What happened?
After installing Pomerium using the k8s yaml manifest, visiting Pomerium’s URL shows the following browser error:
Error code: PR_CONNECT_RESET_ERROR
pomerium-proxy service log:

```json
{"level":"info","ts":"2026-02-25T22:59:22Z","msg":"certificate secret not found, skipping","controller":"pomerium-crd","controllerGroup":"ingress.pomerium.io","controllerKind":"Pomerium","Pomerium":{"name":"global"},"namespace":"","name":"global","reconcileID":"bc8376c6-6ab9-46a4-a861-18f84d611d41","secret":{"name":"pomerium-tls","namespace":"pomerium"},"error":"Secret \"pomerium-tls\" not found"}
{"level":"info","ts":"2026-02-25T22:59:22Z","msg":"certificate secret not found, skipping","controller":"bootstrap pod/pomerium-678bcf765d-vvqzf","controllerGroup":"ingress.pomerium.io","controllerKind":"Pomerium","Pomerium":{"name":"global"},"namespace":"","name":"global","reconcileID":"d6403fc2-9d49-4fc3-8333-826773292787","secret":{"name":"pomerium-tls","namespace":"pomerium"},"error":"Secret \"pomerium-tls\" not found"}
{"level":"info","ts":"2026-02-25T22:59:23Z","msg":"Ingress is HTTP-01 challenge solver, enabling public unauthenticated access","controller":"pomerium-ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"cm-acme-http-solver-s5d8g","namespace":"pomerium"},"namespace":"pomerium","name":"cm-acme-http-solver-s5d8g","reconcileID":"fa8786ec-a820-44ae-824e-f0fbc7f5fba4"}
{"level":"info","ts":"2026-02-25T22:59:23Z","msg":"new pomerium config applied","controller":"pomerium-ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"cm-acme-http-solver-s5d8g","namespace":"pomerium"},"namespace":"pomerium","name":"cm-acme-http-solver-s5d8g","reconcileID":"fa8786ec-a820-44ae-824e-f0fbc7f5fba4"}
{"level":"info","server-name":"all","service":"envoy","upstream-cluster":"pomerium-cm-acme-http-solver-s5d8g-pomerium-mydomain-com-well-known-acme-challenge-ym4q-mzxqqlmxmsq0fvck9es4nlruprh3aijbpks1gm-{\"n\":\"cm-acme-http-solver-s5d8g\",\"ns\":\"pomerium\",\"h\":\"pomerium.mydomain.com\",\"p\":\"/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM\"}","method":"GET","authority":"pomerium.mydomain.com","path":"/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM","user-agent":"cert-manager-challenges/v1.19.2 (linux/amd64) cert-manager/6e38ee57a338a1f27bb724ddb5933f4b8e23e567","referer":"http://pomerium.mydomain.com/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM","forwarded-for":"10.42.1.1","request-id":"dd868f5f-ad8d-45d3-8e9e-be286bfda230","duration":3.320798,"size":87,"response-code":200,"response-code-details":"via_upstream","time":"2026-02-26T01:58:27Z","message":"http-request"}
```
cert-manager’s Challenge status:

```yaml
status:
  presented: true
  processing: true
  reason: 'Waiting for HTTP-01 challenge propagation: failed to perform self check
    GET request ''http://pomerium.mydomain.com/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM'':
    Get "https://pomerium.mydomain.com/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM":
    read tcp 10.42.1.2:39308->POMERIUM_PUBLIC_IP:443: read: connection reset by peer'
  state: pending
```
Visiting the ACME .well-known URL redirects to an https version of the URL, which fails to connect:

```
» curl 'http://pomerium.mydomain.com/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM'
<a href="https://pomerium.mydomain.com/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM">Moved Permanently</a>.
» curl 'https://pomerium.mydomain.com/.well-known/acme-challenge/YM4Q-MZXqQLmxmsQ0Fvck9eS4nLRUprh3aiJBPkS1gM'
curl: (35) Recv failure: Connection reset by peer
```
I tried assigning the same hostname to another service using another ingress class (Traefik), which did generate a certificate, then assigning the same hostname to Pomerium, and everything worked (it did not run long enough to request a new certificate). So it looks like the issue is only with the initial setup.
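To check the redirect behaviour described above without a browser, here is an added diagnostic script (not from the issue or the Pomerium project) that reproduces the shape of cert-manager's HTTP-01 self-check with a single non-following request and classifies the result; HOST and TOKEN are placeholders, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added diagnostic: one plain-HTTP request to the ACME challenge path, no
# redirect following, then a verdict on whether an HTTP-01 self-check could pass.

# classify_response STATUS LOCATION
# Pure function (testable offline): prints a verdict, returns 0 only when the
# challenge would be served over plain HTTP as ACME HTTP-01 requires.
classify_response() {
    status="$1"
    location="$2"
    case "$status" in
        200)
            echo "ok: challenge served over plain HTTP"
            return 0 ;;
        301|302|307|308)
            case "$location" in
                https://*)
                    echo "fail: HTTP-01 path redirected to HTTPS ($location); the ACME self-check lands on the TLS listener before any certificate exists"
                    return 1 ;;
                *)
                    echo "fail: unexpected redirect to $location"
                    return 1 ;;
            esac ;;
        000|"")
            echo "fail: no HTTP response (connection refused or reset)"
            return 1 ;;
        *)
            echo "fail: HTTP $status on challenge path"
            return 1 ;;
    esac
}

# check_challenge HOST TOKEN
# Issues the request and feeds status code + redirect target to classify_response.
# %{http_code} is 000 when curl could not get a response; %{redirect_url} is the
# Location target of a redirect, empty otherwise.
check_challenge() {
    host="$1"
    token="$2"
    url="http://${host}/.well-known/acme-challenge/${token}"
    out=$(curl -s -o /dev/null --max-redirs 0 --max-time 5 \
          -w '%{http_code} %{redirect_url}' "$url" 2>/dev/null)
    classify_response "${out%% *}" "${out#* }"
}

# Usage: check_challenge pomerium.mydomain.com TOKEN   (placeholders)
```

A "fail: ... redirected to HTTPS" verdict is exactly the state shown in the curl output above; once the challenge path answers 200 over plain HTTP, cert-manager's self-check can succeed.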
What did you expect to happen?
Pomerium certificate successfully generated using cert-manager and Pomerium serving its URL.
How’d it happen?
- kubectl apply -k <kustomization-dir>
- Browse https://pomerium.mydomain.com
What’s your environment like?
- Pomerium version: pomerium/ingress-controller:v0.32.0
- k3s
- Default ingress: Traefik. Pomerium selectively used for some services. Traefik and Pomerium each have their own load-balancer and own public IP (Oracle Cloud OCI load balancer and network load balancer, respectively).
What’s your config.yaml?
kustomization.yaml:

```yaml
resources:
  - https://raw.githubusercontent.com/pomerium/ingress-controller/v0.32.0/deployment.yaml
  - certificate.yaml
  - global.yaml
```
certificate.yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pomerium-tls
  namespace: pomerium
spec:
  secretName: pomerium-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  usages:
    - server auth
    - client auth
  dnsNames:
    - pomerium.mydomain.com
```
global.yaml:

```yaml
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  authenticate:
    url: https://pomerium.mydomain.com
  certificates:
    - pomerium/pomerium-tls
  identityProvider:
    provider: oidc
    url: https://id.mydomain.com
    scopes:
      - openid
      - profile
      - email
    secret: pomerium/pomerium-oidc
  secrets: pomerium/bootstrap
  useProxyProtocol: true
```
cluster-issuer.yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    profile: tlsserver
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cert-issuer-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: pomerium
        selector:
          dnsNames:
            - pomerium.mydomain.com
            - app1.mydomain.com
      - http01:
          ingress:
            ingressClassName: traefik
```
What did you see in the logs?
Tried both with proxy protocol enabled and disabled (in Pomerium and the load-balancer).