Ingress for ACME-challenge not working (404)

Hello,

We are running Istio 1.1.3 on 1.12.5-gke.10 cluster-nodes.

We use certmanager for managing our let’s encrypt certificates.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: certs.ourdomain.nl
  namespace: istio-system
spec:
  secretName: certs.ourdomain.nl
  newBefore: 360h # 15d
  commonName: operations.ourdomain.nl
  dnsNames:
    - operations.ourdomain.nl
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  acme:
    config:
      - http01:
          ingressClass: istio
        domains:
        - operations.ourdomain.nl

Next thing we see the acme backend, service (nodeport and ingress) deployed. The ingress (auto-generated) looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  generateName: cm-acme-http-solver-
  generation: 1
  labels:
    certmanager.k8s.io/acme-http-domain: "1734084804"
    certmanager.k8s.io/acme-http-token: "1476005735"
  name: cm-acme-http-solver-69vzw
  namespace: istio-system
  ownerReferences:
  - apiVersion: certmanager.k8s.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Certificate
    name: certs.ourdomain.nl
    uid: 751011d2-4fc8-11e9-b20e-42010aa40101
spec:
  rules:
  - host: operations.ourdomain.nl
    http:
      paths:
      - backend:
          serviceName: cm-acme-http-solver-fzk8q
          servicePort: 8089
        path: /.well-known/acme-challenge/dnrcr-LRRMdXhBaUefjqpHQx8ytYuk-feEfXu9gW-Ck
status:
  loadBalancer: {}

However, when we try to access the url operations.ourdomain.nl /.well-known/acme-challenge/dnrcr-LRRMdXhBaUefjqpHQx8ytYuk-feEfXu9gW-Ck we get a 404.

We do have a loadbalancer for istio:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  labels:
    app: istio-ingress
    chart: gateways-1.1.0
    heritage: Tiller
    istio: ingress
    release: istio
  name: istio-ingress
  namespace: istio-system
spec:
  selector:
    app: istio-ingress
  servers:
  - hosts:
    - operations.ourdomain.nl
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - operations.ourdomain.nl
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: certs.ourdomain.nl
      mode: SIMPLE
      privateKey: sds
     serverCertificate: sds

What’s going on? Why isn’t the ingress routing the inbound trafic? Any help would be more than welcom!

1 Like

Hello,

Are the 404’s showing up in the ingress-gateway logs?

I assume you are doing something like in the example: https://istio.io/docs/examples/advanced-gateways/ingress-certmgr/. If so, did HTTP work?

In the istio ingress (docker.io/istio/node-agent-k8s:1.1.3) I do get some interesting logs:

warn Secret object: letsencrypt has empty field, skip update
warn Secret object: letsencrypt-staging has empty field, skip update
“GET /.well-known/acme-challenge/WWVTqAHf89uqumxI02ti1I_GGhBE7B2QbfoZJIltZGI HTTP/1.1” 301 - “-” 0 0 0 - “10.16.20.1” “Go-http-client/1.1” “ff8e9880-c017-4f39-a893-d4c30b5da0b2” “operations.ourdomain.nl” “-” - - 10.16.20.167:80 10.16.20.1:43254 -
“GET /.well-known/acme-challenge/WWVTqAHf89uqumxI02ti1I_GGhBE7B2QbfoZJIltZGI HTTP/2” 404 NR “-” 0 0 0 - “10.16.20.1” “Go-http-client/2.0” “e6b2cf8e-ed8e-49b0-8dfa-ff407d3b366f” “operations.ourdomain.nl” “-” - - 10.16.20.167:443 10.16.20.1:54376 operations.ourdomain.nl

What is the empty field all about? It’s a line that comes around every 20 seconds or so.
The permanent redirect… what does it redirect to? Is it the permanent redirect to https? And what about the 404 with a http/2? More information, but also more questions :slight_smile:

When I do a curl the acme challenge url does a permanent redirect to https. So I guess my problem is that the ingressclass istio does not come before the istio-gateway… the gateway catches the request and because there is no corresponding virtualservice it throws a 404 back at you. More people should have a similar issue if this is the case.

Hi all,

if ones uses the gateway in ISTIO, the routing is managed by the virtual services, which extend the gateway.
The certmanager implements ingress.extension in the case of using the ISTIO as ingressclass.

Does anyone know how to get the Certmanage included in ISTIO working with the gateway?

Thanks in advance.
Greetings,
Jan

P.S.: Using ISTIO-1.1.3 in the IBM Cloud Kubernetes Service with 1.13.5-IKS

1 Like

Hi again,

helped me to get certmanager issuing a cert for four domains successfully using gateway and virtualservice againt letsencrypt-stage.

Best,
Jan

Hello, How about new version (1.1.7). In document (https://istio.io/docs/examples/advanced-gateways/ingress-certmgr/) the are using ingress resource but how about we want to use Gateway + VirtualService + http01.

Thanks!

2 Likes