
support plaintext ingress for HTTP01 challenges

Open wasaga opened this issue 1 year ago • 0 comments

Currently, we automatically redirect from port 80 to 443. That causes HTTP01 cert-manager challenges to fail if client CA is configured.

This is unfortunately non-trivial to change, as all routes are configured in the listener on port 443, while port 80 is doing just redirects.

Unfortunately there's no way to disable the client cert request just for the HTTP01 challenges, as this is configured per port (443), and as such HTTP01 challenges are fundamentally incompatible with mTLS. You have to use a different cert-manager Issuer challenge type, such as DNS.

Wouldn't it be possible to disable the https redirect on port 80 for the ACME challenge routes? That way we circumvent the problem entirely.

EDIT: Background info: Let's Encrypt verifies the challenges using plaintext requests but follows redirects.

Originally posted by @andsens in https://github.com/pomerium/ingress-controller/issues/697#issuecomment-1642112691

wasaga avatar Jul 19 '23 15:07 wasaga
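The exemption @andsens proposes, sketched as an added example in plain net/http (this is not the ingress-controller's own code): the port-80 listener answers ACME HTTP-01 paths in plaintext and keeps redirecting everything else to 443, so the CA's validation request never reaches the listener that demands a client certificate. The solver, host name and token are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Path prefix used by ACME HTTP-01 validation (RFC 8555 section 8.3).
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// plaintextListener is the port-80 handler: HTTP-01 challenge paths are served in plaintext
// by the solver, everything else still redirects to the mTLS-protected listener on 443.
func plaintextListener(solver http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, acmeChallengePrefix) {
			solver.ServeHTTP(w, r)
			return
		}
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusPermanentRedirect)
	})
}

// demoSolver stands in for cert-manager's HTTP-01 solver; token and key authorization are constructed.
func demoSolver() http.Handler {
	known := map[string]string{"tok-constructed": "tok-constructed.thumbprint-constructed"}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if auth, ok := known[strings.TrimPrefix(r.URL.Path, acmeChallengePrefix)]; ok {
			w.Header().Set("Content-Type", "application/octet-stream")
			io.WriteString(w, auth)
			return
		}
		http.NotFound(w, r)
	})
}

// probe sends a plaintext GET through h and returns status, Location header and body.
func probe(h http.Handler, host, path string) (int, string, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "http://"+host+path, nil))
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	h := plaintextListener(demoSolver())
	fmt.Println(probe(h, "example.test", acmeChallengePrefix+"tok-constructed")) // 200 and the key authorization
	fmt.Println(probe(h, "example.test", "/login"))                                // 308 to https://example.test/login
}
```

The redirect for non-challenge paths is unchanged, so the client-CA requirement on 443 still applies to every real application route.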