Cert manager - not working as intended

Well - Have setup and build my own cluster for starting to learn the kubernetes way of doing things (and I like it - not that it means I’m fully understand it )

Cluster information:

Kubernetes version:
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.0
Cloud being used: bare-metal at home
Installation method: Build on Proxmox as a VM
Host OS: DietPI
CNI and version:
CRI and version:

I’ve trying to setup and do a lot of things with kubernetes for learning how it works. I’m now about ingress and certificate manager. - since I’m using hetzner as DNS provider - but still hosted on my little server at home:
4 nodes - 16GB disk and 8GB RAM - One node have an extra harddisc attached - shared as nfs
1 controlplane (2NIC) 16GB disc 8GB RAM (controlplane 172.16.10.1/24) - application IP 192.168.200.15/32 (Dynamictly reserved IP)

My issues is about the certificate manager issuing certificate - is not working - I’ve followed these guides: Install ingress with Helm - Securing NGINX-ingress - cert-manager Documentation
Deploying Certmanager through Helm - Helm - cert-manager Documentation
Installing Hetzner webhook - GitHub - vadimkim/cert-manager-webhook-hetzner: cert-manager webhook for Hetzner DNS API

Created a ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: support@domain.dk
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            # This group needs to be configured when installing the helm package
            groupName: acme.domain.dk
            solverName: hetzner
            config:
              secretName: hetzner-secret
              zoneName: domain.dk
              apiUrl: https://dns.hetzner.com/api/v1

But when I trying to deploy a certificate for my defalt webside (a simple nginx container) it’ll fail - and I can not find where it goes wrong here:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain-nginx
  annotations:
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - p-cluster01.domain.dk
    secretName: p-cluster-tls
  rules:
  - host: p-cluster01.domain.dk
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: domain-nginx
            port:
              number: 80

But the certificate are nok getting issued - I can only find this:
kubectl get certificate
NAME READY SECRET AGE
p-cluster-tls False p-cluster-tls 3m5s
domain-release-cert-manager-webhook-hetzner-ca True domain-release-cert-manager-webhook-hetzner-ca 24h
domain-release-cert-manager-webhook-hetzner-webhook-tls True domain-release-cert-manager-webhook-hetzner-webhook-tls 24h

My ingress seems to work sionce I’m getting thrioug to the domain - but itll just using the Kubernetes Ingress Controller Fake Certificate, routing to the right container, but invalid certificate - So not sure where this is gone wrong since the certificate are not issued. Through describe certificate I can see these lines:

Status:
  Conditions:
    Last Transition Time:    2024-01-11T12:19:13Z
    Message:                 The certificate request has failed to complete and will be retried: Failed to wait for order resource "p-cluster-tls-1-981099206" to become ready: order is in "invalid" state: 
    Observed Generation:     1
    Reason:                  Failed
    Status:                  False
    Type:                    Issuing
    Last Transition Time:    2024-01-11T12:18:51Z
    Message:                 Issuing certificate as Secret does not exist
    Observed Generation:     1
    Reason:                  DoesNotExist
    Status:                  False
    Type:                    Ready
  Failed Issuance Attempts:  1
  Last Failure Time:         2024-01-11T12:19:13Z

Trying to get some more information - with describe order:

Name:         p-cluster-tls-1-981099206
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: p-cluster-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: p-cluster-tls-qnlw4
API Version:  acme.cert-manager.io/v1
Kind:         Order
Metadata:
  Creation Timestamp:  2024-01-11T12:18:52Z
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  CertificateRequest
    Name:                  p-cluster-tls-1
    UID:                   7e3b6aaa-ee06-4264-8bcd-774b6c05767f
  Resource Version:        1061405
  UID:                     ec3d300b-319f-4760-9bbb-d06b5bc2a944
Spec:
  Dns Names:
    p-cluster01.domain.dk
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-staging
  Request:  BLABLABLA long requiest
Status:
  Authorizations:
    Challenges:
      Token:        zuHyRNlLw0A1uHIAm7aF5V8wRylmq0hvE_UufmWJbYY
      Type:         http-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/303065694176/R1ZZcQ
      Token:        zuHyRNlLw0A1uHIAm7aF5V8wRylmq0hvE_UufmWJbYY
      Type:         dns-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/303065694176/ZJq6pw
      Token:        zuHyRNlLw0A1uHIAm7aF5V8wRylmq0hvE_UufmWJbYY
      Type:         tls-alpn-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/303065694176/sMmXHQ
    Identifier:     p-cluster01.domain.dk
    Initial State:  pending
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/303065694176
    Wildcard:       false
  Failure Time:     2024-01-11T12:19:13Z
  Finalize URL:     https://acme-v02.api.letsencrypt.org/acme/finalize/1510858506/235887738056
  State:            invalid
  URL:              https://acme-v02.api.letsencrypt.org/acme/order/1510858506/235887738056
Events:
  Type    Reason   Age   From                 Message
  ----    ------   ----  ----                 -------
  Normal  Created  20m   cert-manager-orders  Created Challenge resource "p-cluster-tls-1-981099206-4201779940" for domain "p-cluster01.domain.dk"

So I’ve searched the forum and not finding anything that makes it work - but can see others have the same issue - without resolving them ?
So what am I doing worng sine my certificates are not created