Currently, we automatically redirect from port 80 to 443. That causes HTTP01 cert-manager challenges to fail if client CA is configured.
This is unfortunately non-trivial to change, as all routes are configured in the listener on port 443, while port 80 is doing just redirects.
Unfortunately there's no way to disable the client cert request just for the HTTP01 challenges, as this is configured per port (443) and as such, HTTP01 challenges are fundamentally incompatible with mTLS. You have to use a different cert-manager Issuer challenge type, such as DNS.
Wouldn't it be possible to disable the https redirect on port 80 for the ACME challenge routes? That way we circumvent the problem entirely.
EDIT: Background info: Let's Encrypt verifies the challenges using plaintext requests but follows redirects.
Originally posted by @andsens in #697 (comment)
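As an added example (not code from this issue or from the project), here is a minimal plaintext port-80 handler shaped like the proposal above: requests under /.well-known/acme-challenge/ are answered directly so the CA's plaintext validation never hits the client-cert-requiring 443 listener, while every other path keeps the HTTPS redirect. The hostname, the token table and the use of port 8080 instead of 80 are constructed for the example.

```python
# Added example (not from the issue or the project): a minimal port-80
# handler that exempts ACME HTTP-01 challenge paths from the HTTPS redirect,
# so the CA's plaintext validation request is answered directly instead of
# being bounced to a 443 listener that demands a client certificate.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
HTTPS_HOST = "example.internal"  # assumed hostname of the 443 listener

# Constructed token -> keyAuthorization pairs; in a real setup the ACME
# client (cert-manager) would provision these, not a static dict.
CHALLENGES = {"tokenA": "tokenA.constructed-key-thumbprint"}


def route(path: str, challenges=CHALLENGES, https_host=HTTPS_HOST):
    """Decide how the port-80 listener answers a request.

    Returns (status, payload): for 301 the payload is the Location header,
    otherwise it is the plaintext body. Only challenge paths are served
    in the clear; everything else keeps the redirect to HTTPS.
    """
    clean = urlsplit(path).path  # ignore any query string when matching
    if clean.startswith(ACME_PREFIX):
        token = clean[len(ACME_PREFIX):]
        if "/" in token or token not in challenges:
            return 404, "unknown challenge"
        return 200, challenges[token]
    return 301, f"https://{https_host}{path}"


class PlainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, payload = route(self.path)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", payload)
            self.end_headers()
        else:
            body = payload.encode()
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)


if __name__ == "__main__":
    # 8080 is used here only to avoid needing privileges for port 80.
    HTTPServer(("127.0.0.1", 8080), PlainHandler).serve_forever()
```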