tnozicka / openshift-acme

ACME Controller for OpenShift and Kubernetes Cluster. (Supports e.g. Let's Encrypt)

Getting 403 urn:acme:error:unauthorized: Account creation on ACMEv1

salimbene opened this issue · comments

When I add the annotations to my route

metadata:
  annotations:
    kubernetes.io/tls-acme: "true"

I notice the following error on openshift-acme:
403 urn:acme:error:unauthorized: Account creation on ACMEv1

I1029 15:27:01.256284       1 route.go:385] Started syncing Route "mobile-office/mobile-office-lb" (2019-10-29 15:27:01.256276003 +0000 UTC m=+497907.871877433)
I1029 15:27:03.373213       1 route.go:387] Finished syncing Route "mobile-office/mobile-office-lb" (2.116908979s)
I1029 15:27:03.373246       1 route.go:718] Error syncing Route mobile-office/mobile-office-lb: failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
I1029 15:27:03.383454       1 route.go:385] Started syncing Route "mobile-office/mobile-office-lb" (2019-10-29 15:27:03.383445272 +0000 UTC m=+497909.999046703)
I1029 15:27:05.875666       1 route.go:387] Finished syncing Route "mobile-office/mobile-office-lb" (2.492207975s)
E1029 15:27:05.875708       1 route.go:728] failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
I1029 15:27:05.875723       1 route.go:729] Dropping Route "mobile-office/mobile-office-lb" out of the queue: failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
I1029 15:28:13.188061       1 reflector.go:357] github.com/tnozicka/openshift-acme/pkg/cmd/openshift-acme-controller/cmd.go:257: Watch close - *v1.Route total 1 items received

I've used these commands to run acme cluster-wide:

oc create -fdeploy/letsencrypt-staging/cluster-wide/{clusterrole,serviceaccount,imagestream,deployment}.yaml
oc adm policy add-cluster-role-to-user openshift-acme -z openshift-acme

@tnozicka
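Added example, not part of the original issue or of openshift-acme: a small triage script for controller logs like the one above, which groups ACME failures by Route and flags Routes that were dropped from the work queue. The function and constant names are hypothetical, and the sample lines are abridged from the log quoted in the issue.

```python
import re
from collections import defaultdict

# klog header: severity, MMDD, time, PID, source file:line, then the message.
KLOG = re.compile(r'^(?P<sev>[IWEF])\d{4} \d{2}:\d{2}:\d{2}\.\d{6}\s+\d+ '
                  r'(?P<src>[\w.\-]+:\d+)\] (?P<msg>.*)$')
# Route reference as the controller prints it, quoted or bare: namespace/name.
ROUTE = re.compile(r'Route "?(?P<route>[a-z0-9.\-]+/[a-z0-9.\-]+)')
# HTTP status followed by an ACME problem type (ACMEv1 or RFC 8555 URN form).
ACME_ERR = re.compile(r'(?P<status>\d{3}) (?P<urn>urn:(?:ietf:params:)?acme:error:\w+)')

# Sample input: lines abridged from the log quoted in the issue.
SAMPLE = """\
I1029 15:27:01.256284       1 route.go:385] Started syncing Route "mobile-office/mobile-office-lb"
I1029 15:27:03.373246       1 route.go:718] Error syncing Route mobile-office/mobile-office-lb: failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled.
E1029 15:27:05.875708       1 route.go:728] failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled.
I1029 15:27:05.875723       1 route.go:729] Dropping Route "mobile-office/mobile-office-lb" out of the queue: failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled.
"""

def triage(lines):
    """Group ACME failures by Route; return (per_route, unattributed_count)."""
    per_route = defaultdict(lambda: {"errors": set(), "severities": set(),
                                     "dropped": False, "acmev1_disabled": False})
    unattributed = 0
    for line in lines:
        m = KLOG.match(line)
        if not m:
            continue  # not a klog-formatted line
        msg = m["msg"]
        err = ACME_ERR.search(msg)
        if not err:
            continue  # normal sync chatter, no ACME problem reported
        route = ROUTE.search(msg)
        if not route:
            unattributed += 1  # e.g. the E-severity line, which omits the Route
            continue
        entry = per_route[route["route"]]
        entry["errors"].add((int(err["status"]), err["urn"]))
        entry["severities"].add(m["sev"])
        entry["dropped"] |= "out of the queue" in msg
        entry["acmev1_disabled"] |= "ACMEv1 is disabled" in msg
    return dict(per_route), unattributed

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

In this log the lines that name the affected Route are logged at `I` severity, while the `E` line carries no Route name, so filtering on severity alone loses the attribution.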

I tried deleting the instance I had installed that was cluster-wide and retried using the namespace-wide one and it worked just fine. Does this make any sense? I would prefer to have it running cluster-wide so I don't need to deploy acme for each namespace.

letsencrypt-staging should be letsencrypt-live - staging registrations have already been disabled for a while. You probably used the correct "live" for single-namespace.

@tnozicka Exactly right. Thanks for your support Tomáš. Much appreciated.

yw

/close

@tnozicka: Closing this issue.
