Acme timeout when using cert-manager to get certificates in kubernetes

I have a 4 node kubernetes cluster deployed with kubespray. I wanted to do nginx for ingress, with LetsEncrypt certificates. I followed this guide for cert-manager to get started (skipping step 1 because tiller was already configured by kubespray).

I deployed the letsencrypt-staging as a ClusterIssuer:

---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: my-email
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

I port-forwarded ports 80 and 443 to the external IP (acquired from MetalLB) of the nginx-ingress-controller, and have DNS entries added for LAN-side requests. At this point, I can access the endpoint by its FQDN on both http and https (with the invalid default certificate), both inside my LAN and outside.

But it fails to get a certificate. When I check the cert-manager pod logs, I see the following:

Calling GetAccount

cert-manager/controller/clusterissuers "msg"="failed to verify ACME account" "error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp MY-WAN-IP:443: i/o timeout" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging" "resource_namespace"=""

cert-manager/controller/clusterissuers "msg"="error setting up issuer" "error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp MY-WAN-IP:443: i/o timeout" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging" "resource_namespace"=""

cert-manager/controller/clusterissuers "msg"="re-queuing item due to error processing" "error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp MY-WAN-IP:443: i/o timeout" "key"="letsencrypt-staging"

When I do curl -kivL -H 'Host: example.your-domain.com' 'http://my-wan-ip' to test the connection, it connects just fine (but provides an invalid certificate on 443). I tested using curl from multiple outside sources.

So why am I getting the timeout error when it seems like it can connect just fine?

cclloyd

Posted 2019-08-22T09:50:23.803

Reputation: 331

No answers
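The timeout lines quoted in the question name both the ACME directory URL and the address that was actually dialed for it. As an added example (not part of the question or of cert-manager), this Python parser pulls those two values out of cert-manager's key="value" log lines so the address the cluster dials for the ACME host can be checked against the operator's own WAN address; the sample lines and the 203.0.113.10 address are constructed stand-ins.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the cert-manager output in the question;
# 203.0.113.10 stands in for the redacted MY-WAN-IP.
SAMPLE_LOGS = [
    'cert-manager/controller/clusterissuers "msg"="failed to verify ACME account" '
    '"error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: '
    'dial tcp 203.0.113.10:443: i/o timeout" "resource_kind"="ClusterIssuer" '
    '"resource_name"="letsencrypt-staging"',
    'cert-manager/controller/clusterissuers "msg"="re-queuing item due to error processing" '
    '"error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: '
    'dial tcp 203.0.113.10:443: i/o timeout" "key"="letsencrypt-staging"',
    'cert-manager/controller/clusterissuers "msg"="Calling GetAccount"',
]

# key="value" pairs as emitted by cert-manager's structured logger
KV_RE = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')
# Go net/http error shape: Get <url>: dial tcp <addr>:<port>: <reason>
DIAL_RE = re.compile(r'Get (\S+): dial tcp (\S+):(\d+): (.*)$')


def parse_fields(line):
    """Parse the key="value" pairs of one log line into a dict."""
    return dict(KV_RE.findall(line))


def extract_dial_failure(line):
    """Return (acme_host, dialed_ip, port, reason) for a dial error, else None."""
    err = parse_fields(line).get("error")
    if not err:
        return None
    m = DIAL_RE.search(err)
    if not m:
        return None
    url, ip, port, reason = m.groups()
    return urlparse(url).hostname, ip, int(port), reason


def dial_targets(lines):
    """Map each ACME host seen in dial errors to the set of IPs dialed for it."""
    targets = {}
    for line in lines:
        hit = extract_dial_failure(line)
        if hit:
            host, ip, _, _ = hit
            targets.setdefault(host, set()).add(ip)
    return targets


def flag_self_dials(targets, own_ips):
    """List ACME hosts for which the cluster dialed one of its own addresses."""
    return sorted(h for h, ips in targets.items() if ips & set(own_ips))
```

Feed it the output of `kubectl logs` for the cert-manager pod; a hit from `flag_self_dials` with your WAN address means in-cluster name resolution for the ACME host differs from public DNS.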