Istio 1.13.3 and cert-manager v1.8.0 http01 challange is not working

Security
1

Hello,
I am having a hard time getting cert-manager solving http01 challenges via istio gateway:
My environment is EKS 1.21
I install helm packages via helmfile:

repositories:
  - name: jetstack
    url: https://charts.jetstack.io
  - name: istio
    url: https://istio-release.storage.googleapis.com/charts
  - name: incubator
    url: https://charts.helm.sh/incubator

releases:

  # Installs cert-manager for automatic certificate management
  - name: cert-manager
    chart: jetstack/cert-manager
    version: v1.8.0  # helm search repo jetstack --versions
    namespace: cert-manager
    createNamespace: true
    values:
      - installCRDs: true

  # Installs istio base components
  - name: istio-base
    chart: istio/base
    version: 1.13.3  # helm search repo istio --versions
    namespace: istio-system
    createNamespace: true

  # Installs istiod
  - name: istiod
    chart: istio/istiod
    version: 1.13.3  # helm search repo istio --versions
    namespace: istio-system
    createNamespace: true
    values:
      - meshConfig:
          accessLogFile: /dev/stdout

        # Installs istio-ingress
  - name: istio-ingress
    chart: istio/gateway
    version: 1.13.3  # helm search repo istio --versions
    namespace: istio-ingress
    createNamespace: true
    needs:
      - istio-system/istio-base
      - istio-system/istiod

then a manifest file to get a certificate from letsencrypt:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: v@soft.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
      - http01:
          ingress:
            class: istio
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: letsencrypt
  namespace: istio-system
spec:
  secretName: letsencrypt
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - "ubuntu20v4.my-domain.com"

In istiod logs I see that cm-acme-http-solver-v98gt-virtualservice and cm-acme-http-solver-grjb2-gateway are pushed for creating but the problem is that there is no VirtualSerive nor Gateway resources in cluster and chanllenges can not be resolved.

Istiod logs:

2022-05-20T15:46:33.469084Z	info	ads	Push debounce stable[10] 12 for config VirtualService/istio-system/cm-acme-http-solver-v98gt-virtualservice and 6 more configs: 100.868094ms since last change, 259.614582ms since last push, full=true
2022-05-20T16:09:23.216647Z	info	ads	Push debounce stable[17] 12 for config Gateway/istio-system/cm-acme-http-solver-grjb2-gateway and 6 more configs: 100.157351ms since last change, 210.249766ms since last push, full=true

~/git/dev-k8s-cluster master > kubectl get ingresses.networking.k8s.io --all-namespaces                                                                             node 16.15.0 kube microk8s-context 18:15:30
NAMESPACE      NAME                        CLASS    HOSTS                            ADDRESS   PORTS   AGE
istio-system   cm-acme-http-solver-dcjlt   <none>   ubuntu20v4.pretty-solution.com             80      2m57s
~/git/dev-k8s-cluster master > kubectl get virtualservices.networking.istio.io --all-namespaces                                                                     node 16.15.0 kube microk8s-context 19:12:20
No resources found
~/git/dev-k8s-cluster master > kubectl get gateways.networking.istio.io --all-namespaces                                                                            node 16.15.0 kube microk8s-context 19:12:29
No resources found
~/git/cortex-dev-k8s-cluster master >

I’d appreciate any help
Thanks!

2

hey, did you happen to solve this? I have my cert after deleting and creating it again though I get now: net::ERR_CERT_AUTHORITY_INVALID, any hint will be very much appreciated!