Ingress for GoDaddy Domain - using cert-manager and let's encrypt

I am trying to configure ingress for a GoDaddy domain, using cert-manager and Let's Encrypt.
I followed this tutorial: https://github.com/snowdrop/godaddy-webhook/blob/main/README.md (used Issuer instead of ClusterIssuer)
but I got some issues. Here are the logs from the godaddy webhook and cert-manager pods:

cert logs: E0108 15:20:50.814963 1 controller.go:167] "cert-manager/challenges: re-queuing item due to error processing" err="Unable to check the TXT record: ### Unexpected HTTP status: 401" key="default/wildcard-adeiz-com-tls-1-1087293611-828888654"

Did you create an API Key and Token? Or are you trying to use a username and password?

I used the API token, token: api_token:secret

I just checked my records. I only had an API Token. My Secret looked like this:

apiVersion: v1
kind: Secret
metadata:
  name: godaddy-api-key
type: Opaque
stringData:
  token: B9dFHuJHiFI_uUFEHiu8748hfji483huejfekj

Oh yeah, right, I just changed it and I got a new problem in the cert-manager log:

E0108 19:44:15.302561       1 controller.go:167] "cert-manager/challenges: re-queuing item due to error processing" err="the server is currently unable to handle the request (post godaddy.acme.mycompany.com)" key="default/wildcard-adeiz-com-tls-1-1087293611-828888654"

If you have been trying things out using the production API you have probably run into rate limits. Get it working with staging first and then change the endpoint.
You can look at the challenge for more details:

kubectl describe challenge wildcard-adeiz-com-tls-1-1087293611-828888654 -n default

You mean when I create the GoDaddy API I choose the other OTE option instead of production? Also, there is not much info in the challenge CRD.

kube-api-server logs:

E0109 10:23:48.861324       1 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.mycompany.com" failed with: OpenAPI spec does not exist
I0109 10:23:48.861370       1 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.mycompany.com: Rate Limited Requeue.

Looks like you still have some items to configure. I don’t think it should be mycompany.com

There is also an error in the webhook logs:

E0109 12:13:21.657691       1 runtime.go:77] Observed a panic: runtime error: index out of range [1] with length 1

When I used another config for the groupName I got an issue:

Error presenting challenge: godaddy.acme.testps.adeiz.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "godaddy" in API group "acme.testps.adeiz.com" at the cluster scope

So I followed this: cannot create resource "dynu" in API group "dynu-webhook" · Issue #1 · Dopingus/cert-manager-webhook-dynu · GitHub

But I still have an error in the cainjector pod:

E0108 13:45:34.080600       1 sources.go:106] "cert-manager: unable to fetch associated certificate" err="Certificate.cert-manager.io \"godaddy-webhook-webhook-tls\" not found" kind="apiservice" kind="apiservice" name="v1alpha1.acme.mycompany.com" certificate="cert-manager/godaddy-webhook-webhook-tls"
I0108 13:45:34.080643       1 reconciler.go:118] "cert-manager: could not find any ca data in data source for target" kind="apiservice" kind="apiservice" name="v1alpha1.acme.mycompany.com"

webhook logs:

E0109 12:13:21.657691       1 runtime.go:77] Observed a panic: runtime error: index out of range [1] with length 1

api-server logs:

E0109 10:23:48.861324       1 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.mycompany.com" failed with: OpenAPI spec does not exist
I0109 10:23:48.861370       1 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.mycompany.com: Rate Limited Requeue.

I followed the guide using ClusterIssuer and I was able to create a wildcard cert. Why do you need Issuer type?

I tried them both with the same result. Could you provide your configuration files, please?

I literally followed the guide but used cluster issuer. Uninstall the helm chart and delete the secret and start over with ClusterIssuer.

I will try, thanks. By the way, did you change groupName or did you set the default value "acme.mycompany.com"?

No I did not change the group name.

I watched a describe of the order and it completed in about a minute.

That’s weird, I also followed the same steps and it did not work. Anyway, I created an issue on the repo. Thanks so much for your time and efforts, I really appreciate it.

What is the issue now when using ClusterIssuer?

token: <api_key:secret> # echo -n "<api_key:secret>" | base64

You don’t encode the token, you just copy and paste it as is.

I just edited it now:

  • Used ClusterIssuer
  • Edited godaddy-api-secret → api_key:secret

Same error and same logs.