Unable to configure cert-manager. Wrong status code '403', expected '200'

Question

I', trying to configure a cert-manager in a Baremetal server. I followed this link & this one

the k describe challenge my-domain.com-xqwh4-4005106243-2059835058

get

Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: wrong status code '403', expected '200'
  State:       pending
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Started    2m27s  cert-manager  Challenge scheduled for processing
  Normal  Presented  2m26s  cert-manager  Presented challenge using HTTP-01 challenge mechanism

the k describe order my-domain.com-xqwh4-4005106243 has State: pending

the k describe certificate my-domain.com

Status:
  Conditions:
    Last Transition Time:        2021-10-11T01:30:50Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2021-10-11T01:30:50Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing

If a call directly the http://my-domain.com/.well-known/acme-challenge/xxx-xxx-xx-NSMHzTtTCneahED5Ns7HpTfABow it works well

Any idea how to troubleshoot it? I tried all the things from https://cert-manager.io/docs/faq/troubleshooting/

the cert ingress

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: cm-acme-http-solver-plvqx
  generateName: cm-acme-http-solver-
  namespace: default
  uid: 9a9f6829-3b89-4990-9038-f45285a4ae92
  resourceVersion: '3155628'
  generation: 1
  creationTimestamp: '2021-10-11T01:30:52Z'
  labels:
    acme.cert-manager.io/http-domain: '1019414173'
    acme.cert-manager.io/http-token: '902303313'
    acme.cert-manager.io/http01-solver: 'true'
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
  ownerReferences:
    - apiVersion: acme.cert-manager.io/v1
      kind: Challenge
      name: my-domain.com-xqwh4-4005106243-2059835058
      uid: 03bd05a0-d39d-4377-ad2a-43963b4ea9b9
      controller: true
      blockOwnerDeletion: true
  managedFields:
    - manager: controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-10-11T01:30:52Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:nginx.ingress.kubernetes.io/whitelist-source-range: {}
          f:generateName: {}
          f:labels:
            .: {}
            f:acme.cert-manager.io/http-domain: {}
            f:acme.cert-manager.io/http-token: {}
            f:acme.cert-manager.io/http01-solver: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"03bd05a0-d39d-4377-ad2a-43963b4ea9b9"}: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-10-11T01:31:13Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
      subresource: status
spec:
  ingressClassName: nginx
  rules:
    - host: my-domain.com
      http:
        paths:
          - path: >-
              /.well-known/acme-challenge/mIHD-FglhGgu-QV-NSMHzTtTCneahED5Ns7HpTfABow
            pathType: ImplementationSpecific
            backend:
              service:
                name: cm-acme-http-solver-22qx2
                port:
                  number: 8089
status:
  loadBalancer:
    ingress:
      - ip: 137.100.90.100

Answer 1

I have less reputation to add this in comment, are you sure your domain.com is resolving to said IP, ,and any .htacess or any rule preventing it, sometimes it take time to resolve and it route to old domain.com

Answer 2

Thanks for all the help. the Issue was solved with a workaround https://github.com/jetstack/cert-manager/issues/4003#issuecomment-904420841

basically the cert manager pod was unable to access the service pod. Seems a dns or something blocking the http call, redirecting to https and the cert-manager fails

So to avoid go-out and go-in again

k -n cert-manager edit deployment cert-manager

and add in spec

spec:
  ...
  hostAliases:
    - hostnames:
      - something-do.com
      ip: 138.178.91.111 # server IP

this will add that line to the /etc/hosts so will call directly to your service