tazjin/kubernetes-letsencrypt

403 Forbidden


I've confirmed that the credentials file is mounted inside the pod. I have even raised the permissions of the GCP service account to Editor for the whole project, just to see whether that would fix the issue. It did not.

{"@timestamp":"2017-10-12T23:00:47.800+00:00","@version":1,"message":"Service gateway requesting certificates: [app.ditto.network]","logger_name":"in.tazj.k8s.letsencrypt.kubernetes.ServiceManager","thread_name":"Thread-7","level":"INFO","level_value":20000}
{"@timestamp":"2017-10-12T23:00:49.237+00:00","@version":1,"message":"Using existing ACME user: https://acme-v01.api.letsencrypt.org/acme/reg/22620325","logger_name":"in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler","thread_name":"Thread-7","level":"INFO","level_value":20000}
{"@timestamp":"2017-10-12T23:00:50.146+00:00","@version":1,"message":"Issuing new challenge for app.ditto.network","logger_name":"in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler","thread_name":"Thread-7","level":"INFO","level_value":20000}
Exception in thread "Thread-7" com.google.cloud.dns.DnsException: Forbidden
	at com.google.cloud.dns.spi.DefaultDnsRpc.translate(DefaultDnsRpc.java:183)
	at com.google.cloud.dns.spi.DefaultDnsRpc.listZones(DefaultDnsRpc.java:244)
	at com.google.cloud.dns.DnsImpl$2.call(DnsImpl.java:154)
	at com.google.cloud.dns.DnsImpl$2.call(DnsImpl.java:151)
	at com.google.cloud.RetryHelper.doRetry(RetryHelper.java:179)
	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:244)
	at com.google.cloud.dns.DnsImpl.listZones(DnsImpl.java:150)
	at com.google.cloud.dns.DnsImpl.listZones(DnsImpl.java:142)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.fetchMatchingZones(CloudDnsResponder.kt:112)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.findMatchingZone(CloudDnsResponder.kt:95)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.updateCloudDnsRecord(CloudDnsResponder.kt:55)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.addChallengeRecord(CloudDnsResponder.kt:26)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.prepareDnsChallenge(CertificateRequestHandler.kt:176)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.authorizeDomain(CertificateRequestHandler.kt:77)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.access$authorizeDomain(CertificateRequestHandler.kt:27)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:41)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:27)
	at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
	at java.util.Collections$2.tryAdvance(Collections.java:4717)
	at java.util.Collections$2.forEachRemaining(Collections.java:4725)
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
	at java.util.stream.ForEachOps$ForEachTask.compute(ForEachOps.java:291)
	at java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:731)
	at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
	at java.util.concurrent.ForkJoinTask.doInvoke(ForkJoinTask.java:401)
	at java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:734)
	at java.util.stream.ForEachOps$ForEachOp.evaluateParallel(ForEachOps.java:160)
	at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateParallel(ForEachOps.java:174)
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)
	at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
	at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:583)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.requestCertificate(CertificateRequestHandler.kt:41)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.handleCertificateRequest(ServiceManager.kt:64)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.access$handleCertificateRequest(ServiceManager.kt:20)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager$reconcileService$1.run(ServiceManager.kt:45)
	at java.lang.Thread.run(Thread.java:745)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Forbidden",
    "reason" : "forbidden"
  } ],
  "message" : "Forbidden"
}
	at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:145)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:321)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1056)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
	at com.google.cloud.dns.spi.DefaultDnsRpc.listZones(DefaultDnsRpc.java:241)
	... 34 more

Very odd: I have two certificates with the same permissions. One worked, the other didn't :O