godaddy-webhook

Error presenting challenge cannot create resource "godaddy" in API group "acme.amprajin.in" at the cluster scope

Open PRAJINPRAKASH opened this issue 1 year ago • 6 comments

Error presenting challenge: godaddy.acme.amprajin.in is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "godaddy" in API group "acme.amprajin.in" at the cluster scope

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # ACME Server
    # prod : https://acme-v02.api.letsencrypt.org/directory
    # staging : https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # ACME Email address
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging # staging or production
    solvers:
    - selector:
        dnsNames:
        - '*.amprajin.in'
      dns01:
        webhook:
          config:
            apiKeySecretRef:
              name: godaddy-api-key
              key: token
            production: true
            ttl: 600
          groupName: acme.amprajin.in
          solverName: godaddy
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-amprajin-in
spec:
  secretName: wildcard-amprajin-in-tls
  renewBefore: 240h
  dnsNames:
  - '*.amprajin.in'
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

PRAJINPRAKASH, Mar 27 '23 13:03

Did you figure this out? I have the same exact issue.

spencertr, Mar 30 '23 03:03

Have you tried creating a ClusterRole and a ClusterRoleBinding like someone else stated online here?

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dns-challenge-missing-role
rules:
- apiGroups: ["acme.amprajin.in"] # must match the groupName set in the ClusterIssuer solver
  resources: ["godaddy"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dns-challenge-missing-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dns-challenge-missing-role
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
  

giacomotontini, May 04 '23 14:05

Can we close this ticket if you have been able to resolve it? @PRAJINPRAKASH

cmoulliard, Sep 18 '23 16:09

This error happens when installing godaddy-webhook using the kubectl apply -f ... method. The cert-manager.yaml has the string acme.mycompany.com hard-coded for the groupName. What you have to do is download that file and replace that value with the value you want.

OR

Install it using Helm with helm upgrade --install -n cert-manager godaddy-webhook godaddy-webhook/godaddy-webhook --set groupName=acme.YOURCOMPANY.com

ckt114, Feb 04 '24 03:02
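
A way to confirm both diagnoses in this thread (the missing RBAC grant and the hard-coded group name), as an added example that is not part of the thread or the godaddy-webhook project. The function names and the sample rule are constructed, and the manifest scan assumes flow-style `apiGroups: [...]` lines like the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread or the godaddy-webhook project.
# Function names and the sample rule are constructed for illustration.

# Pull one quoted field (e.g. User "...") out of a "forbidden" message.
field() { printf '%s\n' "$1" | sed -n "s/.*$2 \"\([^\"]*\)\".*/\1/p"; }

# Turn the error into the matching `kubectl auth can-i` probe.
can_i_cmd() {
  user=$(field "$1" 'User'); res=$(field "$1" 'resource')
  grp=$(field "$1" 'API group')
  verb=$(printf '%s\n' "$1" | sed -n 's/.* cannot \([a-z]*\) resource .*/\1/p')
  [ -n "$user" ] && [ -n "$res" ] && [ -n "$grp" ] && [ -n "$verb" ] || return 1
  printf 'kubectl auth can-i %s %s.%s --as=%s\n' "$verb" "$res" "$grp" "$user"
}

# List the API groups granted by RBAC rules in a manifest read on stdin.
# Assumption: flow-style lists (apiGroups: ["a", "b"]), not block-style.
granted_groups() {
  sed -n 's/^ *-* *apiGroups: *\[\([^]]*\)\].*/\1/p' | tr ',' '\n' |
    sed 's/^ *//; s/ *$//; s/^["'\'']//; s/["'\'']$//' | sort -u
}

# Succeeds only if the solver's groupName (or "*") is among the granted groups.
group_is_granted() { granted_groups | grep -Fqx -e "$1" -e '*'; }

# Constructed sample: a rule still carrying the hard-coded group from the thread.
SAMPLE_RBAC='rules:
- apiGroups: ["acme.mycompany.com"]
  resources: ["*"]
  verbs: ["create"]'
# The error message reported in this issue.
ERR='godaddy.acme.amprajin.in is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "godaddy" in API group "acme.amprajin.in" at the cluster scope'

can_i_cmd "$ERR"
printf '%s\n' "$SAMPLE_RBAC" | group_is_granted acme.amprajin.in ||
  echo "groupName acme.amprajin.in is not granted by the installed RBAC"
```

Running the printed `kubectl auth can-i` command needs impersonation rights for `--as`; to scan a real install, pipe the manifest you applied into `group_is_granted` instead of the sample.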

Can you propose a PR to improve the readme file of this project to warn the user and propose solutions as you suggested? @ckt114

cmoulliard, Feb 08 '24 12:02

@cmoulliard https://github.com/snowdrop/godaddy-webhook/pull/42

ckt114, Feb 09 '24 20:02