Error presenting challenge - Forbidden #64

Open
fmendez89 opened this issue Nov 18, 2021 · 3 comments

@fmendez89

Hi,
I'm getting this error on the Challenge object

Error presenting challenge: hetzner.acme.example.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "hetzner" in API group "acme.example.com" at the cluster scope

Am I missing something about permissions?

The configuration is this below:

apiVersion: v1
kind: Secret
metadata:
  name: hetzner-secret-app
type: Opaque
data:
  api-key: XXXXXXXBASE64XXXXX=
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-app
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging-app
    solvers:
      - dns01:
          webhook:
            groupName: acme.example.com
            solverName: hetzner
            config:
              secretName: hetzner-secret-app
              zoneName: example.com.
              apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-staging
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging-app
    kind: ClusterIssuer
  secretName: cert-staging

@deyaeddin
Owner

Hi @fmendez89
You can not use example.com, you need to use a real domain record.

@fmendez89
Author

I'm using my current domain, that was just for masking the real one.

Probably I will try again because I solved a problem I had with the CNI.

@3deep5me

same issue here:

  Warning  PresentError  15s (x3 over 20s)  cert-manager-challenges  Error presenting challenge: unable to get secret `cert-manager`; unable to get secret `dns-config/cert-manager`; secrets "dns-config" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner" cannot get resource "secrets" in API group "" in the namespace "cert-manager"

can-i test:

$ kubectl auth can-i get secrets --as=system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner
no

Could there be something wrong with the template rendering?
Are you open for a PR? Then I would investigate more.
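
Added example, not part of the thread or of the project's code: a small Python helper that parses the two "forbidden" messages quoted above into the denied subject, verb, resource and scope, then derives the matching `kubectl auth can-i` check (with the namespace and object name from the message) and the narrowest RBAC rule that would allow the request. The function names are hypothetical, and the sample strings are copied from the errors in this issue.

```python
import re

# Shape of the API server's RBAC denial text seen in both errors in this issue.
FORBIDDEN = re.compile(
    r'(?:"(?P<name>[^"]+)" is forbidden: )?'
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

def parse_forbidden(message):
    """Return the denied request as a dict, or None if this is not an RBAC denial."""
    m = FORBIDDEN.search(message)
    return m.groupdict() if m else None

def can_i_command(d):
    """Build the kubectl check for the same subject, verb, resource and scope."""
    target = d["resource"] + ("." + d["group"] if d["group"] else "")
    if d["name"]:
        target += "/" + d["name"]
    cmd = ["kubectl", "auth", "can-i", d["verb"], target, "--as=" + d["user"]]
    if d["namespace"]:
        # Without this flag the check runs against the current context's namespace.
        cmd.append("--namespace=" + d["namespace"])
    return " ".join(cmd)

def minimal_rule(d):
    """Return (kind, namespace, rule): the narrowest grant that allows the request."""
    kind = "Role" if d["namespace"] else "ClusterRole"
    rule = {"apiGroups": [d["group"]], "resources": [d["resource"]], "verbs": [d["verb"]]}
    if d["name"]:
        rule["resourceNames"] = [d["name"]]  # limit the grant to the one named object
    return kind, d["namespace"], rule

# Error strings copied from the two reports in this issue.
SAMPLES = [
    'Error presenting challenge: hetzner.acme.example.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "hetzner" in API group "acme.example.com" at the cluster scope',
    'Error presenting challenge: unable to get secret `cert-manager`; unable to get secret `dns-config/cert-manager`; secrets "dns-config" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner" cannot get resource "secrets" in API group "" in the namespace "cert-manager"',
]

if __name__ == "__main__":
    for text in SAMPLES:
        denied = parse_forbidden(text)
        print(can_i_command(denied))
        print(minimal_rule(denied))
```

The first message resolves to a cluster-scoped rule for the cert-manager service account on the solver's API group, the second to a namespaced rule for the webhook's service account on a single secret, so the two reports involve different subjects and different bindings.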
