Trouble getting Cert-Manager and Istio to work in Scaleway

Hi all

I spent all day trying to get Cert-Manager to issue a certificate for my Gateway in my new Scaleway cluster. The challenge gets a “connection refused” and my cm-acme-ingress is stuck without an address (is that supposed to happen?). Would be amazing if someone could help me. This is the Ingress:

istio-system   cm-acme-http-solver-9hpzk   istio    test.grpc.nuntio.io                                               80        46m

Also, here is my setup:

Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Release.Name }}-istio-cert
  namespace: istio-system
spec:
  secretName: {{ .Release.Name }}-istio-cert
  issuerRef:
    name: {{ .Release.Name }}-istio-issuer
    kind: ClusterIssuer
  commonName: {{ .Values.certificate.commonName }}
  dnsNames:
  {{- range .Values.certificate.dnsNames }}
    - {{ . }}
  {{- end }}

Cluster issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: {{ .Release.Name }}-istio-issuer
spec:
  acme:
    # The ACME server URL
    server: {{ .Values.istioIssuer.server }}
    # Email address used for ACME registration
    email: {{ .Values.istioIssuer.email }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: {{ .Release.Name }}-istio-secret
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class:  istio

Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: {{ .Release.Name }}-gateway
  namespace: {{ .Release.Namespace | default "default" }}
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName:  {{ .Release.Name }}-istio-cert
      serverCertificate: "use sds" # random string, because serverCertificate and privateKey are required for tls.mode=SIMPLE
      privateKey: "use sds"
    hosts:
      {{- range .Values.certificate.dnsNames }}
      - {{ . }}
      {{- end }}

Virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs
  namespace: {{ .Release.Namespace | default "default" }}
spec:
  hosts:
    {{- range .Values.certificate.dnsNames }}
    - "{{ . }}"
    {{- end }}
  gateways:
    - {{ .Release.Name }}-gateway
  http:
  - match:
    - uri:
        prefix: /Nuntio.NuntioConnectPublicService/
    - uri:
        prefix: /grpc.reflection.v1alpha.ServerReflection/
    route:
      - destination:
          host: {{ .Release.Name }}-connect-public
          port:
            number: {{ .Values.nuntioConnectService.authClusterIp.port }}
          subset: v1
    corsPolicy:
      allowOrigin:
        - "*"
      allowMethods:
        - POST
        - GET
        - OPTIONS
        - PUT
        - DELETE
      allowHeaders:
        - grpc-timeout
        - content-type
        - keep-alive
        - user-agent
        - cache-control
        - content-type
        - content-transfer-encoding
        - custom-header-1
        - x-accept-content-transfer-encoding
        - x-accept-response-streaming
        - x-grpc-web
        - x-user-agent
      maxAge: 1728s
      exposeHeaders:
        - custom-header-1
        - grpc-status
        - grpc-message
  - match:
    - uri:
        prefix: /Nuntio.NuntioDashboardService/
    route:
      - destination:
          host: {{ .Release.Name }}-dashboard
          port:
            number: {{ .Values.nuntioDashboardService.dashboardClusterIp.port }}
          subset: v1
    corsPolicy:
      allowOrigin:
        - "*"
      allowMethods:
        - POST
        - GET
        - OPTIONS
        - PUT
        - DELETE
      allowHeaders:
        - grpc-timeout
        - content-type
        - keep-alive
        - user-agent
        - cache-control
        - content-type
        - content-transfer-encoding
        - custom-header-1
        - x-accept-content-transfer-encoding
        - x-accept-response-streaming
        - x-grpc-web
        - x-user-agent
      maxAge: 1728s
      exposeHeaders:
        - custom-header-1
        - grpc-status
        - grpc-message

Thanks in advance. I really appreciate the help.

And I can reach the challenge neither from inside the cluster nor from outside…

What I am most in doubt about is why the ingress address is empty?