cert-manager-webhook-dnspod

Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)

Open liangjaden opened this issue 3 years ago • 12 comments

Status:
  Presented: false
  Processing: true
  Reason: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)
  State: pending
Events:
  Type Reason Age From Message
  Normal Started 2m36s cert-manager-challenges Challenge scheduled for processing
  Warning PresentError 5s (x6 over 2m30s) cert-manager-challenges Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)

liangjaden avatar Sep 29 '22 02:09 liangjaden

You could check the running status and logs of the cert-manager and webhook pods.

imroc avatar Sep 29 '22 07:09 imroc

[root@master-1 system]# kubectl logs cert-manager-7c8dcb88dc-8nzj6 -n cert-manager --tail 100
E0929 03:08:28.960148 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="the server is currently unable to handle the request (post dnspod.local.gimcszjh.com)" "key"="cert-manager/local-gimc-crt-jwdvz-609886764-1640489819"
I0929 03:08:33.960123 1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="local.gimcszjh.com" "domain"="local.gimcszjh.com" "resource_kind"="Challenge" "resource_name"="local-gimc-crt-jwdvz-609886764-1640489819" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E0929 03:08:33.961687 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="the server is currently unable to handle the request (post dnspod.local.gimcszjh.com)" "key"="cert-manager/local-gimc-crt-jwdvz-609886764-1640489819"

liangjaden avatar Sep 29 '22 07:09 liangjaden

[root@master-1 system]# kubectl logs cert-manager-webhook-5774d5d8f7-b7r2t -n cert-manager --tail 100
I0929 02:13:20.326950 1 feature_gate.go:245] feature gates: &{map[]}
W0929 02:13:20.327009 1 client_config.go:617] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I0929 02:13:20.335312 1 webhook.go:129] cert-manager "msg"="using dynamic certificate generating using CA stored in Secret resource" "secret_name"="cert-manager-webhook-ca" "secret_namespace"="cert-manager"
I0929 02:13:20.335465 1 server.go:133] cert-manager/webhook "msg"="listening for insecure healthz connections" "address"=":6080"
I0929 02:13:20.335506 1 server.go:197] cert-manager/webhook "msg"="listening for secure connections" "address"=":10250"
I0929 02:13:21.345640 1 dynamic_source.go:266] cert-manager/webhook "msg"="Updated cert-manager webhook TLS certificate" "DNSNames"=["cert-manager-webhook","cert-manager-webhook.cert-manager","cert-manager-webhook.cert-manager.svc"]
I0929 02:13:27.507486 1 logs.go:59] http: TLS handshake error from 172.23.202.128:50568: remote error: tls: bad certificate
I0929 02:13:32.503202 1 logs.go:59] http: TLS handshake error from 172.23.202.128:50572: remote error: tls: bad certificate
I0929 02:13:37.508979 1 logs.go:59] http: TLS handshake error from 172.23.202.128:51074: remote error: tls: bad certificate
I0929 02:13:42.499059 1 logs.go:59] http: TLS handshake error from 172.23.202.128:51082: remote error: tls: bad certificate
I0929 02:13:47.510127 1 logs.go:59] http: TLS handshake error from 172.23.202.128:47978: remote error: tls: bad certificate
I0929 02:13:52.499953 1 logs.go:59] http: TLS handshake error from 172.23.202.128:47988: remote error: tls: bad certificate
I0929 02:13:57.511898 1 logs.go:59] http: TLS handshake error from 172.23.202.128:35454: remote error: tls: bad certificate
I0929 02:14:02.503811 1 logs.go:59] http: TLS handshake error from 172.23.202.128:35462: remote error: tls: bad certificate
I0929 02:14:07.501541 1 logs.go:59] http: TLS handshake error from 172.23.202.128:57366: remote error: tls: bad certificate
I0929 02:14:13.402774 1 logs.go:59] http: TLS handshake error from 192.168.31.21:49416: remote error: tls: bad certificate
I0929 02:14:18.412360 1 logs.go:59] http: TLS handshake error from 192.168.31.21:49422: remote error: tls: bad certificate
I0929 02:14:23.414457 1 logs.go:59] http: TLS handshake error from 192.168.31.21:51740: remote error: tls: bad certificate
I0929 02:14:28.416373 1 logs.go:59] http: TLS handshake error from 192.168.31.21:51752: remote error: tls: bad certificate
I0929 02:16:17.129348 1 logs.go:59] http: TLS handshake error from 172.23.202.128:46674: EOF
I0929 02:16:17.145780 1 logs.go:59] http: TLS handshake error from 192.168.31.21:56036: EOF
I0929 02:16:17.198062 1 logs.go:59] http: TLS handshake error from 172.23.202.128:46702: EOF
I0929 02:16:17.205104 1 logs.go:59] http: TLS handshake error from 192.168.31.21:56046: EOF
I0929 02:22:34.141107 1 logs.go:59] http: TLS handshake error from 192.168.31.21:59952: EOF
I0929 02:52:42.400049 1 logs.go:59] http: TLS handshake error from 192.168.31.21:58302: EOF
I0929 02:54:56.047989 1 logs.go:59] http: TLS handshake error from 192.168.31.21:49046: EOF
I0929 03:08:13.875423 1 logs.go:59] http: TLS handshake error from 192.168.31.21:38134: EOF
I0929 03:12:48.324994 1 logs.go:59] http: TLS handshake error from 192.168.31.21:45600: EOF
I0929 03:24:31.373706 1 logs.go:59] http: TLS handshake error from 192.168.31.21:50392: EOF
I0929 03:27:30.935697 1 logs.go:59] http: TLS handshake error from 192.168.31.21:34436: EOF

liangjaden avatar Sep 29 '22 07:09 liangjaden

[root@master-1 system]# kubectl logs cert-manager-webhook-dnspod-54fd6bf868-rjch6 -n cert-manager --tail 100
E0929 07:26:33.443603 1 authentication.go:53] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not in the allowed list, x509: certificate signed by unknown authority]
E0929 07:26:33.443623 1 authentication.go:53] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not in the allowed list, x509: certificate signed by unknown authority]
E0929 07:26:33.443606 1 authentication.go:53] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not in the allowed list, x509: certificate signed by unknown authority]
E0929 07:26:33.443606 1 authentication.go:53] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not in the allowed list, x509: certificate signed by unknown authority]
E0929 07:26:33.443606 1 authentication.go:53] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not in the allowed list, x509: certificate signed by unknown authority]

liangjaden avatar Sep 29 '22 07:09 liangjaden

[root@master-1 system]# kubectl get pods -n cert-manager -owide
NAME                                           READY   STATUS    RESTARTS   AGE     IP               NODE       NOMINATED NODE   READINESS GATES
cert-manager-7c8dcb88dc-8nzj6                  1/1     Running   0          5h16m   172.23.119.136   node-1
cert-manager-cainjector-bbdb88874-6s4m5        1/1     Running   0          5h16m   172.23.119.160   node-1
cert-manager-webhook-5774d5d8f7-b7r2t          1/1     Running   0          5h16m   172.25.235.96    master-2
cert-manager-webhook-dnspod-54fd6bf868-rjch6   1/1     Running   0          4h2m    172.23.119.159   node-1

liangjaden avatar Sep 29 '22 07:09 liangjaden

Which version of cert-manager is it?

imroc avatar Sep 29 '22 08:09 imroc

Installed with helm. v1.9.1

liangjaden avatar Sep 29 '22 08:09 liangjaden

I installed 1.9.1 using YAML, and it works normally. [image]

imroc avatar Sep 29 '22 08:09 imroc

Try cleaning everything up and reinstalling.

imroc avatar Sep 29 '22 08:09 imroc

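After cleaning up and installing via YAML, the error message is the same. My K8s environment is set up locally, and the k8s certificates are configured with cfssl. It is then accessed through a reverse proxy via a public domain name. Could this environment be affecting it?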

liangjaden avatar Sep 29 '22 08:09 liangjaden

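In theory it shouldn't have any effect. You could also try it in another environment and compare the differences. I don't have the bandwidth to analyze it in depth for now.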

imroc avatar Sep 29 '22 09:09 imroc

OK, thanks~

liangjaden avatar Sep 29 '22 09:09 liangjaden