Cert-manager - self check failed error

I am using Istio as the ingress controller and am trying to get cert-manager working. Following is my setup:

## Ingress yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    kubernetes.io/ingress.class: istio
    cert-manager.io/cluster-issuer: letsencrypt-staging-clusterissuer
  name: <domain>-com-ing
  namespace: istio-system
spec:
  rules:
  - host: <domain>
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
  - hosts:
    - <domain>
    secretName: <domain>-cert
```
```
$ kubectl get ingress -n istio-system
NAME                        CLASS    HOSTS                 ADDRESS    PORTS     AGE
cm-acme-http-solver-95sfq   <none>   <domain>   80        55m
<domain>-ing                <none>   <domain>   80, 443   55m
```

Note: I have proper routing from my router.

`$ kubectl get ingress/cm-acme-http-solver-95sfq -n istio-system -o json`

```json
{
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "annotations": {
            "kubernetes.io/ingress.class": "istio",
            "nginx.ingress.kubernetes.io/whitelist-source-range": ",::/0"
        },
        "creationTimestamp": "2022-02-04T05:53:32Z",
        "generateName": "cm-acme-http-solver-",
        "generation": 1,
        "labels": {
            "acme.cert-manager.io/http-domain": "1265239940",
            "acme.cert-manager.io/http-token": "1441009452",
            "acme.cert-manager.io/http01-solver": "true"
        },
        "name": "cm-acme-http-solver-95sfq",
        "namespace": "istio-system",
        "ownerReferences": [
            {
                "apiVersion": "acme.cert-manager.io/v1",
                "blockOwnerDeletion": true,
                "controller": true,
                "kind": "Challenge",
                "name": "<domain>-cert-79msr-4068485403-3913127933",
                "uid": "a78b01cb-e401-4bde-b698-24bf065bc82e"
            }
        ],
        "resourceVersion": "180647",
        "uid": "2b76230c-dfc5-4f29-bf10-c1a9b06f5759"
    },
    "spec": {
        "rules": [
            {
                "host": "<domain>",
                "http": {
                    "paths": [
                        {
                            "backend": {
                                "service": {
                                    "name": "cm-acme-http-solver-zjkqh",
                                    "port": {
                                        "number": 8089
                                    }
                                }
                            },
                            "path": "/.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY",
                            "pathType": "ImplementationSpecific"
                        }
                    ]
                }
            }
        ]
    },
    "status": {
        "loadBalancer": {
            "ingress": [
                {
                    "ip": ""
                }
            ]
        }
    }
}
```

```
Challenge Status: self check failed
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http:///.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY': Get "http:///.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
State: pending
```

I was able to hit the URL from outside the k8s environment:

```
$ curl http://<domain>/.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY
```

Note: the same doesn't work inside a pod; it's trying to reach the public DNS IP rather than routing within the mesh or hitting the ingress.

In Istio, I know we can use VirtualService → hosts [] → http match → gateway ["mesh"] to internally route traffic for the matching domains. How can I achieve the same with the Istio → cert-manager Ingress resource method mentioned above? Any suggestions?

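One way to wire up the in-mesh routing the post describes, as an added example that is not part of the original post: a ServiceEntry that makes the public hostname known to the sidecars, plus a VirtualService bound to the `mesh` gateway that hands in-cluster requests for `<domain>` to the ingress gateway Service, so the routes generated from the Ingress resources (including the ACME solver path) apply to them as well. Assumed: Istio's default `istio-ingressgateway` Service in `istio-system`, and that the cert-manager controller pod has a sidecar injected (without one, the self check never enters the mesh and this has no effect).

```yaml
# Added example, not from the original post. Assumes Istio's default
# istio-ingressgateway Service in istio-system, and that the pod doing the
# self check (the cert-manager controller) has an Istio sidecar injected.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: public-domain-entry
  namespace: istio-system
spec:
  # Make the public hostname known to the sidecars so the VirtualService
  # below gets a virtual host on the outbound port-80 HTTP listener.
  hosts:
  - <domain>
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: public-domain-hairpin
  namespace: istio-system
spec:
  hosts:
  - <domain>
  # "mesh" binds this route to the sidecars only; the ingress gateway keeps
  # serving the routes Istio generates from the Ingress resources.
  gateways:
  - mesh
  http:
  - route:
    - destination:
        # Hand in-mesh requests for <domain> to the ingress gateway, so the
        # same Ingress rules, including the ACME solver path, apply to them.
        host: istio-ingressgateway.istio-system.svc.cluster.local
        port:
          number: 80
```

The Host header is preserved on the hop to the gateway, which is what lets the solver Ingress for `<domain>` match the self-check request.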