gandi.acme.molnett.net is forbidden #3

Closed
thatguyatgithub opened this issue Apr 8, 2024 · 3 comments

thatguyatgithub commented Apr 8, 2024

On a fresh installation, closely following the steps in the README, the plugin got stuck at this:

I0408 18:33:11.036144       1 dns.go:88] "presenting DNS01 challenge for domain" logger="cert-manager.challenges.Present" resource_name="wildcard-cert-1-2779278163-3683114198" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="{REQUESTED_DOMAIN_HERE}" type="DNS-01" resource_name="wildcard-cert-1-2779278163-3683114198" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="{REQUESTED_DOMAIN_HERE}"
E0408 18:33:11.037813       1 controller.go:167] "re-queuing item due to error processing" err="gandi.acme.molnett.net is forbidden: User \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"gandi\" in API group \"acme.molnett.net\" at the cluster scope" logger="cert-manager.challenges" key="default/wildcard-cert-1-2779278163-3683114198"

More info:

kubectl describe challenge wildcard-cert-1-UUID
Name:         wildcard-cert-1-UUID
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge
Metadata:
 {...}
Spec:
  Authorization URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/egefefefefefefef
  Dns Name:           {REQUESTED_DOMAIN_HERE}
  Issuer Ref:
    Kind:  Issuer
    Name:  letsencrypt-staging
  Key:     OJOEFJEOFJEOFJEOFJEOFJEOFJEOFJEF
  Solver:
    dns01:
      Cname Strategy:  Follow
      Webhook:
        Config:
          API Key Secret Ref:
            Key:        api-token
            Name:       gandi-credentials
          Root Domain:  
        Group Name:     acme.molnett.net
        Solver Name:    gandi
  Token:                ZZZZZZZZZZ
  Type:                 DNS-01
  URL:                  https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/ZZZZZZZZ
  Wildcard:             true
Status:
  Presented:   false
  Processing:  true
  Reason:      gandi.acme.molnett.net is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "gandi" in API group "acme.molnett.net" at the cluster scope
  State:       pending
Events:
  Type     Reason        Age                  From                     Message
  ----     ------        ----                 ----                     -------
  Normal   Started       4m5s                 cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  100s (x6 over 4m5s)  cert-manager-challenges  Error presenting challenge: gandi.acme.molnett.net is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "gandi" in API group "acme.molnett.net" at the cluster scope


guy0090 commented Apr 22, 2024

In case you're still having this issue, make sure you're setting groupName in the chart values and the issuer.

@goldyfruit

> In case you're still having this issue, make sure you're setting groupName in the chart values and the issuer.

This was the reason. Maybe the values.yaml should be updated to reflect this change.

@bittermandel
Contributor

This should be fixed after merging #5. Thanks for notifying us!
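
The groupName mismatch discussed in this thread, as an added example that is not part of the original issue or the project's code: a small offline check that evaluates RBAC rules against the webhook solver an Issuer references and reports which solvers would hit the "is forbidden" error. The ClusterRole and binding shapes, the role name `gandi-webhook:domain-solver`, and the group `acme.example.test` are constructed assumptions; only `acme.molnett.net`, `gandi` and the service account come from the logs above.

```python
# Added example: constructed manifests, not this project's chart output.
SA = {"kind": "ServiceAccount", "name": "cert-manager", "namespace": "cert-manager"}

def webhook_solvers(issuer):
    """Yield (groupName, solverName) for each DNS-01 webhook solver of an Issuer."""
    for solver in issuer["spec"]["acme"].get("solvers", []):
        hook = solver.get("dns01", {}).get("webhook")
        if hook:
            yield hook["groupName"], hook["solverName"]

def rule_allows(rule, group, resource, verb):
    """RBAC rule match; "*" is a wildcard in apiGroups, resources and verbs."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def denied_solvers(issuer, cluster_roles, bindings, subject=SA):
    """Return (group, solver) pairs the subject may not create at cluster scope.
    Simplification: only direct ServiceAccount subjects are matched, not groups."""
    bound = {b["roleRef"]["name"] for b in bindings
             if b["roleRef"]["kind"] == "ClusterRole" and subject in b.get("subjects", [])}
    rules = [r for cr in cluster_roles if cr["metadata"]["name"] in bound
             for r in cr.get("rules", [])]
    return [(g, s) for g, s in webhook_solvers(issuer)
            if not any(rule_allows(r, g, s, "create") for r in rules)]

def solver_role(group):
    """Hypothetical ClusterRole a webhook chart renders from its groupName value."""
    return {"metadata": {"name": "gandi-webhook:domain-solver"},
            "rules": [{"apiGroups": [group], "resources": ["*"], "verbs": ["create"]}]}

# Constructed Issuer fragment using the group and solver names from the logs.
ISSUER = {"spec": {"acme": {"solvers": [{"dns01": {"webhook": {
    "groupName": "acme.molnett.net", "solverName": "gandi"}}}]}}}
BINDING = {"roleRef": {"kind": "ClusterRole", "name": "gandi-webhook:domain-solver"},
           "subjects": [SA]}

if __name__ == "__main__":
    # Chart groupName differs from the Issuer's (placeholder value): denied.
    print(denied_solvers(ISSUER, [solver_role("acme.example.test")], [BINDING]))
    # Chart groupName matches the Issuer's: nothing denied.
    print(denied_solvers(ISSUER, [solver_role("acme.molnett.net")], [BINDING]))
```

On a live cluster, `kubectl auth can-i create gandi.acme.molnett.net --as=system:serviceaccount:cert-manager:cert-manager` asks the API server the same question.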
