Having the following k8s config:
---
kind: Namespace
apiVersion: v1
metadata:
name: test
labels:
name: test
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: test
name: test-depl
spec:
selector:
matchLabels:
app: test-app
template:
metadata:
labels:
app: test-app
spec:
containers:
- name: test-app
image: jfsanchez91/http-test-server
---
apiVersion: v1
kind: Service
metadata:
namespace: test
name: test-svc
spec:
selector:
app: test-app
ports:
- name: test-app
protocol: TCP
port: 80
targetPort: 8090
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
namespace: test
name: letsencrypt-cert-issuer-test-staging
spec:
acme:
email: email#example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-cert-issuer-test-staging
solvers:
- http01:
ingress:
class: public
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
namespace: test
name: letsencrypt-cert-issuer-test-prod
spec:
acme:
email: email#example.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-cert-issuer-test-prod
solvers:
- http01:
ingress:
class: public
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: test
name: ingress-routes
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-cert-issuer-test-prod"
spec:
tls:
- hosts:
- test.example.com
secretName: tls-secret
rules:
- host: test.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-svc
port:
number: 80
The Let's Encrypt certificate is being issued and stored in tls-secret correctly.
But then when I try to open test.example.com I get an invalid certificate (the K8s default certificate) NET::ERR_CERT_AUTHORITY_INVALID.
Common Name (CN): Kubernetes Ingress Controller Fake Certificate
Organization (O): Acme Co
Q: How can I configure Ingress correctly to use the Let's Encrypt certificate?
Q: Is there anything else I should configure?
UPDATE: tls-secret type (kubernetes.io/tls):
$ kubectl -n test describe secrets tls-secret
Name: tls-secret
Namespace: test
Labels: <none>
Annotations: cert-manager.io/alt-names: test.example.com
cert-manager.io/certificate-name: tls-secret
cert-manager.io/common-name: test.example.com
cert-manager.io/ip-sans:
cert-manager.io/issuer-group: cert-manager.io
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: letsencrypt-cert-issuer-test-prod
cert-manager.io/uri-sans:
Type: kubernetes.io/tls
Data
====
tls.key: 1679 bytes
tls.crt: 5599 bytes
I'd recommand setting the certificate your self in order to have more control on subdomains to include and renewal policy
kubectl -n $NAMESPACE apply -f certificate.yaml
For example, for a DNS hosted on Azure DNS zone
#certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cert-wildcard
spec:
duration: 2160h # 90d
renewBefore: 360h # 15d
secretName: cert-wildcard
issuerRef: #from issuer.yaml
name: letsencrypt-prod
kind: ClusterIssuer
commonName: domain.com # go to domaine, go to certificate, go to Details, go to Common Name
dnsNames: #list of all different domains associeted with the certificate
- domain.com
- sub.domain.com
acme:
config:
- dns01:
provider: azure-dns
domains:
- domain.com
- sub.domain.com
Related
I don't undestand why i can't get certificates on K8S using cert-manager
I installed cert-manager : https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
I created ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: user#example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- http01:
ingress:
class: nginx
I created ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
rules:
- host: mytest.example.fr
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: webapp
port:
number: 80
tls:
- hosts:
- mytest.example.fr
secretName: letsencrypt-staging
But when i try to get an certificate i get 'no resources found'
Any idea ?
Thank you for your help
If you don't want to create kind certificate you can use
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh#example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
.
. #Path and service configs
.
.
tls:
- hosts:
- sub.example.com
secretName: secret-name
ingress will call clusterisser and it will auto-create certificate for you.
Update ingress resources as per need if you are higher version 1.18 or above
Notes
Make sure you are using the URL https://acme-v02.api.letsencrypt.org/directory in clusterissue or else you will get fake certificate in browser.
For refrence you can read more here :
https://stackoverflow.com/a/55183209/5525824
Make sure also you ingress pointing to proper clusterissuer if
you have created new.
Also don't use same privateKeySecretRef:name: secret-name you
need to delete it or use the new name as fake certificate
now stored in that secret so.
Certificates are not created automatically by cert-manager.
You have to create a YAML yourself. And use the issuer name that you have already created
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-certificate
namespace: default
spec:
secretName: set-a-new-name-here
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
commonName: mytest.example.fr
dnsNames:
- mytest.example.fr
I followed this tutorial to serve a basic application using the NGINX Ingrss Controller, and cert-manager with letsencrypt.
I am able to visit the website, but the SSL certificate is broken, saying Issued By: (STAGING) Artificial Apricot R3.
This is my ClusterIssuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
namespace: cert-manager
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: my-email#example.com
privateKeySecretRef:
name: letsencrypt-issuer
solvers:
- http01:
ingress:
class: nginx
And the Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-app-ingress-dev
namespace: my-app
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
spec:
tls:
- secretName: echo-tls
hosts:
- my-app.example.com
rules:
- host: my-app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app-dev
port:
number: 80
LetsEncrypt staging is for testing, and does not issue certificates that are trusted by browsers. Use the production LE URL instead https://acme-v02.api.letsencrypt.org/directory
I am attempting to get cert-manager working with Let's Encrypt and I am running into some interesting errors, such as cert-manager not being able to access resources. I am also seeing two certificates and two certificaterequests when I would only expect one. I've attached some pictures of logging and output from the certs and cert requests. I've tried quite a few adjustments but I seem to be spinning my wheels. Any help is greatly appreciated!
---
kind: Secret
apiVersion: v1
metadata:
name: coreyperkinsdev-production-clusterissuer-acme
namespace: default
data:
coreyperkinsdevacmedns.json: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdEx3U3hZcVRzTWpuejZrVytUWVl5cDh1cFRaZkFWc1U1bGQvZzE4aXJ6T1pwaEZyCkRwdnJ5TkhLam9CMWJ2TjNtdDM0VkxWK2JQM3NHZEJCSW83MEVoTzl3VS83TVRDZVJScGtISmlCYzc3dUJRUGgKTjVaalZUM0lEOEIyUzZTOWFONWVMNUhaWHYrbExhd0pjUEdVYUtlcVpmVG1XTVVHOFFHTTJtK1pJWGNNY1dyUwpRZ1hSSnM5anUzQndsWGZGR1hOeGJ6SnlyL3ZKZkwrVkU4Y09YN1h0WlBtQ3BjWEd2TVUzQ3BuaTJJYTJiUmxJClFvb0w3N2I4SWJDTm12VVM3Y3U3c2J3cTRVbUJUaWRUYVU3UFRtQjJuMXZRTm9uZjllRVRkSDkwYkpURFFadDQKRURaa0kzeU1QbXl5NU5tV3poOEViVGFSQ2VjU05PM2ZkSHNQQndJREFRQUJBb0lCQUZ6T2VzRXZjTG1GNE90VQpnN1NDMytZa0tYcXkyY1JEZGc3MS9VZURjYmNQd3lWd3FrMjlLUzFjOVN1SnNVUEJCN2pocEtReThuR2JUa0xQCkdyTlpQdUdOZTVJcHRPNUViZkZFSlFZK0ZiTk81c0J5aHBMWnliWTYzR0dpVGR4NEFyODMrSnRxeEhrd3d5d1oKdkZ0ZjRmcC9wbE5tbDJZYi9uMkJjMGV6cUtseXNHbzZDL3IxdmRZZ0RqTEtzT1I0MTF4WS8rN0xuS2JBQWpVcApoQTRseG5LaFpjMzZONmFjQVowdGZPL1FzcXpqNWRsQTduMlgvQ1lSRkxXdjZML09PdHZlWlZCeGtqT0xQL3hxClhKZXJjSE0vMmN2YVZtbzVTM2ltRlNWNkxKeEF4UW10T1E4NUdTVHRXMWVIQUsrQldXL000eHdUM0NPcUx1aDIKSXdQcUlha0NnWUVBMWRxRkc5N3NQZE80bUFPdUcyWUJ5VkpnWXhrYzBvK0trTm1ITXc4YkJDanpZdXJDaTVFUAptZkFJV25DYUxQaSsrSE9FbXF3M0RVY1lMOFVWcHJkMkpBVG96VVFWcXBJbHUzQ3RzenVicGF6Rk9pUVBRVHZwCnp1dmNEMFpHeStsNE9OK2lYdllQQVBzbGQreHYzcFQxOWRsWFBVRGJYUHNvRXFsZ0V3bDNsN1VDZ1lFQTJGcWQKbExJSVlwWlVIUjFJbTI5c1J6Y2RyRjNjd21pd1lnVEVmT09QVVpwY05TVnkvc1hmOFkveEFkWHo2bkVsaGhXMApxUGtzbHJjdm9XM29DcXF4dElwQ3JCcUxWTjg4azFHZjNjUFRJR1FkeDh5ajVKdDJtbFRpU3Eyc3kxMUpUa3FPCmVzdk0wS1ZJT0lQMm11dXVaeFNpNEgxakE1Nlp2QXI2cnFMVFNVc0NnWUEwaVM1U0huMmk0clJpZytUdHppMTYKSzhhS0VjMUczUVNKZVNjQm9DQmU4VUI1ZUhxNmxyUmllTmxVZm4waHR5b1RGeTNvWVk1VXNMWjhaY3BmM29vagpaeUZaNi9QMnAxaWxwNVRFaDB4QmN5UXdtRk0zRDJUczlIeG5ORGlJTjU3Vk9mdEZvT1VtdEl3TDNnWE5oSUs0CkZ1Q2JwNmM4UEdjbnpueFBzTyswVVFLQmdISE0rQ1pHbnZKOGNESUFQVGpGR3djNmpua2p4Z0xjWGlxd3AwbXAKeUxEN3FKU3I1aGpzckNhN3QrRm5VSzE0Wm14bzdtWVM2c2s4QWVtL2pkWk9ncnFjSHdXMzBLSUw2aWp6UGt1Lwp2VVhFWTRXOHRsaUJEWm1RSEpkN1V2Q0ZXUkc5VmNSeGZvSWc3aVFNQmFMblpRMERaY2ovS3gyMFJ0a0tUV0dlCmM5U1JBb0dCQUpZY1hpU3RRNkVyM0xqeit2TTUzN05NdENIVFdBZ05yZzM0ZWdYMzJyZVZZdkd5amhKYk1yaEwKSkxxT0U5NmE3OUJZbDRyZERoNUliL1psUmhOUUpleENrRVFLUm12QmkwVHFUZ21EZmhxa3plOVRKTllRbndBRApHMU5xL0VaN2RCQ3gvcmlhbTRxUktxc0FwWDhWcjc3NGFKSCsvcFBuZ0xucHI3emFib0hyCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdEx3U3hZcVRzTWpuejZrVytUWVl5cDh1cFRaZkFWc1U1bGQvZzE4aXJ6T1pwaEZyCkRwdnJ5TkhLam9CMWJ2TjNtdDM0VkxWK2JQM3NHZEJCSW83MEVoTzl3VS83TVRDZVJScGtISmlCYzc3dUJRUGgKTjVaalZUM0lEOEIyUzZTOWFONWVMNUhaWHYrbExhd0pjUEdVYUtlcVpmVG1XTVVHOFFHTTJtK1pJWGNNY1dyUwpRZ1hSSnM5anUzQndsWGZGR1hOeGJ6SnlyL3ZKZkwrVkU4Y09YN1h0WlBtQ3BjWEd2TVUzQ3BuaTJJYTJiUmxJClFvb0w3N2I4SWJDTm12VVM3Y3U3c2J3cTRVbUJUaWRUYVU3UFRtQjJuMXZRTm9uZjllRVRkSDkwYkpURFFadDQKRURaa0kzeU1QbXl5NU5tV3poOEViVGFSQ2VjU05PM2ZkSHNQQndJREFRQUJBb0lCQUZ6T2VzRXZjTG1GNE90VQpnN1NDMytZa0tYcXkyY1JEZGc3MS9VZURjYmNQd3lWd3FrMjlLUzFjOVN1SnNVUEJCN2pocEtReThuR2JUa0xQCkdyTlpQdUdOZTVJcHRPNUViZkZFSlFZK0ZiTk81c0J5aHBMWnliWTYzR0dpVGR4NEFyODMrSnRxeEhrd3d5d1oKdkZ0ZjRmcC9wbE5tbDJZYi9uMkJjMGV6cUtseXNHbzZDL3IxdmRZZ0RqTEtzT1I0MTF4WS8rN0xuS2JBQWpVcApoQTRseG5LaFpjMzZONmFjQVowdGZPL1FzcXpqNWRsQTduMlgvQ1lSRkxXdjZML09PdHZlWlZCeGtqT0xQL3hxClhKZXJjSE0vMmN2YVZtbzVTM2ltRlNWNkxKeEF4UW10T1E4NUdTVHRXMWVIQUsrQldXL000eHdUM0NPcUx1aDIKSXdQcUlha0NnWUVBMWRxRkc5N3NQZE80bUFPdUcyWUJ5VkpnWXhrYzBvK0trTm1ITXc4YkJDanpZdXJDaTVFUAptZkFJV25DYUxQaSsrSE9FbXF3M0RVY1lMOFVWcHJkMkpBVG96VVFWcXBJbHUzQ3RzenVicGF6Rk9pUVBRVHZwCnp1dmNEMFpHeStsNE9OK2lYdllQQVBzbGQreHYzcFQxOWRsWFBVRGJYUHNvRXFsZ0V3bDNsN1VDZ1lFQTJGcWQKbExJSVlwWlVIUjFJbTI5c1J6Y2RyRjNjd21pd1lnVEVmT09QVVpwY05TVnkvc1hmOFkveEFkWHo2bkVsaGhXMApxUGtzbHJjdm9XM29DcXF4dElwQ3JCcUxWTjg4azFHZjNjUFRJR1FkeDh5ajVKdDJtbFRpU3Eyc3kxMUpUa3FPCmVzdk0wS1ZJT0lQMm11dXVaeFNpNEgxakE1Nlp2QXI2cnFMVFNVc0NnWUEwaVM1U0huMmk0clJpZytUdHppMTYKSzhhS0VjMUczUVNKZVNjQm9DQmU4VUI1ZUhxNmxyUmllTmxVZm4waHR5b1RGeTNvWVk1VXNMWjhaY3BmM29vagpaeUZaNi9QMnAxaWxwNVRFaDB4QmN5UXdtRk0zRDJUczlIeG5ORGlJTjU3Vk9mdEZvT1VtdEl3TDNnWE5oSUs0CkZ1Q2JwNmM4UEdjbnpueFBzTyswVVFLQmdISE0rQ1pHbnZKOGNESUFQVGpGR3djNmpua2p4Z0xjWGlxd3AwbXAKeUxEN3FKU3I1aGpzckNhN3QrRm5VSzE0Wm14bzdtWVM2c2s4QWVtL2pkWk9ncnFjSHdXMzBLSUw2aWp6UGt1Lwp2VVhFWTRXOHRsaUJEWm1RSEpkN1V2Q0ZXUkc5VmNSeGZvSWc3aVFNQmFMblpRMERaY2ovS3gyMFJ0a0tUV0dlCmM5U1JBb0dCQUpZY1hpU3RRNkVyM0xqeit2TTUzN05NdENIVFdBZ05yZzM0ZWdYMzJyZVZZdkd5amhKYk1yaEwKSkxxT0U5NmE3OUJZbDRyZERoNUliL1psUmhOUUpleENrRVFLUm12QmkwVHFUZ21EZmhxa3plOVRKTllRbndBRApHMU5xL0VaN2RCQ3gvcmlhbTRxUktxc0FwWDhWcjc3NGFKSCsvcFBuZ0xucHI3emFib0hyCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: coreyperkins-deployment
labels:
version: v1
spec:
replicas: 3
selector:
matchLabels:
app: coreyperkins-frontend
version: v1
template:
metadata:
labels:
app: coreyperkins-frontend
version: v1
spec:
containers:
- name: coreyperkins-frontend
image: coreyperkinsdev.azurecr.io/www:52
resources:
requests:
cpu: "100m"
imagePullPolicy: Always
ports:
- containerPort: 80
imagePullSecrets:
- name: coreyperkinsdev-acr-secret
---
apiVersion: v1
kind: Service
metadata:
name: coreyperkins-service
labels:
app: coreyperkins-frontend
spec:
ports:
- protocol: TCP
port: 5000
targetPort: 80
name: http
selector:
app: coreyperkins-frontend
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: coreyperkinsdev-production-clusterissuer
namespace: cert-manager
spec:
acme:
email: corey.perkins#gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: coreyperkinsdev-production-clusterissuer-acme
solvers:
- dns01:
acmedns:
host: https://acme-staging-v02.api.letsencrypt.org/directory
accountSecretRef:
name: coreyperkinsdev-production-clusterissuer-acme
key: coreyperkinsdevacmedns.json
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: coreyperkinsdev-production-certificate
namespace: cert-manager
spec:
secretName: coreyperkinsdev-production-clusterissuer-acme
issuerRef:
name: coreyperkinsdev-production-clusterissuer
kind: ClusterIssuer
commonName: coreyperkins.dev
dnsNames:
- coreyperkins.dev
- '*.coreyperkins.dev'
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: coreyperkinsdev-ingress
namespace: default
annotations:
cert-manager.io/cluster-issuer: coreyperkinsdev-production-clusterissuer
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
tls:
- hosts:
- coreyperkins.dev
- '*.coreyperkins.dev'
secretName: coreyperkinsdev-production-clusterissuer-acme
rules:
- host: www.coreyperkins.dev
- http:
paths:
- path: /?(.*)
backend:
serviceName: coreyperkins-service
servicePort: 5000
---
kind: ConfigMap
apiVersion: v1
metadata:
name: coreyperkinsdev-ng-cm
data:
http-snippet: |
types {
module;
}
---
I have created a staging environment with cert-manager as the following:
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: stage#example.io
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: privateKeySecretRef
solvers:
- dns01:
digitalocean:
tokenSecretRef:
name: digitalocean-dns
key: access-token
selector:
dnsNames:
- "*.dev.svc.databaker.io"
- "*.stage.svc.databaker.io"
---
and have created a certifcate for the wildcard domain *.dev.svc.databaker.io:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: dev-cert-staging
namespace: dev
spec:
secretName: secretName
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
commonName: "*.dev.svc.databaker.io"
dnsNames:
- "*.dev.svc.databaker.io"
at the end, an ingress object:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
name: dashboard
namespace: dev
spec:
rules:
- host: dashboard.dev.svc.databaker.io
http:
paths:
- backend:
serviceName: dashboard
servicePort: 80
path: /
tls:
- hosts:
- '*.dev.svc.databaker.io'
secretName: secretName
When I call the page https://dashboard.dev.svc.databaker.io/, it shows me:
The question is, if it is right, that it shows an invalid certificate?
It's right, staging is for testing certificate creation and has a very high limit on certificate issues.
Use production cert-issuer for even your dev environments but it's limited so make sure you're not spamming certs.
I'm trying to get cert-manager and letsencrypt working for a wildcard domain. I've pointed the wildcard A host to the load balancer IP (GKE). Here is the secret and issuer:
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-key
namespace: cert-manager
type: Opaque
data:
apikey: BASE_64_ENCODED_API_KEY
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: cert-manager
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: EMAIL
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
cloudflare:
email: EMAIL
apiKeySecretRef:
name: cloudflare-api-key
key: apikey
and here is my ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: apps-ingress
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-staging
spec:
tls:
- hosts:
- "*.sampledomain.com"
secretName: letsencrypt-staging
rules:
- host: phpmyadmin.sampledomain.com
http:
paths:
- backend:
serviceName: phpmyadmin
servicePort: 8081
The events are stuck at 'OrderCreated'. On checking the logs:
E0817 08:42:45.872348 1 base_controller.go:189] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Cloudflare API Error \n\t Error: 9103: Unknown X-Auth-Key or X-Auth-Email" "key"="default/letsencrypt-staging-3055668421-0"
There was a typo in my email address :|