Error presenting challenge: the server is currently unable to handle the request
simiwe opened this issue
ClusterIssuer:

    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        # Change to your letsencrypt email
        email: xx@aa.com
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: spoil-twinkle-rob-therein
        solvers:
        - dns01:
            webhook:
              groupName: acme.yourcompany.com
              solverName: alidns
              config:
                region: ""
                accessKeySecretRef:
                  name: alidns-secret
                  key: access-key
                secretKeySecretRef:
                  name: alidns-secret
                  key: secret-key

kubectl describe challenges.acme.cert-manager.io
...
    Status:
      Presented:   false
      Processing:  true
      Reason:      the server is currently unable to handle the request (post alidns.acme.yourcompany.com)
      State:       pending
    Events:
      Type     Reason        Age               From          Message
      ----     ------        ----              ----          -------
      Normal   Started       10s               cert-manager  Challenge scheduled for processing
      Warning  PresentError  5s (x3 over 10s)  cert-manager  Error presenting challenge: the server is currently unable to handle the request (post alidns.acme.yourcompany.com)

kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17+", GitVersion:"v1.17.4-gke.10", GitCommit:"302b55804ee4a09c6ad5be81a380a3f333f72fcf", GitTreeState:"clean", BuildDate:"2020-04-14T17:30:11Z", GoVersion:"go1.13.8b4", Compiler:"gc", Platform:"linux/amd64"}
cert-manager is v0.14.1.
How to set the groupName?
When I set the groupName to xxx.com, I got the following error message:
alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

    Status:
      Presented:   false
      Processing:  true
      Reason:      alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope
      State:       pending
    Events:
      Type     Reason        Age               From          Message
      ----     ------        ----              ----          -------
      Normal   Started       11s               cert-manager  Challenge scheduled for processing
      Warning  PresentError  6s (x3 over 11s)  cert-manager  Error presenting challenge: alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

Hi simicn,
GroupName should be set the same as group names of CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.
For the first question, please check the log of the alidns-webhook pod, might be caused by wrong alicloud access key or letsencrypt account.
Thanks for your help
I set the groupName of the ClusterIssuer as 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got the similar error:
Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)
Was the request of post alidns.xxx.com sent by cert-manager itself?
@kaelzhang Please check the log of the alidns-webhook pod, might be caused by wrong alicloud access key or letsencrypt account.
Thanks for your reply.
Seems cert-manager eats all logs and I could only see those logs of RunWebhookServer but no logs of the webhook.
Or anywhere else I could check the logs, or how to turn on log output?
Please check the metadata.name of APIService resource for the webhook.
If you changed group name, you have to change the apiservice resource name in bundle.yml.
If you hadn't set apiservice name properly, you could find some error logs in kube-apiserver logs.
Please refer to k8s api extension document for more information.

    apiVersion: apiregistration.k8s.io/v1
    kind: APIService
    metadata:
      name: v1alpha1.acme.yourcompany.com
      labels:
        app: alidns-webhook
      annotations:
        cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"
    spec:
      group: acme.yourcompany.com
      groupPriorityMinimum: 1000
      versionPriority: 15
      service:
        name: alidns-webhook
        namespace: cert-manager
      version: v1alpha1

I had changed metadata.name & spec.group of APIService, container.env.GROUP_NAME of deployment, and apiGroups.0 of ClusterRole in bundle.yml before I saw the Error presenting challenge
Could you please upload your bundle.yml here?
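
The thread names four places that must carry the same group name: the ClusterIssuer solver's groupName, the APIService (metadata.name and spec.group), the ClusterRole apiGroups, and the Deployment's GROUP_NAME env. As an added example (not part of the original thread or of the alidns-webhook project), this Python check reports which of them disagree; it assumes objects shaped like the items of `kubectl get ... -o json`, and the function names and sample objects are constructed for illustration.

```python
def of_kind(objs, kind):
    return [o for o in objs if o.get("kind") == kind]

def issuer_groups(objs):
    """Collect groupName from every dns01 webhook solver in ClusterIssuers."""
    groups = set()
    for issuer in of_kind(objs, "ClusterIssuer"):
        for s in issuer["spec"].get("acme", {}).get("solvers", []):
            webhook = s.get("dns01", {}).get("webhook")
            if webhook:
                groups.add(webhook["groupName"])
    return groups

def check_group(objs, group):
    """Return mismatches between `group` and the webhook bundle objects."""
    problems = []
    apis = [a for a in of_kind(objs, "APIService") if a["spec"].get("group") == group]
    if not apis:
        problems.append(f"no APIService with spec.group {group}")
    for a in apis:  # the API server requires the name to be <version>.<group>
        want = f'{a["spec"]["version"]}.{group}'
        if a["metadata"]["name"] != want:
            problems.append(f'APIService name {a["metadata"]["name"]} != {want}')
    rules = [r for cr in of_kind(objs, "ClusterRole") for r in cr.get("rules", [])]
    if not any(group in r.get("apiGroups", []) for r in rules):
        problems.append(f"no ClusterRole rule for apiGroups {group}")
    env = [e for d in of_kind(objs, "Deployment")
           for c in d["spec"]["template"]["spec"]["containers"]
           for e in c.get("env", []) if e.get("name") == "GROUP_NAME"]
    if not any(e.get("value") == group for e in env):
        problems.append(f"no Deployment sets GROUP_NAME={group}")
    return problems

# Constructed sample: issuer renamed to xxx.com, bundle only partly updated.
SAMPLE = [
    {"kind": "ClusterIssuer", "spec": {"acme": {"solvers": [
        {"dns01": {"webhook": {"groupName": "xxx.com", "solverName": "alidns"}}}]}}},
    {"kind": "APIService", "metadata": {"name": "v1alpha1.acme.yourcompany.com"},
     "spec": {"group": "xxx.com", "version": "v1alpha1"}},
    {"kind": "ClusterRole", "rules": [
        {"apiGroups": ["acme.yourcompany.com"], "resources": ["*"], "verbs": ["create"]}]},
    {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
        {"name": "alidns-webhook", "env": [{"name": "GROUP_NAME", "value": "xxx.com"}]}]}}}},
]

if __name__ == "__main__":
    for g in sorted(issuer_groups(SAMPLE)):
        for p in check_group(SAMPLE, g) or ["consistent"]:
            print(f"{g}: {p}")
```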