I have a problem during the installation of an Issuer inside GKE. I followed this guide: https://cert-manager.io/docs/tutorials/acme/nginx-ingress/#step-5---deploy-cert-manager.

My steps were:

  1. Created an Autopilot cluster via the Google Cloud Console
  2. Installed the nginx ingress controller via Helm (https://cert-manager.io/docs/tutorials/acme/nginx-ingress/#step-2---deploy-the-nginx-ingress-controller)
  3. Read the EXTERNAL-IP from the service "quickstart-ingress-nginx-controller"
  4. Put that IP in the A record in the DNS zone of my domain (bought via register.it)
  5. Successfully deployed the kuard deployment, service and ingress

After this I tried to install cert-manager in two ways:

  1. The first way was with Helm, following this guide, but I received the error: Error: INSTALLATION FAILED: failed post-install: timed out waiting for the condition
  2. Then I tried installing cert-manager via kubectl using this guide (kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml) and everything was okay

After all that I created the file issuer.yaml:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx

and ran kubectl apply -f issuer.yaml and received the following error:

Error from server (InternalError): error when creating "issuer.yaml":
Internal error occurred: failed calling webhook "webhook.cert-manager.io":
failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s":
tls: failed to verify certificate: x509: certificate signed by unknown authority

I followed the guide step by step; am I missing something?

EDIT 27/11/2023

I created a non-Autopilot cluster on GKE and everything seems to work OK; the problem is that I need an Autopilot cluster and not a classical one.

BEST ANSWER

Finally I found that the problem was the Autopilot cluster; for a mechanism that I don't know, the nginx controller plus cert-manager with Let's Encrypt and the Autopilot cluster do not work together.

I created an Autopilot cluster and a GCE ingress, and for the certificate I'm now using a managed certificate created by Google.

SECOND ANSWER

This is due to the API server being unable to verify the authenticity of the cert-manager webhook's certificate.

If your cert-manager webhook is using a self-signed certificate, add the certificate to the API server's trusted CA bundle. You can also obtain a certificate from a trusted CA and configure the cert-manager webhook to use the new certificate.

Also make sure that the cert-manager webhook is running and that port 443 is open on the pod:

kubectl get pods -n cert-manager

For additional info, see document 1 & document 2.
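The check the second answer describes is the one kube-apiserver (a Go program) performs when it dials the webhook: it trusts only the caBundle field of the cert-manager-webhook Validating/MutatingWebhookConfiguration, which cainjector fills from the cert-manager-webhook-ca Secret in the cert-manager namespace, and verifies the webhook's serving certificate for the Service hostname in the question's error. The program below is an added example, not code from the question, either answer, or cert-manager itself; it reproduces that verification offline with a constructed CA and serving certificate, once with a caBundle that matches the issuing CA and once with a stale, unrelated CA, so you can see that the second case produces exactly the "x509: certificate signed by unknown authority" error from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hostname the API server dials, taken from the error in the question.
const webhookHost = "cert-manager-webhook.cert-manager.svc"

// newCA builds a self-signed CA. This is constructed test material standing in
// for the CA cert-manager keeps in the cert-manager-webhook-ca Secret.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServingCert issues a PEM serving certificate for the webhook Service name, signed by ca.
func newServingCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: webhookHost},
		DNSNames:     []string{webhookHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func pemOf(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// VerifyAgainstBundle repeats what kube-apiserver does before POSTing to the
// webhook: trust only the caBundle and verify the serving cert for the hostname.
func VerifyAgainstBundle(caBundlePEM, servingPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundlePEM) {
		return errors.New("caBundle contains no parseable certificate")
	}
	block, _ := pem.Decode(servingPEM)
	if block == nil {
		return errors.New("serving certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   webhookHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the exact failure shown in the question.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Scenario verifies the same serving cert against the CA that issued it and
// against a stale CA (what a caBundle looks like when cainjector never updated it).
func Scenario() (matched, stale error) {
	ca, caKey, err := newCA("cert-manager-webhook-ca")
	if err != nil {
		return err, err
	}
	staleCA, _, err := newCA("stale-webhook-ca")
	if err != nil {
		return err, err
	}
	serving, err := newServingCert(ca, caKey)
	if err != nil {
		return err, err
	}
	return VerifyAgainstBundle(pemOf(ca), serving), VerifyAgainstBundle(pemOf(staleCA), serving)
}

func main() {
	matched, stale := Scenario()
	fmt.Println("matching caBundle:", matched) // <nil>
	fmt.Println("stale caBundle:   ", stale)   // x509: certificate signed by unknown authority
}
```

To run the same comparison against a live cluster (commands are my suggestion, assuming cert-manager's default manifests), pull the two inputs with kubectl get mutatingwebhookconfiguration cert-manager-webhook -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d and kubectl -n cert-manager get secret cert-manager-webhook-ca -o jsonpath='{.data.ca\.crt}' | base64 -d, and feed them to openssl x509 -noout -subject -dates; if the two differ, or the caBundle is empty, check that the cert-manager-cainjector pod is running and read its logs, because the API server's trust anchor is that injected bundle, not its own CA store.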