
I installed cert-manager with kubectl

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml

I successfully obtained my resources:

my_user@vps-b123456:~$ k get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS      AGE
pod/cert-manager-5fcfc99f7-mrjrn               1/1     Running   1 (17h ago)   25h
pod/cert-manager-cainjector-75cfc9f6b7-ntwd4   1/1     Running   3 (17h ago)   25h
pod/cert-manager-webhook-74b65dbf6f-kzp7w      1/1     Running   0             4h39m
pod/curl-deployment-6f95856b88-9cln2           1/1     Running   0             96s

NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.101.200.103   <none>        9402/TCP   25h
service/cert-manager-webhook   ClusterIP   10.99.166.135    <none>        443/TCP    25h

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           25h
deployment.apps/cert-manager-cainjector   1/1     1            1           25h
deployment.apps/cert-manager-webhook      1/1     1            1           25h
deployment.apps/curl-deployment           1/1     1            1           3h24m

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-5fcfc99f7               1         1         1       25h
replicaset.apps/cert-manager-cainjector-75cfc9f6b7   1         1         1       25h
replicaset.apps/cert-manager-webhook-74b65dbf6f      1         1         1       25h
replicaset.apps/curl-deployment-6f95856b88           1         1         1       3h24m

However, when I create a ClusterIssuer with a certificate, it seems that the ClusterIssuer registration with ACME is not working.

my_user@vps-b123456:~$ k logs cert-manager-5fcfc99f7-mrjrn -n cert-manager
...
I0605 21:25:21.806374       1 setup.go:225] "ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" logger="cert-manager.clusterissuers" resource_name="letsencrypt-prod" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-prod-secret-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
E0605 21:25:21.842707       1 setup.go:265] "failed to register an ACME account" err="Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: connect: connection refused" logger="cert-manager.clusterissuers" resource_name="letsencrypt-prod" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-prod-secret-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
E0605 21:25:21.842746       1 sync.go:62] "error setting up issuer" err="Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: connect: connection refused" logger="cert-manager.clusterissuers" resource_name="letsencrypt-prod" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1"
E0605 21:25:21.842806       1 controller.go:167] "re-queuing item due to error processing" err="Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: connect: connection refused" logger="cert-manager.clusterissuers" key="letsencrypt-prod"

At the bottom of the describe output, I see that the connection was refused with ACME.

my_user@vps-b123456:~/k8s/ingress$ k get clusterissuer -n stratonation
NAME               READY   AGE
letsencrypt-prod   False   4h19m
my_user@vps-b123456:~/k8s/ingress$ k describe clusterissuer letsencrypt-prod -n stratonation
Name:         letsencrypt-prod
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2024-06-05T17:12:30Z
  Generation:          1
  Resource Version:    160637
  UID:                 d8338116-ba4c-4f38-a8c8-e0ab6fc23d17
Spec:
  Acme:
    Email:  [email protected]
    Private Key Secret Ref:
      Name:  letsencrypt-prod-secret-key
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
  Conditions:
    Last Transition Time:  2024-06-05T17:13:00Z
    Message:               Failed to register ACME account: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused
    Observed Generation:   1
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age                   From                         Message
  ----     ------         ----                  ----                         -------
  Warning  ErrInitIssuer  103s (x26 over 121m)  cert-manager-clusterissuers  Error initializing issuer: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused

I have all traffic open for my tests.

my_user@vps-b123456:~/k8s/ingress$ sudo iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    cali-INPUT  all  --  anywhere             anywhere             /* cali:Cz_u1IQiXIMmKD4c */
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
3    KUBE-FIREWALL  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    cali-FORWARD  all  --  anywhere             anywhere             /* cali:wUHhoiAYhphO9Mso */
2    FLANNEL-FWD  all  --  anywhere             anywhere             /* flanneld forward */
3    ACCEPT     all  --  anywhere             anywhere             /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
4    MARK       all  --  anywhere             anywhere             /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    cali-OUTPUT  all  --  anywhere             anywhere             /* cali:tVnHkvAo15HuiPy0 */
2    KUBE-FIREWALL  all  --  anywhere             anywhere        

I have nothing interesting in the CoreDNS logs:

my_user@vps-b123456:~/k8s/ingress$ k logs coredns-7c959b8749-wds6f -n kube-system
.:53
[INFO] plugin/reload: Running configuration SHA512 = 1738324c9bbcf1f65e6f15ff89dc70b4233e041641c7505b9e8b59c06e2693b4ec8076bc45bb8eb5bb2486f97476db226b7ffd55fead273980ea10a477458357
CoreDNS-1.10.0
linux/amd64, go1.19.1, 596a9f9

Here is my ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: stratonation
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod-secret-key
    solvers:
      - http01:
          ingress:
            class: nginx

And my certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: stratonation
spec:
  secretName: letsencrypt-prod
  duration: 2160h # 90 days
  renewBefore: 720h # 30 days
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: exemple.com
  dnsNames:
    - exemple.com
  privateKey:
    algorithm: RSA
    size: 2048

Do you have any idea?

1 Answer


Focusing on your error log

"ACME server URL host and ACME private key registration host differ.
...

Can you check your /etc/resolv.conf and whether DNS is working fine in your Kubernetes?

According to similar error cases

https://github.com/cert-manager/cert-manager/issues/3394

https://stackoverflow.com/questions/57058270/kubernetes-cert-manager-ssl-error-verify-acme-account

People solved their problem by fixing resolv.conf.

If there is some problem with DNS, you can try

echo "nameserver 1.1.1.1" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf

or (example for CoreDNS)

kubectl get configmap coredns -n kube-system -o yaml > coredns-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . 1.1.1.1 8.8.8.8
        cache 30
        loop
        reload
        loadbalance
    }

kubectl apply -f coredns-configmap.yaml

Then restart the CoreDNS pod.
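The triage helper below is an added example, not code from the question or the answer. It classifies the Ready-condition message shown in the question's describe output (the same text appears as err="..." in the cert-manager log) by the layer that failed, which is what the answer's DNS check hinges on: a "lookup" error means the resolver never returned an address, while a "dial tcp IP:PORT" fragment means the name resolved and the failure is at TCP or above. The curl-deployment pod name comes from the question; the sample messages and the jsonpath helper are assumptions.

```shell
#!/bin/sh
# Triage cert-manager ACME registration failures: name the failing layer and
# the check to run next from inside the cluster. Offline by design: the
# samples below are constructed, modelled on Go dial errors as cert-manager
# reports them (the first one is the message from the question).
SAMPLE_REFUSED='Failed to register ACME account: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused'
SAMPLE_DNS='Failed to register ACME account: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on 10.96.0.10:53: no such host'
SAMPLE_TLS='Failed to register ACME account: Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority'

# Print the failing layer: dns, refused, timeout, tls, or other.
classify_acme_error() {
    case "$1" in
        *"lookup "*)                              echo dns ;;     # resolver never returned an address
        *"connect: connection refused"*)          echo refused ;; # address resolved, TCP actively rejected
        *"i/o timeout"*|*"connection timed out"*) echo timeout ;; # address resolved, no reply at all
        *"x509:"*|*"tls:"*)                       echo tls ;;     # TCP worked, handshake or chain failed
        *)                                        echo other ;;
    esac
}

# Extract the IPv4 ip:port the dial targeted; empty when resolution failed first.
acme_dial_target() {
    printf '%s\n' "$1" | sed -n 's/.*dial tcp \([0-9.]*:[0-9]*\).*/\1/p'
}

# Next check, run from the curl-deployment pod the question already has.
next_check() {
    case "$1" in
        dns)  echo 'kubectl exec deploy/curl-deployment -- nslookup acme-v02.api.letsencrypt.org' ;;
        refused|timeout|tls)
              echo 'kubectl exec deploy/curl-deployment -- curl -sSv -o /dev/null https://acme-v02.api.letsencrypt.org/directory' ;;
        *)    echo 'kubectl describe clusterissuer letsencrypt-prod' ;;
    esac
}

# Read the live Ready-condition message (assumed helper; not used by the offline samples).
issuer_message() {
    kubectl get clusterissuer "$1" -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}'
}

triage() {
    cls=$(classify_acme_error "$1")
    echo "layer=$cls target=$(acme_dial_target "$1")"
    echo "next: $(next_check "$cls")"
}

triage "$SAMPLE_REFUSED"
```

For a live cluster, replace the sample with `triage "$(issuer_message letsencrypt-prod)"`.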
