I have a 4-node Kubernetes cluster deployed with kubespray. I wanted to do nginx for ingress, with LetsEncrypt certificates. I followed this guide for cert-manager to get started (skipping step 1 because tiller was already configured by kubespray).
I deployed the letsencrypt-staging as a ClusterIssuer:
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: my-email
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
I port-forwarded ports 80 and 443 to the external IP (acquired from MetalLB) of the nginx-ingress-controller, and have DNS entries added for LAN-side requests. At this point, I can access the endpoint by its FQDN on both http and https (with the invalid default certificate), both inside my LAN and outside.
But it fails to get a certificate. When I check the cert-manager pod logs, I see the following:
Calling GetAccount
cert-manager/controller/clusterissuers "msg"="failed to verify ACME account" "error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp MY-WAN-IP:443: i/o timeout" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging" "resource_namespace"=""
cert-manager/controller/clusterissuers "msg"="error setting up issuer" "error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp MY-WAN-IP:443: i/o timeout" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging" "resource_namespace"=""
cert-manager/controller/clusterissuers "msg"="re-queuing item due to error processing" "error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp MY-WAN-IP:443: i/o timeout" "key"="letsencrypt-staging"
When I do curl -kivL -H 'Host: example.your-domain.com' 'http://my-wan-ip' to test the connection, it connects just fine (but provides an invalid certificate on 443). I tested using curl from multiple outside sources.
So why am I getting the timeout error when it seems like it can connect just fine?
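The log lines in the question show the failing request target directly: cert-manager tried to reach https://acme-staging-v02.api.letsencrypt.org/directory and the dial went to MY-WAN-IP:443, so inside the pod the ACME hostname resolved to the poster's own WAN address rather than to Let's Encrypt. The curl test in the question checks the opposite direction (inbound from the internet to the ingress), so it cannot surface this. The script below is an added diagnostic, not part of the question or of cert-manager: it parses cert-manager "dial tcp ... i/o timeout" errors and flags any external hostname that was dialed at one of the cluster's own addresses. The sample log lines are constructed from the ones in the question, with MY-WAN-IP replaced by the documentation address 203.0.113.10, and the contrast line with a made-up public address (both assumptions).

```python
"""Parse cert-manager 'dial tcp ... i/o timeout' errors and flag any external
hostname that was resolved to one of the cluster's own addresses.

Added diagnostic example; not part of the original question or of cert-manager.
"""
import ipaddress
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample lines modelled on the cert-manager output in the question.
# MY-WAN-IP is replaced by the documentation address 203.0.113.10 (assumption).
SAMPLE_LOGS = [
    'cert-manager/controller/clusterissuers "msg"="failed to verify ACME account" '
    '"error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: '
    'dial tcp 203.0.113.10:443: i/o timeout" '
    '"resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging"',
    'cert-manager/controller/clusterissuers "msg"="re-queuing item due to error processing" '
    '"error"="Get https://acme-staging-v02.api.letsencrypt.org/directory: '
    'dial tcp 203.0.113.10:443: i/o timeout" "key"="letsencrypt-staging"',
    # Contrast line (constructed): a timeout against a genuinely public address.
    # 172.65.32.248 is an arbitrary public address here, not a claim about
    # Let's Encrypt's real IPs.
    'cert-manager/controller/clusterissuers "msg"="error setting up issuer" '
    '"error"="Get https://acme-v02.api.letsencrypt.org/directory: '
    'dial tcp 172.65.32.248:443: i/o timeout"',
]

# Matches Go's net/http error text: 'Get <url>: dial tcp <ip>:<port>: <reason>'.
DIAL_RE = re.compile(
    r'Get (?P<url>https?://[^\s"]+?): dial tcp '
    r'(?:\[(?P<ip6>[0-9a-fA-F:]+)\]|(?P<ip4>[0-9.]+)):(?P<port>\d+): (?P<err>[^"]+)'
)


def parse_dial_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract host, dialed IP, port and error text from every dial failure."""
    out = []
    for line in lines:
        m = DIAL_RE.search(line)
        if not m:
            continue
        out.append({
            "host": urlsplit(m.group("url")).hostname,
            "ip": m.group("ip6") or m.group("ip4"),
            "port": m.group("port"),
            "error": m.group("err").strip(),
        })
    return out


def classify_target(ip: str, own_addresses: Iterable[str]) -> str:
    """'own-address' if the dialed IP is one of the cluster's own public
    addresses (e.g. the WAN IP), 'private' for RFC1918/loopback/link-local
    or other special-purpose space, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    if addr in {ipaddress.ip_address(a) for a in own_addresses}:
        return "own-address"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "external"


def diagnose(lines: Iterable[str], own_addresses: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per dial failure. A finding of kind 'own-address' for a
    public ACME hostname means the pod's resolver mapped that hostname onto
    the cluster's own address, so the pod is talking to itself, not to the CA."""
    own = list(own_addresses)
    return [{**f, "kind": classify_target(f["ip"], own)} for f in parse_dial_failures(lines)]


if __name__ == "__main__":
    # Usage: pass the WAN IP the ingress is exposed on (here the sample address).
    for finding in diagnose(SAMPLE_LOGS, ["203.0.113.10"]):
        print(f'{finding["host"]} -> {finding["ip"]}:{finding["port"]} '
              f'[{finding["kind"]}] {finding["error"]}')
```

For the real cluster, feed it `kubectl logs -n cert-manager deploy/cert-manager` and the WAN IP; an 'own-address' finding for acme-staging-v02.api.letsencrypt.org points at name resolution inside the pod (what CoreDNS or the upstream resolver returns for that name), which is where to look next rather than at inbound port forwarding.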