pragkent / alidns-webhook

Cert manager acme dns01 webhook provider for alidns

Error presenting challenge: the server is currently unable to handle the request

simiwe opened this issue · comments

commented

ClusterIssuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Change to your letsencrypt email
    email: xx@aa.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: spoil-twinkle-rob-therein
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key

kubectl describe challenges.acme.cert-manager.io

...
Status:
  Presented:   false
  Processing:  true
  Reason:      the server is currently unable to handle the request (post alidns.acme.yourcompany.com)
  State:       pending
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       10s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  5s (x3 over 10s)  cert-manager  Error presenting challenge: the server is currently unable to handle the request (post alidns.acme.yourcompany.com)

kubectl version

Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17+", GitVersion:"v1.17.4-gke.10", GitCommit:"302b55804ee4a09c6ad5be81a380a3f333f72fcf", GitTreeState:"clean", BuildDate:"2020-04-14T17:30:11Z", GoVersion:"go1.13.8b4", Compiler:"gc", Platform:"linux/amd64"}

cert-manager is v0.14.1.

How to set the groupName?

commented

When I set the groupName to xxx.com, I got the following error message:

alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

Status:
  Presented:   false
  Processing:  true
  Reason:      alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope
  State:       pending
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       11s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  6s (x3 over 11s)  cert-manager  Error presenting challenge: alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

Hi simicn,

GroupName should be set to the same value as the group names of the CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.

For the first question, please check the log of the alidns-webhook pod; it might be caused by a wrong alicloud access key or letsencrypt account.

commented

> Hi simicn,
>
> GroupName should be set to the same value as the group names of the CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.
>
> For the first question, please check the log of the alidns-webhook pod; it might be caused by a wrong alicloud access key or letsencrypt account.

Thanks for your help

commented

I set the groupName of the ClusterIssuer to 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got a similar error:

Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)

Was the request of post alidns.xxx.com sent by cert-manager itself?

> I set the groupName of the ClusterIssuer to 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got a similar error:
>
> Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)
>
> Was the request of post alidns.xxx.com sent by cert-manager itself?

@kaelzhang Please check the log of the alidns-webhook pod; it might be caused by a wrong alicloud access key or letsencrypt account.

commented

Thanks for your reply.

Seems cert-manager eats all logs and I could only see those logs of RunWebhookServer but no logs of the webhook.

Or is there anywhere else I could check the logs, or how do I turn on log output?

Please check the metadata.name of the APIService resource for the webhook.
If you changed the group name, you have to change the apiservice resource name in bundle.yml.
If you haven't set the apiservice name properly, you can find some error logs in the kube-apiserver logs.
Please refer to the k8s API extension document for more information.

apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.acme.yourcompany.com
  labels:
    app: alidns-webhook
  annotations:
    cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"
spec:
  group: acme.yourcompany.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: alidns-webhook
    namespace: cert-manager
  version: v1alpha1

commented

I had changed metadata.name & spec.group of APIService, container.env.GROUP_NAME of deployment, and apiGroups.0 of ClusterRole in bundle.yml before I saw the Error presenting challenge.

Could you please upload your bundle.yml here?
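
The replies above name four places that must agree with the issuer's groupName: the APIService metadata.name and spec.group, the deployment's GROUP_NAME environment variable, and the ClusterRole apiGroups. As an added example (not part of the thread or of the project's code), this Python check reports which of them disagree; the manifest fragment is constructed, and the function names and regex-based parsing are assumptions for illustration.

```python
import re

# Constructed sample: bundle fragments where the group was renamed to xxx.com
# everywhere except the APIService metadata.name.
BUNDLE = """\
kind: ClusterRole
rules:
- apiGroups: ["xxx.com"]
  resources: ["alidns"]
---
kind: APIService
metadata:
  name: v1alpha1.acme.yourcompany.com
spec:
  group: xxx.com
  version: v1alpha1
---
kind: Deployment
spec:
  template:
    spec:
      containers:
      - env:
        - name: GROUP_NAME
          value: xxx.com
"""

def first(pattern, text):
    # First capture of pattern in text, unquoted; None when absent.
    m = re.search(pattern, text, re.M)
    return m.group(1).strip().strip('"\'') if m else None

def check_group(bundle, issuer_group):
    """List the bundle fields that disagree with the issuer's groupName."""
    docs = {first(r"^kind:\s*(\S+)", d): d for d in bundle.split("\n---\n")}
    api = docs.get("APIService", "")
    version = first(r"^\s+version:\s*(\S+)", api)
    problems = []
    if first(r"^\s+group:\s*(\S+)", api) != issuer_group:
        problems.append("APIService spec.group")
    # Kubernetes requires an APIService to be named <version>.<group>.
    if first(r"^\s+name:\s*(\S+)", api) != f"{version}.{issuer_group}":
        problems.append("APIService metadata.name")
    env = first(r"name:\s*GROUP_NAME\s*\n\s*value:\s*(\S+)", docs.get("Deployment", ""))
    if env != issuer_group:
        problems.append("Deployment env GROUP_NAME")
    # Assumes flow-style apiGroups ([...]) as in the constructed sample.
    roles = first(r"apiGroups:\s*\[(.*?)\]", docs.get("ClusterRole", "")) or ""
    if issuer_group not in [g.strip().strip('"\'') for g in roles.split(",")]:
        problems.append("ClusterRole apiGroups")
    return problems
```
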