404 - This service does not exist #15

Open
m4dm4rtig4n opened this issue Dec 1, 2021 · 12 comments

@m4dm4rtig4n

Hello,

For the past few minutes I have been getting this error:
OVH API call failed: GET /domain/zone/fr/status - Error 404: "This service does not exist"

Any idea why?

@m4dm4rtig4n

I have reset the cert-manager namespace and now I have this error message:
GET /domain/zone/fr/status - Error 400: "Invalid signature"

@m4dm4rtig4n

m4dm4rtig4n commented Dec 1, 2021

I don't understand why it is trying to make an API call with /domain/zone/fr/status
instead of my full domain /domain/zone/mydomain.fr/status :/

@lambda2

lambda2 commented Dec 5, 2021

Hello, I have the same problem.

@m4dm4rtig4n

@lambda2 The "Error 400: "Invalid signature"" is linked to an authentication (or rights) problem.
Personally, I solved that problem, but now I am getting the 404 again.

Which is not an error in itself, given that the API does return a 404 on the "/domain/zone/fr/status" calls.
Now, I would like to understand why cert-manager calls "/domain/zone/fr/status" instead of "/domain/zone/mydomain.fr/status".

Any idea, @baarde?

@lambda2

lambda2 commented Dec 7, 2021

@m4dm4rtig4n I still have the 404 issue, I didn't manage to get to the 400 one 😁

In my case, the error is OVH API call failed: GET /domain/zone/com/status - Error 404: "This service does not exist" instead of your GET /domain/zone/fr/status. Since my domain ends with a .com, I suppose it's a parsing/basename issue on the FQDN. Resetting the cert-manager namespace didn't solve the issue.

@m4dm4rtig4n

The 404 error is rather an evolution compared to the 400 (authentication problem), so on your side it is good (well, like for me).
Now we have to find out why the FQDN is not parsed correctly :/

@m4dm4rtig4n

m4dm4rtig4n commented Dec 9, 2021

@lambda2 I have posted directly on the cert-manager repository:
cert-manager/cert-manager#4651

@m4dm4rtig4n

In fact the problem does not come from the OVH webhook; I have the same problem with the HTTP-01 challenge:
Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'

@lambda2

lambda2 commented Dec 11, 2021

Oh, interesting!

@m4dm4rtig4n

@lambda2
Well, fed up with OVH, I switched my DNS management to Cloudflare and used the native mode of cert-manager.
Bye bye, OVH webhook.

@eburghar

I can confirm the bug. certbot generated the certificate correctly from the DNS01 challenge, so I'll manually insert the TLS secret into Kubernetes for now.

Somehow the ResolvedFQDN field of the ChallengeRequest received by the webhook service seems incomplete (it only gets the last part). Something has changed on the OVH side, because neither cert-manager nor the webhook changed in my setup and the last renewal was successful.

@eburghar

I finally took some time to track down the issue before the expiration of all my certificates. This was a DNS configuration error on my side. For those who also use OPNsense with Unbound DNS and a local zone with the same name as the remote (OVH) zone, be sure to select typetransparent as the local zone type. (Unbound NS/SOA records for private domains)

The symptom is that when you do

dig soa your.domain

You receive an empty response. That's why the last domain component was used as the OVH zone.
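
The failure mode described in the last comment, as an added example in Go (not code from cert-manager or the OVH webhook): a simplified model of SOA-based zone discovery, assumed here to walk the challenge FQDN label by label and take the first name that answers with an SOA record. `findZone`, `statusPath`, `resolver` and the sample names are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// soaLookup reports whether the resolver answers an SOA query for name.
type soaLookup func(name string) bool

// findZone returns the first name, from most specific to least, that has an SOA.
// Simplified model (assumption) of zone discovery, not cert-manager's own code.
func findZone(fqdn string, hasSOA soaLookup) (string, bool) {
	name := strings.TrimSuffix(fqdn, ".")
	for name != "" {
		if hasSOA(name) {
			return name, true
		}
		i := strings.Index(name, ".")
		if i < 0 {
			break
		}
		name = name[i+1:] // drop the leftmost label and try the parent
	}
	return "", false
}

// statusPath builds the OVH API path seen in the error messages above.
func statusPath(zone string) string {
	return "/domain/zone/" + zone + "/status"
}

// resolver returns a lookup backed by a constructed set of names that have an SOA.
func resolver(zones ...string) soaLookup {
	set := map[string]bool{}
	for _, z := range zones {
		set[z] = true
	}
	return func(name string) bool { return set[name] }
}

func main() {
	fqdn := "_acme-challenge.www.mydomain.fr."
	// Constructed resolvers: a healthy one, then one whose local zone hides the SOA.
	for _, r := range []soaLookup{resolver("fr", "mydomain.fr"), resolver("fr")} {
		zone, _ := findZone(fqdn, r)
		fmt.Println(statusPath(zone))
	}
}
```

With the second resolver the walk never sees an SOA for mydomain.fr and falls through to the TLD, which reproduces the /domain/zone/fr/status path from the original report.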
