Why doesn't my Let's Encrypt HTTP-01 Challenge work on bare-metal, but it works on Google Cloud? #12750

Open
EliasDeHondt opened this issue Jan 23, 2025 · 2 comments
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@EliasDeHondt

Can anyone help me figure out what might be going wrong? I can access the service, and Cert Manager's validation checks work without any issues when accessed via my browser. This suggests that the temporary ingress servers for validation are correctly configured. Interestingly, everything works perfectly in Google Cloud, but on bare metal, it doesn’t. Does anyone have any insights into this?

  • DNS configuration: OK
  • Metallb configuration: OK

cert-manager/cert-manager#7519

```yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    #server: https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected] # Not the email address I use :)
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/ssl-redirect: "false" # Redirect HTTP to HTTPS
spec:
  ingressClassName: nginx
  tls:
    - hosts:
      - eliasdh.com
      secretName: eliasdh-tls
    - hosts:
      - www.eliasdh.com
      secretName: wwweliasdh-tls
  rules:
    - host: eliasdh.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webserver001-service
                port:
                  number: 80
    - host: www.eliasdh.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webserver001-service
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: webserver001-service
spec:
  selector:
    app: webserver001
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webserver001-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: webserver001
  template:
    metadata:
      labels:
        app: webserver001
    spec:
      containers:
        - name: webserver001-container
          image: "ghcr.io/eliasdh-com/eliasdhcom-frontend:latest"
          ports:
          - containerPort: 8080
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
---
```
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 23, 2025
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Jan 23, 2025
@longwuyuan
Contributor

You have posted some selected info as per your opinion, but what is required is the answer to the questions asked in a new issue template.

Without data, the comments, if any, will be based on guesswork. The project does not have an action item here as there is no reproducible problem with the ingress-nginx controller being described, so maybe provide info or ask in metallb/cert-manager forums.
