HTTP-01 Challenge Failing (404) on Internal GKE Gateway

My issue: The cert-manager HTTP-01 challenge is failing to validate a certificate for an internal-facing NGINX Gateway Fabric. The Challenge resource reports wrong status code '404', expected '200' during the propagation check. The HTTPRoute created for the solver is not reachable by the ACME validation server.

How I encountered the problem:

  1. Deployed NGINX Gateway Fabric on GKE.

  2. Configured a Gateway with a Google Cloud Internal Load Balancer (networking.gke.io/load-balancer-type: "Internal"), resulting in a private VPC IP (e.g., 10.x.x.x).

  3. Attempted to issue a Let’s Encrypt certificate via HTTP-01.

Solutions I’ve tried:

  • Confirmed the Gateway has listeners for both Port 80 (HTTP) and Port 443 (HTTPS).

  • Checked HTTPRoute status; it initially showed InvalidListener because the TLS secret was missing, creating a circular dependency where the solver couldn’t attach because the listener wasn’t “Ready.”

  • Verified that the domain resolves correctly to the Internal IP within the VPC.

  • Only the HTTP endpoint is working as expected.


Hey @SHUCHITH It would be great if you could share the NGINX logs from when the HTTP requests are made.
That could help us narrow down the problem.

You could check the logs using Gateway pod logs

kubectl logs <gateway-pod-name> -n <gateway-namespace>

2026/03/25 17:48:42 [info] 66#66: *133 client closed connection while waiting for request, client: 10.x.x.x, server: 0.0.0.0:80

10.x.x.x - - [25/Mar/2026:17:48:51 +0000] "GET /.well-known/acme-challenge/ HTTP/1.1" 404 159 "-" "cert-manager-challenges/v1.17.2 (linux/amd64) cert-manager/f3ffb8…"

Looks like it's unable to find the route /.well-known/acme-challenge.

From my initial digging, it looks like:

  1. cert-manager should be installed with the --set config.enableGatewayAPI=true flag; are you doing that?
  2. In the spec for the ClusterIssuer, there should be a solver pointing to our gateway. I followed this document.

For example:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - http01:
        # Gateway API solver: cert-manager creates a temporary HTTPRoute attached to
        # this Gateway's port-80 listener to serve /.well-known/acme-challenge/<token>
        gatewayHTTPRoute:
          parentRefs:
          - name: gateway
            namespace: default
            group: gateway.networking.k8s.io
            kind: Gateway
          serviceType: ClusterIP

Can you also verify which HTTPRoutes you have currently?

kubectl get httproutes -A
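A small triage script that applies the two checks from the reply above (the NGINX access log and the HTTPRoute status from kubectl get httproutes -A -o json) to sample input. It is an added example, not code from the thread, cert-manager or NGINX Gateway Fabric; the log line, route name, token and source IP are constructed placeholders.

```python
import re
from typing import Dict, List

# Request, status and User-Agent fields of an NGINX "combined" access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ '
                    r'"[^"]*" "(?P<ua>[^"]*)"')
ACME_PREFIX = "/.well-known/acme-challenge/"

def failed_selfchecks(log_lines: List[str]) -> List[Dict[str, str]]:
    """cert-manager self-check requests for the ACME path that did not get a 200."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if (m and m["path"].startswith(ACME_PREFIX)
                and m["ua"].startswith("cert-manager-challenges/")
                and m["status"] != "200"):
            hits.append({"path": m["path"], "status": m["status"]})
    return hits

def unaccepted_routes(httproute_list: dict) -> List[str]:
    """HTTPRoutes (kubectl get httproutes -A -o json) not accepted by their parent Gateway."""
    findings = []
    for route in httproute_list.get("items", []):
        name = f"{route['metadata']['namespace']}/{route['metadata']['name']}"
        for parent in route.get("status", {}).get("parents", []):
            for cond in parent.get("conditions", []):
                if cond.get("type") == "Accepted" and cond.get("status") != "True":
                    findings.append(f"{name}: Accepted={cond['status']} ({cond.get('reason')})")
    return findings

def diagnose(log_lines: List[str], httproute_list: dict) -> List[str]:
    """A 404 on the self-check plus an unaccepted solver route means nothing is
    serving the challenge path; the token itself was never compared."""
    report = [f"self-check got {h['status']} on {h['path']}" for h in failed_selfchecks(log_lines)]
    return report + unaccepted_routes(httproute_list)

# Constructed sample input modelled on the thread: one access-log line and one
# solver HTTPRoute that the Gateway rejected with reason InvalidListener.
SAMPLE_LOG = [
    '10.0.0.7 - - [25/Mar/2026:17:48:51 +0000] "GET /.well-known/acme-challenge/TOKEN HTTP/1.1" '
    '404 159 "-" "cert-manager-challenges/v1.17.2 (linux/amd64) cert-manager/PLACEHOLDER"',
]
SAMPLE_ROUTES = {"items": [{
    "metadata": {"namespace": "default", "name": "cm-acme-http-solver-sample"},
    "status": {"parents": [{"parentRef": {"name": "gateway"}, "conditions": [
        {"type": "Accepted", "status": "False", "reason": "InvalidListener"}]}]},
}]}

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG, SAMPLE_ROUTES) or ["no HTTP-01 problems found"]))
```

On a live cluster, feed it the Gateway pod log from kubectl logs and the JSON from kubectl get httproutes -A -o json; an empty report with a still-failing Challenge points away from the route and towards reachability of the internal IP.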

Were you able to get this resolved? If so, it’d be great if you could share what fixed it — always helpful for anyone who runs into the same thing down the road! If not, let us know how we can help as well.