Comments (12)
Hello, what version of the nginx-ingress-controller you have deployed? The latest one, 0.8.3? I see the same problem as you with 0.8.3. Try 0.8.1, that one works for me. Now I'm trying to find out where is the problem...
from kube-lego.
One more thing, do you use the --watch-namespace
option with nginx-ingress-controller
?
from kube-lego.
Hi @stibi
what version of the nginx-ingress-controller you have deployed? The latest one, 0.8.3?
Yes. I used the 0.8.2 but couldn't make it work. Now 0.8.3 is deployed.
do you use the --watch-namespace option with nginx-ingress-controller
Yes.
from kube-lego.
0.8.2 is affected too, the problem is with the --watch-namespace
…without the option, it works.
I guess the namespace restriction somehow break the events listening in the nginx controller.
If you check the nginx.conf
, there is for example no ACME challenge location
rules (/.well-known/acme-challenge/...
). That's why the certificate request is not validated and issued.
I don't understand the whole thing yet, I have to check the nginx ingress controller code, but maybe someone here could explain it in more details.
from kube-lego.
Filtering on a namespace is not yet supported for kube-lego. If you only want to run kube-lego in a single namespace you could move kube-lego into that namespace.
from kube-lego.
Thanks @simonswine For each of my staging env (handled with namespaces) I need to deploy a kube-lego instance. Is that correct ?
Is filtering on a namespace planned for a future kube-lego release ?
from kube-lego.
I have this same 403 issue but with GKE. I also see it responding with a 200 to the request and returning Resolved to:\n\t\t104.y.y.y\n\tUsed: 104.y.y.y\n\n
.
from kube-lego.
Though I think I'm missing something based on https://blog.jetstack.io/blog/kube-lego/ since that says kube-lego
sets up a separate ingress that is to serve the response for /.well-known/acme-challenge/
and mine is going to the echoserver. It looks like @pdoreau 's is as well based on the output, \"CLIENT VALUES:\r\nclient_address=(
from kube-lego.
I am having a similar issue, although I use the GKE L7 ingress. Basically, the kube-lego pod is logging reachability failures, as reachability tests are routed to my web server which responds with a 404 error:
time="2016-11-02T16:37:56Z" level=debug msg="testing reachablity of http://www.realtime-music.com/.well-known/acme-challenge/_selftest" context=acme host=www.realtime-music.com
time="2016-11-02T16:37:57Z" level=warning msg="wrong status code '404'" context=acme host=www.realtime-music.com
time="2016-11-02T16:37:57Z" level=warning msg="Error while obtaining certificate: reachabily test failed for this cert"
I've followed the GCE example in setting my environment up.
from kube-lego.
@tsloughter @aknuds1 It works well on my side after adding kube-lego deployment under the namespace of the pods I want to secure.
from kube-lego.
@pdoreau You mean kube-lego should not be in its own namespace?
from kube-lego.
@aknuds1 I'm using nginx-controller with --watch-namespace
option. To make everything work, I used the same namespace everywhere : my pods (and services...), the ingress ressource, the nginx-controller and the kube-lego deployment
from kube-lego.
Related Issues (20)
- The tls-sni challenge has been disabled due to strong credibility of a vulnerability report HOT 4
- Adding heptio/contour support HOT 1
- Wildcard Certificate Support HOT 2
- Pull the complete certificate chain HOT 1
- Unsupported ingress class HOT 1
- renewal expiry date is incorrect HOT 1
- Support for Letsencrypt wildcard certificate HOT 1
- Let's Encrypt Wildcard Support HOT 9
- How safe is it to use Kube Lego in producation on v1.9+ of Kubernetes? HOT 2
- If one of the domains in an ingress fails reachability, kube-lego should not try to authorize any of the domains
- Pod kube-lego not starting HOT 4
- read udp i/o timeout HOT 4
- Does not seem to work on k8s 1.8.8-gke.0 HOT 6
- Failed to list *v1beta1.Ingress HOT 1
- creating new secret
- Auto-renewal of certificates is not being triggered in 0.1.6 HOT 2
- Memory Leak?
- kubernetes 1.10 on GCP cant create a GCE loadbalancer ingress without secret
- Add: kubernetes.io/tls-acme: 'true' annotation
- Archive the kube-lego repository
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kube-lego.