Question

404 letsencrypt challenge on VPS with kubernetes

DNS side On my DNS management provider (directAdmin) I have 2 A records pointing to my droplet ip (www, example.com). In my browser I get the default DA page (something amazing will be constructed here). With curl I get my webpage when i go to http://example.com and a cert issue when I try the https. So far understandable for me because my letsencrypt status is false.

K3s side Here I have a single node k3s environment on a droplet. Traefik Ingress routes are succesfully tested on server using curl. However my https lets encrypt config does not work with the following config

The challenge fails with the following output:

Accepting challenge authorization failed: acme: authorization error for example.com: 403 urn:ietf:params:acme:error:unauthorized: 2a03:b0c0:2:d0::14bf:4001: Invalid response from https://example.com/.well-known/acme-challenge/q-5BZ4t4ucyE5gLiIrMQccmhzOlqnTbtxxyofOH9r7c: 404
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    email: *****
    privateKeySecretRef:
      name: staging-issuer-account-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
      - http01:
          ingress:
            ingressTemplate:
              metadata:
                annotations:
                  kubernetes.io/ingress.class: traefik
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  annotations:
    #nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
    - secretName: example-com
      hosts:
        - example.com
  rules:
  - host: "example.com"
    http:
      paths:
      - pathType: Prefix
        path: "/api/"
        backend:
          service:
            name: example-backend
            port:
              number: 8080
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: example-ui
            port:
              number: 80
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com

I am relatively new to the ops side of developing and I do not know if more info is needed. Thanks in advance!


Submit an answer
Answer a question...

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
January 27, 2023

Hi @chris2301,

I’m not entirely sure as I’ve not had to deal that much with this, however you can edit your cert-manager deployment and add

spec:
 hostAliases:
     - hostnames:
       - example.com
       ip: 127.0.0.1 # replace with the ip