Issue with Waiting for HTTP-01 challenge propagation: failed to perform self check GET request from ACME challenges

I’ve been stuck on this issue for a while now, and even though this is a common issue, I can’t seem to figure it out why the fixes proposed here ( do not work for me.

Here’s my manifests: nginx-service.yaml code
kind: Service apiVersion: v1 metadata: name: ingress-nginx annotations: # See” namespace: ingress-nginx labels: ingress-nginx ingress-nginx spec: externalTrafficPolicy: Local type: LoadBalancer selector: ingress-nginx ingress-nginx ports: - name: http port: 80 targetPort: http - name: https port: 443 targetPort: https


apiVersion: kind: ClusterIssuer metadata: name: letsencrypt-cluster-issuer spec: acme: server: email: privateKeySecretRef: name: letsencrypt-cluster-issuer-key solvers: - http01: ingress: class: nginx


apiVersion: kind: Certificate metadata: name: echo-cert namespace: default spec: dnsNames: - secretName: echo-tls issuerRef: name: letsencrypt-cluster-issuer kind: ClusterIssuer

The url provided by the challenge is accessible via browser and wget, so I'm assuming the issue is with the network within the cluster. Does anyone know how do I fix this issue?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Hello Gabriel, I ran into the same issue today.

First, I assume that in the dnsNames of the certificate is a typo. I would have used :

As I installed DigitalOcean “NGINX Ingress Controller” from the 1-Click Apps, I already had the two first annotations below. I only had to add the last line to make it work:

apiVersion: v1
kind: Service
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations: xxxxxxx "true" ""

The difference I can see in your configuration is the lack of second annotation: “true”

Here’s a good article explaining this step:

I hope it helps.

Finally, until things work I suggest using the staging Let’s Encript url instead of the production one.

More information about this here :

“Let’s Encrypt imposes fairly strict limits on requests to ACME servers. To avoid unnecessary load on LE’s production environment, we recommend using the letsencrypt-staging certificate for testing (the difference is in the ACME server only).”

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel