Cert manager not working after nginx migration

[spoorthyredi2]

Recently we have migrated from using Community maintained Kubernetes Controller to NIC (3.3.0) and Nginx (1.25.2)
Post that the Auto renewal of TLS Certificates is failing .
The Http-01 challenges are failing with 404 or 403 errors.

Waiting for HTTP-01 challenge propagation: wrong status code '403', expected '200', Processing: true, Presented: true

During the time of renewal a new ingress for acme gets created but looks like its not reachable from nginx and hence the request gets routed instead to cert-manager instead of the acme solver pod .

Cert manager Webhook logs -
I1205 06:12:31.009927 1 dynamic_source.go:266] cert-manager/webhook "msg"="Updated cert-manager webhook TLS certificate" "DNSNames"=["cert-manager-webhook","cert-manager-webhook.cert-manager","cert-manager-webhook.cert-manager.svc"]
I1208 11:21:07.746462 1 logs.go:59] http: TLS handshake error from 10.0.1.4:51434: EOF

As per most users, such issues occur because the challenge request cannot route to acme solver pod. How can I rule out nginx issue here ?

[spoorthyredi2]

Noticed my current ClusterIssuer has

spec:
  acme:
    email: <fghjkl>
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx

and when I try to update it to
ingressClassName: nginx
I get , unknown field "spec.acme.solvers[0].http01.ingress.ingressClassName"

What is the right way to give class name in ClusterIssuer?

(edited)

[jasonwilliams14]

@spoorthyredi2 let us know if that fixes it for you. I was planning on doing some testing tomorrow as I had some curiosities of my own. 👍

[shaun-nx]

Hi @spoorthyredi2 if the answer. that @jasonwilliams14 gave you works, can you mark it as the answer? This helps us keep track of what questions have and have not been successfully answered. It also gives us confidence in closing the discussion if the issue was resolved.

Thanks!

[spoorthyredi2]

@jasonwilliams14 @shaun-nx Not yet . I have installed 1.12 cert manager now. the cert manager Self checks are still failing at the moment. Apparently the fix is to disable http to https redirect on ingress. However there seems to be no direct annotation available for it .. .

This is the error I see.

Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://testing.dev.leapmetrics.io/.well-known/acme-challenge/VEVLx5ABvyXbv2pvHHL7vfGwTn9jc1NPjTPEPuIfuxE': Get "https://testing.dev.leapmetrics.io:443/.well-known/acme-challenge/VEVLx5ABvyXbv2pvHHL7vfGwTn9jc1NPjTPEPuIfuxE": remote error: tls: unrecognized name

Also, the annotation is forcing cert-manager to create a temporary certificate. So removed it . Hence there is a new acme solver ingress. and it isnt resolved due to this error below -

Is there a way to fix this by not adding edit-in-place ?

[spoorthyredi2]

E0301 12:46:55.136024 1 sync.go:190] "cert-manager/challenges: propagation check failed" err="failed to perform self check GET request 'http://testing.dev.leapmetrics.io/.well-known/acme-challenge/VEVLx5ABvyXbv2pvHHL7vfGwTn9jc1NPjTPEPuIfuxE': Get \"https://testing.dev.leapmetrics.io:443/.well-known/acme-challenge/VEVLx5ABvyXbv2pvHHL7vfGwTn9jc1NPjTPEPuIfuxE\": remote error: tls: unrecognized name" resource_name="marchnow-5rd5r-3109991469-2079860296" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="testing.dev.leapmetrics.io" type="HTTP-01"

[jjngx]

@spoorthyredi2 could you please update us if this is solved?