I'm attempting to use an ingressroute with a certificate from cert-manager, requested through an HTTP-01 challenge.

However, cert-manager is unable to complete the challenge. Traefik does not return keys when requesting /.well-known/acme-challenge/<key>; it instead just passes the request along to the service of the ingressroute.

This might seem like a cert-manager issue, but as cert-manager itself works and traefik is not allowing cert-manager to "intercept" the /.well-known/ requests, I feel like I'm misconfiguring something on the traefik side of things.

What am I doing wrong?
Relevant cert-manager logs:
"msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected \"<key>\" but got: Hostname: whoami-5f5c8f8... (truncated)" "dnsName"="domain.tld" "resource_kind"="Challenge" "resource_name"="domain.tld-fp6zf-278830947-122497719" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"
Ingressroute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wordpress-ingressroute
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-ingress
spec:
  entryPoints:
    - websecure # port 443
    - web # port 80
  routes:
    - match: Host(`domain.tld`) || Host(`www.domain.tld`)
      kind: Rule
      services:
        - name: whoami
          port: 80
          namespace: default
Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain.tld
  namespace: default
spec:
  dnsNames:
    - 'domain.tld'
    - 'www.domain.tld'
  secretName: domain.tld
  issuerRef:
    name: http-challenge
    kind: ClusterIssuer
ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: http-challenge
spec:
  acme:
    email: letsencrypt@email.tld
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: http-challenge-private-key
    solvers:
      - http01:
          ingress:
            class: traefik-ingress
            selector: {}