CertManager Letsencrypt CertificateRequest "failed to perform self check GET request"

This might be worthwhile to look at. I was facing similar issue with Connection Timeout

Change LoadBalancer in ingress-nginx service.

Add/Change externalTrafficPolicy: Cluster.

Reason being, pod with the certificate-issuer wound up on a different node than the load balancer did, so it couldn’t talk to itself through the ingress.

Below is complete block taken from https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.26.1/deploy/static/provider/cloud-generic.yaml

kind: ServiceapiVersion: v1metadata:  name: ingress-nginx  namespace: ingress-nginx  labels:    app.kubernetes.io/name: ingress-nginx    app.kubernetes.io/part-of: ingress-nginxspec:  #CHANGE/ADD THIS  externalTrafficPolicy: Cluster  type: LoadBalancer  selector:    app.kubernetes.io/name: ingress-nginx    app.kubernetes.io/part-of: ingress-nginx  ports:    - name: http      port: 80      targetPort: http    - name: https      port: 443      targetPort: https---

In my case the cert-manager wanted to request the challenge via an internal ip-address.

failed to perform self check GET request 'http:///.well-known/acme-challenge/': Get http:///.well-known/acme-challenge/: dial tcp 10.67.0.8:80: connect: connection timed out

i.e. the DNS-resolution was broken. I fixed this by changing the deployment of cert-manager to accept only external DNS-servers like so

spec:  template:    spec:      dnsConfig:        nameservers:        - 8.8.8.8      dnsPolicy: None

This is how you do it. Also created an Issue so we can change that with the helm installation

I had the exact same issue it seems to be related with a bug in how Digital Ocean load balancer work. This thread lets-encrypt-certificate-issuance suggested adding the annotation service.beta.kubernetes.io/do-loadbalancer-hostname: "kube.mydomain.com" to the load balancer. In my case i did not had a yaml config file for the load balancer, I just copied the load balancer declaration from the nginx-ingress install script and applied the new configuration to the kubernetes cluster. Below is the final config for the load balancer.

apiVersion: v1kind: Servicemetadata:  annotations:    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'    # See https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/examples/README.md#accessing-pods-over-a-managed-load-balancer-from-inside-the-cluster    service.beta.kubernetes.io/do-loadbalancer-hostname: "kube.mydomain.com"  labels:    helm.sh/chart: ingress-nginx-3.19.0    app.kubernetes.io/name: ingress-nginx    app.kubernetes.io/instance: ingress-nginx    app.kubernetes.io/version: 0.43.0    app.kubernetes.io/managed-by: Helm    app.kubernetes.io/component: controller  name: ingress-nginx-controller  namespace: ingress-nginxspec:  type: LoadBalancer  externalTrafficPolicy: Local  ports:    - name: http      port: 80      protocol: TCP      targetPort: http    - name: https      port: 443      protocol: TCP      targetPort: https  selector:    app.kubernetes.io/name: ingress-nginx    app.kubernetes.io/instance: ingress-nginx    app.kubernetes.io/component: controller