I have a k3s setup and am trying to get my ingress configured with TLS, but the certificates are not getting signed by the CA. The error I am getting is given below:
Name: tls-cert-grafana
Namespace: grafana
Created at: 2023-09-01T17:00:42+09:00
Conditions:
Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
Issuing: False, Reason: Failed, Message: The certificate request has failed to complete and will be retried: Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
DNS Names:
- grafana.my-network.com
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 2m41s cert-manager-certificates-trigger Issuing certificate as Secret does not exist
Normal Generated 2m40s cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "tls-cert-grafana-zd2d5"
Normal Requested 2m40s cert-manager-certificates-request-manager Created new CertificateRequest resource "tls-cert-grafana-c7m5b"
Warning Failed 2m40s cert-manager-certificates-issuing The certificate request has failed to complete and will be retried: Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
Issuer:
Name: my-acme01
Kind: ClusterIssuer
Conditions:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
Events: <none>
error when finding Secret "tls-cert-grafana": secrets "tls-cert-grafana" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
Name: tls-cert-grafana-c7m5b
Namespace: grafana
Conditions:
Approved: True, Reason: cert-manager.io, Message: Certificate request has been approved by cert-manager.io
Ready: False, Reason: Failed, Message: Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal WaitingForApproval 2m40s cert-manager-certificaterequests-issuer-acme Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 2m40s cert-manager-certificaterequests-issuer-ca Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 2m40s cert-manager-certificaterequests-issuer-vault Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 2m40s cert-manager-certificaterequests-issuer-venafi Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 2m40s cert-manager-certificaterequests-issuer-selfsigned Not signing CertificateRequest until it is Approved
Normal cert-manager.io 2m40s cert-manager-certificaterequests-approver Certificate request has been approved by cert-manager.io
Normal OrderCreated 2m40s cert-manager-certificaterequests-issuer-acme Created Order resource grafana/tls-cert-grafana-c7m5b-3111432917
Warning OrderFailed 2m40s (x2 over 2m40s) cert-manager-certificaterequests-issuer-acme Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
Order:
Name: tls-cert-grafana-c7m5b-3111432917
State: errored, Reason: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
No Authorizations for this Order
FailureTime: 2023-09-01T17:00:43+09:00
No Challenges found for this Certificate
Here are the YAML files for the resources:
Issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-acme01
spec:
  acme:
    email: <my-own-email>
    server: <https-address-to-my-acme>
    privateKeySecretRef:
      name: acme-issuer
    solvers:
    - http01:
        ingress:
          class: nginx
          serviceType: ClusterIP
Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: grafana
  annotations:
    cert-manager.io/acme-challenge-type: http01
    cert-manager.io/cluster-issuer: my-acme01
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: nginx
  rules:
  - host: grafana.my-network.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: grafana
            port:
              number: 80
  tls:
  - hosts:
    - grafana.my-network.com
    secretName: tls-cert-grafana
Note: cert-manager is installed via helm, currently at version v1.12.3
Has anyone faced a similar issue or can help troubleshoot this?
Summary: Tried securing k8s ingress for grafana using cert-manager and an external ACME CA but based on the certificate logs "No Challenges found for this Certificate" and "State: errored, Reason: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier". I am not sure how to troubleshoot this and need some support.
The issue is resolved: the subdomain had to be whitelisted for the ACME server to allow signing certificates.
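A small triage helper for this class of failure, added here as an example and not part of the question or of cert-manager itself. It reads a cert-manager Order object (as `kubectl get order -o json` would return it; the sample below is constructed to mirror the status in the question) and tells apart an order the CA refused to create (no authorizations, so the HTTP-01 solver and Ingress were never exercised) from an order whose challenge failed. The `ACME_ERROR_HINTS` table and the `triage_order` name are my own.

```python
"""Triage cert-manager ACME Order failures from an Order's status block."""
import re

# ACME problem types from RFC 8555 section 6.7, keyed by the URN suffix.
# The hints are this example's own guidance, not cert-manager output.
ACME_ERROR_HINTS = {
    "rejectedIdentifier": "CA policy refuses this identifier: check the CA's "
                          "allowed-domain list, not the solver or Ingress",
    "unauthorized": "ACME account is not authorized for this identifier",
    "dns": "CA could not resolve the identifier's DNS name",
    "connection": "CA could not reach the HTTP-01 solver endpoint",
    "incorrectResponse": "solver served the wrong key authorization",
}

URN_RE = re.compile(r"urn:ietf:params:acme:error:([A-Za-z]+)")


def triage_order(order):
    """Return where in the ACME flow the Order failed and an ACME error type."""
    status = order.get("status", {})
    state = status.get("state")
    reason = status.get("reason") or ""
    authorizations = status.get("authorizations") or []
    match = URN_RE.search(reason)
    acme_error = match.group(1) if match else None
    if state in ("valid", "ready"):
        stage = "ok"
    elif not authorizations:
        stage = "order-creation"   # CA rejected newOrder; no challenges exist
    else:
        stage = "challenge"        # order exists; a challenge did not validate
    return {
        "state": state,
        "stage": stage,
        "acme_error": acme_error,
        "dns_names": list(order.get("spec", {}).get("dnsNames", [])),
        "hint": ACME_ERROR_HINTS.get(acme_error, "see the Order reason field"),
    }


# Constructed Order, mirroring the errored Order shown in the question.
SAMPLE_ORDER = {
    "spec": {"dnsNames": ["grafana.my-network.com"]},
    "status": {
        "state": "errored",
        "reason": "Failed to create Order: 400 urn:ietf:params:acme:error:"
                  "rejectedIdentifier: The server will not issue certificates "
                  "for the identifier",
    },
}
```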