Well - I have set up and built my own cluster to start learning the Kubernetes way of doing things (and I like it - not that it means I fully understand it).
Cluster information:
Kubernetes version:
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.0
Cloud being used: bare-metal at home
Installation method: Build on Proxmox as a VM
Host OS: DietPI
CNI and version:
CRI and version:
I’ve been trying to set up and do a lot of things with Kubernetes to learn how it works. I’m now working on ingress and cert-manager, since I’m using Hetzner as DNS provider but still hosting on my little server at home:
4 nodes - 16GB disk and 8GB RAM - one node has an extra hard disk attached, shared as NFS
1 control plane (2 NICs) 16GB disk 8GB RAM (control plane 172.16.10.1/24) - application IP 192.168.200.15/32 (dynamically reserved IP)
My issue is that cert-manager is not issuing certificates. I’ve followed these guides:
Install ingress with Helm - Securing NGINX-ingress - cert-manager Documentation
Deploying cert-manager through Helm - Helm - cert-manager Documentation
Installing the Hetzner webhook - GitHub - vadimkim/cert-manager-webhook-hetzner: cert-manager webhook for Hetzner DNS API
Created a ClusterIssuer:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: support@domain.dk
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            # This group needs to be configured when installing the helm package
            groupName: acme.domain.dk
            solverName: hetzner
            config:
              secretName: hetzner-secret
              zoneName: domain.dk
              apiUrl: https://dns.hetzner.com/api/v1
```
But when I try to deploy a certificate for my default website (a simple nginx container) it fails, and I cannot find where it goes wrong here:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain-nginx
  annotations:
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - p-cluster01.domain.dk
      secretName: p-cluster-tls
  rules:
    - host: p-cluster01.domain.dk
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: domain-nginx
                port:
                  number: 80
```
But the certificate is not getting issued - I can only find this:
```
kubectl get certificate
NAME                                                      READY   SECRET                                                    AGE
p-cluster-tls                                             False   p-cluster-tls                                             3m5s
domain-release-cert-manager-webhook-hetzner-ca            True    domain-release-cert-manager-webhook-hetzner-ca            24h
domain-release-cert-manager-webhook-hetzner-webhook-tls   True    domain-release-cert-manager-webhook-hetzner-webhook-tls   24h
```
My ingress seems to work since I’m getting through to the domain, but it’s just using the Kubernetes Ingress Controller Fake Certificate: routing to the right container, but with an invalid certificate. So I’m not sure where this has gone wrong, since the certificate is not issued. Through describe certificate I can see these lines:
```
Status:
  Conditions:
    Last Transition Time:  2024-01-11T12:19:13Z
    Message:               The certificate request has failed to complete and will be retried: Failed to wait for order resource "p-cluster-tls-1-981099206" to become ready: order is in "invalid" state:
    Observed Generation:   1
    Reason:                Failed
    Status:                False
    Type:                  Issuing
    Last Transition Time:  2024-01-11T12:18:51Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
  Failed Issuance Attempts:  1
  Last Failure Time:         2024-01-11T12:19:13Z
```
Trying to get some more information with describe order:
```
Name:         p-cluster-tls-1-981099206
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: p-cluster-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: p-cluster-tls-qnlw4
API Version:  acme.cert-manager.io/v1
Kind:         Order
Metadata:
  Creation Timestamp:  2024-01-11T12:18:52Z
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  CertificateRequest
    Name:                  p-cluster-tls-1
    UID:                   7e3b6aaa-ee06-4264-8bcd-774b6c05767f
  Resource Version:        1061405
  UID:                     ec3d300b-319f-4760-9bbb-d06b5bc2a944
Spec:
  Dns Names:
    p-cluster01.domain.dk
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-staging
  Request:  BLABLABLA long request
Status:
  Authorizations:
    Challenges:
      Token:  zuHyRNlLw0A1uHIAm7aF5V8wRylmq0hvE_UufmWJbYY
      Type:   http-01
      URL:    https://acme-v02.api.letsencrypt.org/acme/chall-v3/303065694176/R1ZZcQ
      Token:  zuHyRNlLw0A1uHIAm7aF5V8wRylmq0hvE_UufmWJbYY
      Type:   dns-01
      URL:    https://acme-v02.api.letsencrypt.org/acme/chall-v3/303065694176/ZJq6pw
      Token:  zuHyRNlLw0A1uHIAm7aF5V8wRylmq0hvE_UufmWJbYY
      Type:   tls-alpn-01
      URL:    https://acme-v02.api.letsencrypt.org/acme/chall-v3/303065694176/sMmXHQ
    Identifier:     p-cluster01.domain.dk
    Initial State:  pending
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/303065694176
    Wildcard:       false
  Failure Time:   2024-01-11T12:19:13Z
  Finalize URL:   https://acme-v02.api.letsencrypt.org/acme/finalize/1510858506/235887738056
  State:          invalid
  URL:            https://acme-v02.api.letsencrypt.org/acme/order/1510858506/235887738056
Events:
  Type    Reason   Age  From                 Message
  ----    ------   ---  ----                 -------
  Normal  Created  20m  cert-manager-orders  Created Challenge resource "p-cluster-tls-1-981099206-4201779940" for domain "p-cluster01.domain.dk"
```
So I’ve searched the forum and not found anything that makes it work, but I can see others have the same issue without resolving it?
So what am I doing wrong, since my certificates are not created?
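Two things in the post itself are worth lining up before digging into the webhook. The Ingress carries the annotation `cert-manager.io/issuer`, which cert-manager resolves to a namespaced `Issuer` in the Ingress's own namespace, while the resource actually created is a `ClusterIssuer`; that matches the Order above, whose `Issuer Ref` says `Kind: Issuer`. The Order's challenge and authorization URLs also point at `acme-v02.api.letsencrypt.org` (the production directory) even though the ClusterIssuer is configured for `acme-staging-v02`, so whatever Issuer the Order was bound to is not the ClusterIssuer shown here. The manifest below is an added example, not part of the original post: it is the posted Ingress with the annotation key changed to `cert-manager.io/cluster-issuer`, plus a Secret stub for the webhook's API token. The Secret's namespace follows cert-manager's rule that a ClusterIssuer resolves `secretName` references in the cluster resource namespace (by default `cert-manager`); the key name `api-key` and the namespace `cert-manager` are assumptions that must be checked against the webhook's README and the Helm install.

```yaml
# Added example (not from the original post). Only the annotation key differs
# from the posted Ingress: "cert-manager.io/issuer" selects a namespaced Issuer,
# "cert-manager.io/cluster-issuer" selects the cluster-scoped ClusterIssuer
# named letsencrypt-staging that the post defines.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain-nginx
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - p-cluster01.domain.dk
      secretName: p-cluster-tls
  rules:
    - host: p-cluster01.domain.dk
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: domain-nginx
                port:
                  number: 80
---
# Hetzner DNS API token for the dns01 webhook solver.
# Assumptions: the ClusterIssuer looks this Secret up in the cert-manager
# namespace (cert-manager's cluster resource namespace), and the webhook reads
# the token from the key "api-key". Verify both against the webhook's README.
apiVersion: v1
kind: Secret
metadata:
  name: hetzner-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-key: "<hetzner-dns-api-token>"
```

To confirm which issuer the Order was bound to, run `kubectl get issuer,clusterissuer -A` and check whether a namespaced Issuer called `letsencrypt-staging` exists in `default` alongside the ClusterIssuer; a leftover Issuer pointing at the production directory would explain the `acme-v02` URLs. After re-applying, `kubectl describe challenge p-cluster-tls-1-981099206-4201779940` (the Challenge named in the Order's events) shows whether the dns01 presentation succeeded or what the webhook returned, and `kubectl logs -n cert-manager deploy/cert-manager` shows the solver errors. One caveat on scope: a ClusterIssuer can issue for any namespace, so the Secret holding the Hetzner token should stay in the cert-manager namespace with RBAC limited to cert-manager, rather than being copied into application namespaces.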