
Status code 401 during reachability test

Open pdoreau opened this issue 7 years ago • 7 comments

Hello.

After adding the kube-lego deployment these lines are printed:

time="2016-09-21T16:30:18Z" level=warning msg="wrong status code '401'" context=acme host=my-host.com 
time="2016-09-21T16:30:18Z" level=warning msg="Error while obtaining certificate: reachabily test failed for this cert" context=acme 
time="2016-09-21T16:30:23Z" level=debug msg="testing reachablity of http://my-host.com/.well-known/acme-challenge/_selftest" context=acme host=my-host.com

I'm using the nginx controller with http auth. Can this be the cause? How can I pass the reachability test?

pdoreau avatar Sep 21 '16 16:09 pdoreau

I think that might be a regression of using http auth. Can you add more information:

  • kubectl get ingress -o yaml --all-namespaces
  • nginx-ingress config and version tag

simonswine avatar Sep 29 '16 12:09 simonswine

I'm having the same problem. It looks like nginx (instead of kube-lego) is claiming the /.well-known/ path

renaudguerin avatar Oct 05 '16 14:10 renaudguerin

@pdoreau additionally please post the nginx.conf from the ingress controller

aledbf avatar Oct 05 '16 14:10 aledbf

@aledbf: In my case there is no location for "/.well-known/acme-challenge/" in the generated nginx.conf in the controller. Could it just be that kube-lego needs to be started before the controller? Or a namespace issue (I have kube-lego in its own namespace, different from the nginx one)?

renaudguerin avatar Oct 05 '16 14:10 renaudguerin

Right, for me the problem was caused by starting the ingress controller with "--watch-namespace=$(POD_NAMESPACE)" while kube-lego was in its own (different) namespace.

Removing watch-namespace to allow the controller to watch everything fixes that; however, this isn't a good long-term solution for people who use namespaces to isolate different environments (staging/prod, etc.) and require an instance of the nginx controller in each.

I suppose I could also keep watch-namespace and start kube-lego in the same namespace as the controller so they can see each other; however, in order to keep environment isolation this would require an equivalent to "watch-namespace" added for kube-lego, so that it doesn't try grabbing all ingress objects regardless of namespace.

renaudguerin avatar Oct 05 '16 14:10 renaudguerin

Right, this is indeed a namespace problem. My nginx rc is configured with watch-namespace, so the challenge request was handled by one of my services (which is protected by http auth) and not the kube-lego-nginx service. That's why a 401 was returned.

It works well with a kube-lego deployment & service declared in the same namespace as my nginx rc / ingress.

pdoreau avatar Oct 06 '16 10:10 pdoreau
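The namespace mismatch diagnosed in this thread can be checked offline before redeploying. The following script is an added example and not part of kube-lego or nginx-ingress: it models which ingress rules a controller started with --watch-namespace can see and which backend the ACME self-test path would reach under simple longest-prefix routing. The ingress objects, namespace names and service names (my-app-auth, kube-lego-nginx) are constructed to mirror the setup described above.

```python
# Model of nginx-ingress routing restricted by --watch-namespace, used to
# show why the ACME challenge can land on an http-auth protected backend.
# Constructed example data, not output from a real cluster.

ACME_PATH = "/.well-known/acme-challenge/"
SELFTEST = ACME_PATH + "_selftest"

# Shape mirrors `kubectl get ingress -o yaml --all-namespaces` (v1beta1 era).
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "prod", "name": "my-app"},
     "spec": {"rules": [{"host": "my-host.com", "http": {"paths": [
         {"path": "/", "backend": {"serviceName": "my-app-auth"}}]}}]}},
    {"metadata": {"namespace": "kube-lego", "name": "kube-lego-nginx"},
     "spec": {"rules": [{"host": "my-host.com", "http": {"paths": [
         {"path": ACME_PATH, "backend": {"serviceName": "kube-lego-nginx"}}]}}]}},
]


def visible_ingresses(ingresses, watch_namespace=None):
    """Ingresses the controller actually watches; None means all namespaces."""
    if watch_namespace is None:
        return list(ingresses)
    return [i for i in ingresses if i["metadata"]["namespace"] == watch_namespace]


def resolve_backend(ingresses, watch_namespace, host, path):
    """Longest matching path prefix among visible rules for `host`.
    Returns (service, namespace) or None. Simplified nginx location model."""
    best = None
    for ing in visible_ingresses(ingresses, watch_namespace):
        for rule in ing["spec"].get("rules", []):
            if rule.get("host") != host:
                continue
            for p in rule.get("http", {}).get("paths", []):
                prefix = p.get("path", "/")
                if path.startswith(prefix) and (best is None or len(prefix) > best[0]):
                    best = (len(prefix), p["backend"]["serviceName"],
                            ing["metadata"]["namespace"])
    return None if best is None else (best[1], best[2])


def diagnose(ingresses, watch_namespace, host, lego_service="kube-lego-nginx"):
    """'ok' if the self-test reaches kube-lego, 'shadowed:<svc>' if another
    service would answer (expect 401/403 with auth), 'no-route' if none."""
    hit = resolve_backend(ingresses, watch_namespace, host, SELFTEST)
    if hit is None:
        return "no-route"
    return "ok" if hit[0] == lego_service else "shadowed:" + hit[0]
```

With watch-namespace set to the application namespace the self-test is shadowed by the auth-protected service, which is the 401 seen in the original log; dropping the flag or placing kube-lego in the watched namespace resolves it.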

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Send feedback to jetstack. /lifecycle stale

retest-bot avatar Jun 05 '18 16:06 retest-bot