403 Forbidden
Closed this issue · 1 comments
chrisabrams commented
I've confirmed the credentials file is mounted inside the pod. I have even raised the permissions of the GCP service account to Editor for the whole project, just to see if that would fix the issue. It did not.
{"@timestamp":"2017-10-12T23:00:47.800+00:00","@version":1,"message":"Service gateway requesting certificates: [app.ditto.network]","logger_name":"in.tazj.k8s.letsencrypt.kubernetes.ServiceManager","thread_name":"Thread-7","level":"INFO","level_value":20000}
{"@timestamp":"2017-10-12T23:00:49.237+00:00","@version":1,"message":"Using existing ACME user: https://acme-v01.api.letsencrypt.org/acme/reg/22620325","logger_name":"in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler","thread_name":"Thread-7","level":"INFO","level_value":20000}
{"@timestamp":"2017-10-12T23:00:50.146+00:00","@version":1,"message":"Issuing new challenge for app.ditto.network","logger_name":"in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler","thread_name":"Thread-7","level":"INFO","level_value":20000}
Exception in thread "Thread-7" com.google.cloud.dns.DnsException: Forbidden
at com.google.cloud.dns.spi.DefaultDnsRpc.translate(DefaultDnsRpc.java:183)
at com.google.cloud.dns.spi.DefaultDnsRpc.listZones(DefaultDnsRpc.java:244)
at com.google.cloud.dns.DnsImpl$2.call(DnsImpl.java:154)
at com.google.cloud.dns.DnsImpl$2.call(DnsImpl.java:151)
at com.google.cloud.RetryHelper.doRetry(RetryHelper.java:179)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:244)
at com.google.cloud.dns.DnsImpl.listZones(DnsImpl.java:150)
at com.google.cloud.dns.DnsImpl.listZones(DnsImpl.java:142)
at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.fetchMatchingZones(CloudDnsResponder.kt:112)
at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.findMatchingZone(CloudDnsResponder.kt:95)
at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.updateCloudDnsRecord(CloudDnsResponder.kt:55)
at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.addChallengeRecord(CloudDnsResponder.kt:26)
at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.prepareDnsChallenge(CertificateRequestHandler.kt:176)
at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.authorizeDomain(CertificateRequestHandler.kt:77)
at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.access$authorizeDomain(CertificateRequestHandler.kt:27)
at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:41)
at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:27)
at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
at java.util.Collections$2.tryAdvance(Collections.java:4717)
at java.util.Collections$2.forEachRemaining(Collections.java:4725)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.ForEachOps$ForEachTask.compute(ForEachOps.java:291)
at java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:731)
at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
at java.util.concurrent.ForkJoinTask.doInvoke(ForkJoinTask.java:401)
at java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:734)
at java.util.stream.ForEachOps$ForEachOp.evaluateParallel(ForEachOps.java:160)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateParallel(ForEachOps.java:174)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)
at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:583)
at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.requestCertificate(CertificateRequestHandler.kt:41)
at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.handleCertificateRequest(ServiceManager.kt:64)
at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.access$handleCertificateRequest(ServiceManager.kt:20)
at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager$reconcileService$1.run(ServiceManager.kt:45)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Forbidden",
"reason" : "forbidden"
} ],
"message" : "Forbidden"
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:145)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:321)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1056)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.google.cloud.dns.spi.DefaultDnsRpc.listZones(DefaultDnsRpc.java:241)
... 34 more
chrisabrams commented
Very odd, I have two certificates with the same permissions. One worked, the other didn't :O