
pragkent avatar pragkent commented on June 16, 2024

Could you please paste logs from the alidns-webhook pod?
And have you changed anything of bundle.yaml?

from alidns-webhook.

Hello-Linux avatar Hello-Linux commented on June 16, 2024

Yes, I changed your bundle.yaml, because the apiversion "certmanager.k8s.io/v1alpha1" is old
2020-03-11 16-00-28 screenshot
then I changed the apiversion to "cert-manager.io/v1alpha2"

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent and the alidns-pod logs are
2020-03-11 17-03-25 screenshot

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent the pod error is "I0311 09:06:21.887651 1 log.go:172] http: TLS handshake error from 192.168.40.115:44962: remote error: tls: bad certificate" Why?

pragkent avatar pragkent commented on June 16, 2024

Please check your bundle.yaml, I think you also need to change the annotations of the APIService from

certmanager.k8s.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"

to

cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent After changing this file, I still have this error

I0312 07:27:54.904753 1 log.go:172] http: TLS handshake error from 192.168.40.115:57886: remote error: tls: bad certificate
I0312 07:28:20.022454 1 log.go:172] http: TLS handshake error from 192.168.40.115:57950: remote error: tls: bad certificate
I0312 07:28:20.105644 1 log.go:172] http: TLS handshake error from 192.168.40.115:57952: remote error: tls: bad certificate
I0312 07:28:22.278387 1 log.go:172] http: TLS handshake error from 192.168.40.115:57966: remote error: tls: bad certificate

2020-03-12 15-26-26 screenshot

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent Have you tested this feature yourself recently?

pragkent avatar pragkent commented on June 16, 2024

Have not. I only tested on cert-manager 0.8.1.
What's your cert-manager version?

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent My cert-manager is 0.13. Can you test it on the new version? I think your repository is the official webhook

pragkent avatar pragkent commented on June 16, 2024

@Hello-Linux ok, I'll have a test. I'll get back to you later.

iamdanielyin avatar iamdanielyin commented on June 16, 2024

bad certificate +1

pragkent avatar pragkent commented on June 16, 2024

@Hello-Linux it's my fault.
The DNS names used in webhook-tls were wrong, which caused the TLS handshake error.

And according to the current RBAC settings, the webhook pod needs access rights to alidns-secret,
so it would be easier to use ClusterIssuer instead of Issuer, and create alidns-secret in the cert-manager namespace.

You can find detail here:
fix
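
The "remote error: tls: bad certificate" line in the pod logs is the webhook's view of a failure that actually happens on the other side: the API server, acting as TLS client, rejects a webhook certificate whose DNS names do not cover the service name it dialed, sends a bad_certificate alert, and the webhook only logs that alert. The Go program below is an added example, not code from alidns-webhook, that reproduces both sides of that exchange in-process on loopback. It issues a self-signed certificate (standing in for the cert-manager-issued webhook-tls secret) with a chosen SAN list and performs a handshake against the expected service name. The name alidns-webhook.cert-manager.svc is an assumption derived from the secret reference cert-manager/alidns-webhook-webhook-tls in this thread, not a value taken from the project's bundle.yaml.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// WebhookService is the DNS name the API server uses to reach the webhook.
// Assumed from the "cert-manager/alidns-webhook-webhook-tls" secret reference
// in the thread; it is not read from the project's bundle.yaml.
const WebhookService = "alidns-webhook.cert-manager.svc"

// SelfSignedCert issues a short-lived self-signed ECDSA certificate carrying
// the given SANs. It stands in for the cert-manager-issued webhook-tls
// certificate: the SAN list is the only thing that differs between a broken
// and a working bundle. The returned pool trusts exactly this certificate.
func SelfSignedCert(dnsNames []string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake serves cert on a loopback TLS listener and connects to it as a
// client that trusts pool and expects serverName, the way the API server
// connects to the webhook. It returns what each side observed: the client's
// x509 verification error and the server's view of it, which for a SAN
// mismatch is the "remote error: tls: bad certificate" seen in the pod logs.
func Handshake(serverName string, cert tls.Certificate, pool *x509.CertPool) (clientErr, serverErr error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err, nil
	}
	defer ln.Close()

	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo
		srvDone <- conn.(*tls.Conn).Handshake()
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName})
	if err == nil {
		conn.Close()
	}
	clientErr = err
	select {
	case serverErr = <-srvDone:
	case <-time.After(5 * time.Second):
		serverErr = errors.New("server handshake timed out")
	}
	return clientErr, serverErr
}

// Check issues a certificate for sans and reports both sides of a handshake
// against serverName.
func Check(sans []string, serverName string) (clientErr, serverErr error) {
	cert, pool, err := SelfSignedCert(sans)
	if err != nil {
		return err, nil
	}
	return Handshake(serverName, cert, pool)
}

func main() {
	for _, sans := range [][]string{
		{"alidns-webhook"},                 // SAN list that does not cover the service name
		{"alidns-webhook", WebhookService}, // SAN list that matches what the API server dials
	} {
		cErr, sErr := Check(sans, WebhookService)
		fmt.Printf("SANs %v\n  client: %v\n  server: %v\n", sans, cErr, sErr)
	}
}
```

With the first SAN list the client fails with "x509: certificate is valid for alidns-webhook, not alidns-webhook.cert-manager.svc" and the server reports "remote error: tls: bad certificate"; the second list handshakes cleanly. Against a real cluster the equivalent check is to compare the DNS names listed by kubectl describe cert -n cert-manager alidns-webhook-webhook-tls with the service name the APIService resolves to.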

pragkent avatar pragkent commented on June 16, 2024

@yinfxs Please try master branch.

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent No problem now?

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent I just tested it and it still doesn't work
2020-03-13 17-44-49 screenshot
2020-03-13 17-45-24 screenshot

pragkent avatar pragkent commented on June 16, 2024

I tested this on my machine, it works fine.
Could you please paste your bundle.yaml, cert and issuer here?

pragkent avatar pragkent commented on June 16, 2024

And the tls certificate contents:

kubectl describe cert -n cert-manager alidns-webhook-webhook-tls

Hello-Linux avatar Hello-Linux commented on June 16, 2024

bundle.zip

@pragkent
My clusterIssuer is

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-http01
    solvers:
    - http01: # ACME HTTP-01 solver configurations
        ingress:
          class: nginx
      selector:
        dnsNames:
        - 'spagobi.nihao.com'
        - 'fortress.nihao.com'
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
      selector:
        dnsNames:
        - 'jira.nihao.com'
        - 'wiki.nihao.com'

my Certificate.yaml is

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: jira
  namespace: common
spec:
  secretName: jira-server-tls
  issuerRef:
    name: letsencrypt-http01
    kind: ClusterIssuer
  commonName: jira.nihao.com
  dnsNames:
  - jira.nihao.com
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wiki
  namespace: common
spec:
  secretName: wiki-server-tls
  issuerRef:
    name: letsencrypt-http01
    kind: ClusterIssuer
  commonName: wiki.nihao.com
  dnsNames:
  - wiki.nihao.com

2020-03-13 21-29-49 screenshot

pragkent avatar pragkent commented on June 16, 2024

Hmm... I just tested your bundle.yaml on a brand new GKE cluster, and it works.

pragkent@cloudshell:~$ kubectl logs -n cert-manager alidns-webhook-6d9b499464-gsjmq
I0314 02:08:11.486549       1 secure_serving.go:116] Serving securely on [::]:443
I0314 02:11:57.312131       1 solver.go:47] Presenting txt record: _acme-challenge.jira.nihao2.com. com.

The webhook pod is serving https traffic using tls cert saved in cert-manager/alidns-webhook-webhook-tls.

Maybe you can try to delete the webhook resources and apply them again?

kubectl delete -f bundle.yaml
# also delete tls secrets generated by webhook certificates.
kubectl delete secret -n cert-manager alidns-webhook-webhook-tls alidns-webhook-ca

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent Succeeded! Just delete and re-create it.

pragkent avatar pragkent commented on June 16, 2024

Cool, then I'll close the issue for now.

Hello-Linux avatar Hello-Linux commented on June 16, 2024

@pragkent ok

petergithub avatar petergithub commented on June 16, 2024

@pragkent and the alidns-pod logs are 2020-03-11 17-03-25 screenshot

Got the same issue.
Just delete the pod alidns-webhook-; after the new pod is created, the error is gone and the certificate is in READY status.