Error presenting challenge: the server is currently unable to handle the request about alidns-webhook HOT 9 CLOSED

When I set the groupName to xxx.com, I got the following error message:

alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

Status:
  Presented:   false
  Processing:  true
  Reason:      alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope
  State:       pending
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       11s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  6s (x3 over 11s)  cert-manager  Error presenting challenge: alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

from alidns-webhook.

Hi simicn,

GroupName should be set the same as group names of CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.

For the first question, please check the log of the alidns-webhook pod, might be caused by wrong alicloud access key or letsencrypt account.

from alidns-webhook.

Hi simicn,

GroupName should be set the same as group names of CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.

For the first question, please check the log of the alidns-webhook pod, might be caused by wrong alicloud access key or letsencrypt account.

Thanks for your help

from alidns-webhook.

I set the groupName of the ClusterIssuer as 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got the similar error:

Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)

Was the request of post alidns.xxx.com sent by cert-manager itself ?

from alidns-webhook.

I set the groupName of the ClusterIssuer as 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got the similar error:

Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)

Was the request of post alidns.xxx.com sent by cert-manager itself ?

@kaelzhang Please check the log of the alidns-webhook pod, might be caused by wrong alicloud access key or letsencrypt account.

from alidns-webhook.

Thanks for your reply.

Seems cert-manager eats all logs and I could only see those logs of RunWebhookServer but no logs of the webhook.

Or anywhere else I could check the logs, or how to turn on log output ?

from alidns-webhook.

Please check the metadata.name of APIService resource for the webhook.
If you changed group name, you have to change the apiservice resource name in bundle.yml.
If you hadn't set apiservice name properly, you could find some error logs in kube-apiserver logs.
Please refer to k8s api extension document for more information.

apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.acme.yourcompany.com
  labels:
    app: alidns-webhook
  annotations:
    cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"
spec:
  group: acme.yourcompany.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: alidns-webhook
    namespace: cert-manager
  version: v1alpha1

from alidns-webhook.

I had changed metadata.name & spec.group of APIService, container.env.GROUP_NAME of deployment, and apiGroups.0 of ClusterRole in bundle.yml before I saw the Error presenting challenge

from alidns-webhook.

Could you please upload your bundle.yml here?

from alidns-webhook.