We Keep Coding

Error "connect: connection refused" trying to fullfill acme challenge

I am pretty new to k8s and currently I am trying to set up a K8s-Cluster on a baremetal server with a publix IP.
However during the validation process letsencrypt cannot access the cluster. After following the trouble shooting I could find the following error: "Connection refused"
I set up my cluster with kubespray
K8s version: v1.22.4
Cert-Manager:
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
Nginx-Ingress-Controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/v1.0.4/deploy/static/provider/baremetal/deploy.yaml
ClusterIssuer:
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-cluster-issuer
#namespace: cert-manager
namespace: default
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: dav#my-company.com
privateKeySecretRef:
name: letsencrypt-cluster-issuer-key
solvers:
- http01:
ingress:
class: nginx
Certificate.yml:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-app
namespace: default
#namespace: cert-manager
spec:
dnsNames:
- {real-dns}.com
secretName: example-app-tls
issuerRef:
name: letsencrypt-cluster-issuer
#name: letsencrypt-staging
kind: ClusterIssuer
After running kubectl get all -n default, i got
root#node1:~# kubectl get all -n default
NAME READY STATUS RESTARTS AGE
pod/cm-acme-http-solver-2vx5w 1/1 Running 0 8s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cm-acme-http-solver-gp2f6 NodePort 10.233.13.8 <none> 8089:30158/TCP 8s
service/kubernetes ClusterIP 10.233.0.1 <none> 4
I think maybe the cert-manager could not create an issuer for the service cm-acme-http-solver-gp2f6?
Can someone plase give me a hint, how can I solve the problem?
Many thanks in advance.
Edit:
There is also debug step I tried:
clusterissuer:
root#node1:~# kubectl describe clusterissuer letsencrypt-cluster-
issuer
Name: letsencrypt-cluster-issuer
Namespace:
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2021-12-16T17:35:30Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:spec:
.:
f:acme:
.:
f:email:
f:privateKeySecretRef:
.:
f:name:
f:server:
f:solvers:
Manager: OpenAPI-Generator
Operation: Update
Time: 2021-12-16T17:35:30Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:acme:
.:
f:lastRegisteredEmail:
f:uri:
f:conditions:
Manager: controller
Operation: Update
Time: 2021-12-16T17:35:31Z
Resource Version: 230199
UID: 95d183fb-c50e-49ed-83fb-98ceee0f1b7a
Spec:
Acme:
Email: #######.com
Preferred Chain:
Private Key Secret Ref:
Name: letsencrypt-cluster-issuer-key
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
http01:
Ingress:
Class: nginx
Status:
Acme:
Last Registered Email: trang#my-company.com
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/322624000
Conditions:
Last Transition Time: 2021-12-16T17:35:31Z
Message: The ACME account was registered with the
ACME server
Observed Generation: 1
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
CertificateRequest:
root#node1:~# kubectl describe CertificateRequest example-app-w59ng
Name: example-app-w59ng
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: example-app
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: example-app-qddzv
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2021-12-22T14:07:00Z
Generate Name: example-app-
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:conditions:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: example-app
UID: 5c47b8a9-c076-4387-b117-bb4b1864448d
Resource Version: 1520892
UID: 2fe3875a-4b4d-4139-bef4-820679f8356e
Spec:
Extra:
authentication.kubernetes.io/pod-name:
cert-manager-7c6f78c46d-8r9n7
authentication.kubernetes.io/pod-uid:
5f7638e9-27e8-4a3f-b149-96e9a88d0c74
Groups:
system:serviceaccounts
system:serviceaccounts:cert-manager
system:authenticated
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Request: [...]
UID: 8dfc1be6-2e0b-4a2e-8087-a274110c4b74
Username: system:serviceaccount:cert-manager:cert-manager
Status:
Conditions:
Last Transition Time: 2021-12-22T14:07:00Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2021-12-22T14:07:00Z
Message: Waiting on certificate issuance from order default/example-app-w59ng-1045993216: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 4m42s cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 4m42s cert-manager Created Order resource default/example-app-w59ng-1045993216
Order:
root#node1:~# kubectl describe order example-app-w59ng-1045993216
Name: example-app-w59ng-1045993216
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: example-app
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: example-app-qddzv
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2021-12-22T14:07:00Z
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:authorizations:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: example-app-w59ng
UID: 2fe3875a-4b4d-4139-bef4-820679f8356e
Resource Version: 1520893
UID: 4bb32a01-71ee-43ce-976d-072a718fcc98
Spec:
Dns Names:
###.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Request: [...]
Status:
Authorizations:
Challenges:
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/PllHuQ
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/AYdl0A
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/DRK6xg
Identifier: cranberry-soft.de
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/58799104090
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/322624000/47528833830
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/322624000/47528833830
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 21m cert-manager Created Challenge resource "example-app-w59ng-1045993216-247428591" for domain "###.com"
Challenge:
root#node1:~# kubectl describe Challenge example-app-w59ng-1045993216-247428591
Name: example-app-w59ng-1045993216-247428591
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2021-12-22T14:07:01Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:presented:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:02Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:reason:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:02Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: example-app-w59ng-1045993216
UID: 4bb32a01-71ee-43ce-976d-072a718fcc98
Resource Version: 1520918
UID: 4cde9b13-e7af-4fbb-ac60-b25e977108a3
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/58799104090
Dns Name: ###.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Key: [...]
Solver:
http01:
Ingress:
Class: nginx
Token: [...]
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/PllHuQ
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://###.com/.well-known/acme-challenge/rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs': Get "http://###.com/.well-known/acme-challenge/rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs": dial tcp xx.xx.xx.xx:80: connect: connection refused
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 29m cert-manager Challenge scheduled for processing
Normal Presented 29m cert-manager Presented challenge using HTTP-01 challenge mechanism

Certificate always in 'False' state using LetsEncrypt with cluster issuer in k8s

I am unable to issue a working certificate for my ingress host in k8s. I use a ClusterIssuer to issue certificates and the same ClusterIssuer has issued certificates in the past for my ingress hosts under my domain name *xyz.com. But all of a sudden neither i can issue new Certificate with state 'True' for my host names nor a proper certificate secret (kubernetes.io/tls) gets created (but instead an Opaque secret gets created).
**strong text**
**kubectl describe certificate ingress-cert -n abc**
Name: ingress-cert
Namespace: abc
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1beta1
Kind: Certificate
Metadata:
Creation Timestamp: 2021-09-08T07:48:32Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: test-ingress
UID: c03ffec0-df4f-4dbb-8efe-4f3550b9dcc1
Resource Version: 146643826
Self Link: /apis/cert-manager.io/v1beta1/namespaces/abc/certificates/ingress-cert
UID: 90905ab7-22d2-458c-b956-7100c4c77a8d
Spec:
Dns Names:
abc.xyz.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt
Secret Name: ingress-cert
Status:
Conditions:
Last Transition Time: 2021-09-08T07:48:33Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2021-09-08T07:48:33Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: ingress-cert-gdq7g
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 11m cert-manager Issuing certificate as Secret does not exist
Normal Generated 11m cert-manager Stored new private key in temporary Secret resource "ingress-cert-gdq7g"
Normal Requested 11m cert-manager Created new CertificateRequest resource "ingress-cert-dp6sp"
I checked the certificate request and it contains no events. Also i can see no challenges. I have added the logs below. Any help would be appreciated
kubectl describe certificaterequest ingress-cert-dp6sp -n abc
Namespace: abc
Labels: <none>
Annotations: cert-manager.io/certificate-name: ingress-cert
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: ingress-cert-gdq7g
API Version: cert-manager.io/v1beta1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2021-09-08T07:48:33Z
Generate Name: ingress-cert-
Generation: 1
Owner References:
API Version: cert-manager.io/v1alpha2
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: ingress-cert
UID: 90905ab7-22d2-458c-b956-7100c4c77a8d
Resource Version: 146643832
Self Link: /apis/cert-manager.io/v1beta1/namespaces/abc/certificaterequests/ingress-cert-dp6sp
UID: fef72617-fc1d-4384-9f4b-a7e4502582d8
Spec:
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2Z6Q0NBV2NDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxMNgphTGhZNjhuNnhmMUprYlF5ek9OV1J4dGtLOXJrbjh5WUtMd2l4ZEFMVUl0TERra0t6Uksyb3loZzRMMThSQmQvCkNJaGJ5RXBYNnlRditKclRTOC84T1A0MWdwTUxBLzROdVhXWWtyeWhtZFdNaFlqa21OOFpiTUk1SlZZcVV2cVkKRWQ1b2cydmVmSjU1QlJPRExsd0o3YjBZa3hXckUwMGJxQ1ExWER6ZzFhM08yQ2JWd1NQT29WV2x6Uy9CdzRYVgpMeVdMS3E4QU52b2dZMUxXRU8xcG9YelRObm9LK2U2YVZueDJvQ1ZLdGxPaG1iYXRHYXNSaTJKL1FKK0dOWHovCnFzNXVBSlhzYVErUzlxOHIvbmVMOXNPYnN2OWd1QmxCK09yQVg2eHhkNHZUdUIwVENFU00zWis2c2MwMFNYRXAKNk01RlY3dkFFeDQyTWpuejVoa0NBd0VBQWFBNk1EZ0dDU3FHU0liM0RRRUpEakVyTUNrd0p3WURWUjBSQkNBdwpIb0ljY25kemMyZHdMbU5zYjNWa1oyRjBaUzV0YVdOeWIyWnBiaTVrWlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DCkFRRUFTQ0cwTXVHMjZRbVFlTlBFdmphNHZqUUZOVFVINWVuMkxDcXloY2ZuWmxocWpMbnJqZURuL2JTV1hwdVIKTnhXTnkxS0EwSzhtMG0rekNPbWluZlJRS1k2eHkvZU1WYkw4dTgrTGxscDEvRHl3UGxvREE2TkpVOTFPaDM3TgpDQ0E4NWphLy9FYVVvK0p5aHBzaTZuS1d4UXRpYXdmYXhuNUN4SENPWGF5Qzg0Q0IzdGZ2WWp6YUF3Ykx4akxYCmxvd09LUHNxSE51ZktFM0NtcjZmWGgramd5VWhxamYwOUJHeGxCWEFsSVNBNkN5dzZ2UmpWamFBOW82TmhaTXUKbmdheWZON00zUzBBYnAzVFFCZW8xYzc3QlFGaGZlSUE5Sk51SWtFd3EvNXppYVY1RDErNUxSSnR5ZkVpdnJLTwpmVjQ5WkpCL1BGOTdiejhJNnYvVW9CSkc2Zz09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
Status:
Conditions:
Last Transition Time: 2021-09-08T07:48:33Z
Message: Waiting on certificate issuance from order abc/ingress-cert-dp6sp-3843501305: ""
Reason: Pending
Status: False
Type: Ready
Events: <none>
Here is the ingress.yaml
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 20m
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt"
spec:
rules:
- host: abc.xyz.com
http:
paths:
- path: /static
backend:
serviceName: app-service
servicePort: 80
- path: /
backend:
serviceName: app-service
servicePort: 8000
tls:
- hosts:
- abc.xyz.com
secretName: ingress-cert
Here is the clusterissuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: example#user.de
privateKeySecretRef:
name: letsencrypt-key
solvers:
- http01:
ingress:
class: nginx

Works only with Nginx Ingress Controller
I was using ClusterIssuer but I changed it to Issuer and it works.
-- Install cert-manager (Installed version 1.6.1) and be sure that the three pods are running
-- Create an Issuer by appling this yml be sure that the issuer is running.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-nginx
namespace: default
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: example#example.com
privateKeySecretRef:
name: letsencrypt-nginx-private-key
solvers:
- http01:
ingress:
class: nginx
-- Add this to your ingress annotations
cert-manager.io/issuer: letsencrypt-nginx
-- Add the secretName to your ingress spec.tls.hosts
spec:
tls:
- hosts:
- yourdomain.com
secretName: letsencrypt-nginx
Notice that the Nginx Ingress Controller is able to generate the Certificate CRD automatically via a special annotation: cert-manager.io/issuer. This saves work and time, because you don't have to create and maintain a separate manifest for certificates as well (only the Issuer manifest is required). For other ingresses you may need to provide the Certificate CRD as well.

Ideally your ingress pointing to the secret which is storing the secret or SSL/TLS key cert.
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 20m
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt"
spec:
rules:
- host: abc.xyz.com
http:
paths:
- path: /static
backend:
serviceName: app-service
servicePort: 80
- path: /
backend:
serviceName: app-service
servicePort: 8000
tls:
- hosts:
- abc.xyz.com
secretName: letsencrypt-key
Your cluster issue storing the key
privateKeySecretRef:
name: letsencrypt-key
You have to use this secret and attach this to ingress.
If secret already storing cert with a domain
test.example.com and you are trying to get a new cert with hello.example.com
in this case using cluster issuer will overwrite the secret and might loss old cert stored inside secret.
You can create the multiple clusterissuer,
One storing and connect to single ingress, first.example.com
Second cluster issuer with different key name
privateKeySecretRef:
name: letsencrypt-key
and new key or secret will get attached to the ingress.

Cert-manager stopped renewing Let'S Encrypt certificates after upgrading to AKS 1.20.7

Our AKS cluster was configured to auto-renew Let's Encrypt certificates through Ingress Cert-Manager annotation and this worked perfectly until we upgraded to AKS 1.20.7. This then stopped working and the certificates started to expire without them being renewed - I double-checked all changes to K8S and CertManager APIs and reviewed all YAML's, but I'm not seeing anything obviously wrong. Would appreciate any pointers.
My understanding is that as long as I add the "cert-manager.io/cluster-issuer: letsencrypt-prod-p9v2" to my ingress - the whole renewal should happen automatically - this is not happening though.
> kubectl cert-manager version
util.Version{GitVersion:"v1.4.0", GitCommit:"5e2a6883c1202739902ac94b5f4884152b810925", GitTreeState:"clean", GoVersion:"go1.16.2", Compiler:"gc", Platform:"linux/amd64"}
AKS version: 1.20.7
cat shipit-ingress-p9v2.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/cluster-issuer: letsencrypt-prod-p9v2
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: 15m
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.org/client-max-body-size: 15m
generation: 4
name: shipit-ingress-p9v2
namespace: supplier
resourceVersion: "147087245"
uid: 6751dbff-83b1-48a1-a467-e75cc843ee79
spec:
rules:
- host: xxx.westeurope.cloudapp.azure.com
http:
paths:
- backend:
service:
name: planet9v2
port:
number: 8080
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- xxx.westeurope.cloudapp.azure.com
secretName: tls-secret-p9v2
status:
loadBalancer:
ingress:
- ip: 10.240.0.5
>>kubectl get clusterissuer -o yaml letsencrypt-prod-p9v2
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
annotations:
creationTimestamp: "2020-05-29T13:31:10Z"
generation: 2
name: letsencrypt-prod-p9v2
resourceVersion: "25493731"
uid: 0e0e46f5-4cdf-42ea-a022-2dfe9ed56ad8
spec:
acme:
email: xxx
http01: {}
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
status:
acme:
uri: https://acme-v02.api.letsencrypt.org/acme/acct/76984529
conditions:
- lastTransitionTime: "2020-05-29T13:31:11Z"
message: The ACME account was registered with the ACME server
reason: ACMEAccountRegistered
status: "True"
type: Ready
>>kubectl cert-manager inspect secret tls-secret-p9v2
...
Debugging:
Trusted by this computer: no: x509: certificate has expired or is not yet valid: current time 2021-08-24T07:03:32Z is after 2021-08-22T06:40:20Z
CRL Status: No CRL endpoints set
OCSP Status: Cannot check OCSP: error reading OCSP response: ocsp: error from server: unauthorized
kubectl describe secret tls-secret-p9v2
Name: tls-secret-p9v2
Namespace: supplier
Labels: certmanager.k8s.io/certificate-name=tls-secret-p9v2
Annotations: certmanager.k8s.io/alt-names: shipit-dev-p9v2.westeurope.cloudapp.azure.com
certmanager.k8s.io/common-name: shipit-dev-p9v2.westeurope.cloudapp.azure.com
certmanager.k8s.io/ip-sans:
certmanager.k8s.io/issuer-kind: ClusterIssuer
certmanager.k8s.io/issuer-name: letsencrypt-prod-p9v2
Type: kubernetes.io/tls
Data
====
tls.key: 1679 bytes
ca.crt: 0 bytes
tls.crt: 5672 bytes
kubectl get order
NAME STATE AGE
tls-secret-p9v2-4123722043 valid 24d
[(⎈ |shipit-k8s-dev:supplier)]$ k describe order tls-secret-p9v2-4123722043
Name: tls-secret-p9v2-4123722043
Namespace: supplier
Labels: acme.cert-manager.io/certificate-name=tls-secret-p9v2
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Order
Metadata:
Creation Timestamp: 2021-07-31T04:12:42Z
Generation: 4
Managed Fields:
API Version: certmanager.k8s.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:labels:
.:
f:acme.cert-manager.io/certificate-name:
f:ownerReferences:
.:
k:{"uid":"a1dec741-0fe7-42be-99d2-176c3d4cdf38"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:config:
f:csr:
f:dnsNames:
f:issuerRef:
.:
f:kind:
f:name:
f:status:
.:
f:certificate:
f:challenges:
f:finalizeURL:
f:state:
f:url:
Manager: jetstack-cert-manager
Operation: Update
Time: 2021-07-31T04:13:09Z
Owner References:
API Version: certmanager.k8s.io/v1alpha1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: tls-secret-p9v2
UID: a1dec741-0fe7-42be-99d2-176c3d4cdf38
Resource Version: 143545958
UID: a646985b-6d44-4c99-bb39-ceb6c4919047
Spec:
Config:
Domains:
shipit-dev-p9v2.westeurope.cloudapp.azure.com
http01:
Ingress Class: nginx
Csr: MIIC3zCCAccCAQAwTzEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMTYwNAYDVQQDEy1zaGlwaXQtZGV2LXA5djIud2VzdGV1cm9wZS5jbG91ZGFwcC5henVyZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdqF08foRx7qVCU4YpVLHxodqMJp1h10l0s89MUVK7C2IWwHdQ5w2BjUB12gT6T6NK9ZhJEzzYtLk18wFAojKUOFjuwF5Kklh+Qe6rFiZNNJ2+uDN/WhCLylbsXjHzQ+N3XMZ0jhGv+72XQyeK/X8jurMmVk5dSZbYP0ysk7w7gSFjjpeN2EIpYcnp2rCjTU+ksfeJ04DDm84hN9snMpGKspIhTFBphCQQgScPO9Fx+S5NVG/ScoM0CLSYiQVB0oPYUaw84O/lNC7kq/UWERli2pNy9Gnxdw2g37nFTj2uvPGGbPE1WBTFtdzkFWMepaw1l25X1//Nsap3zuZY0C3jAgMBAAGgSzBJBgkqhkiG9w0BCQ4xPDA6MDgGA1UdEQQxMC+CLXNoaXBpdC1kZXYtcDl2Mi53ZXN0ZXVyb3BlLmNsb3VkYXBwLmF6dXJlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAWEqfGuYcgf2ujby+K9MK+9q/r0cajo4q0JM6ZkBQQGb88b/nwxa7sr4n7hnlpKhXdLPp5QoeBMr3UM7Nwc7PrYxOws9v51mq3ekUOARgO4/4eJw4agFf8KKQLjtkFr2Q3OFJp6GuYKDCo2+Z1jqs76v7ReKlBoVhMtxOkjykQJheFQzg7ezGshE5trXh3NL/FaaThp1vP+qp8nDnq1YXkvOyaoc7u4X2sl831FTPcv3tsQJJzrOPlZPUJcgCC9cZiCTwqdttaJFRobTEGSk+pzc54C6eRQv9muto8D29Eg2G9f9xDSJULT6WbZWL6gzbJ/5pu3ep+V+cB43f5H+Sqg==
Dns Names:
shipit-dev-p9v2.westeurope.cloudapp.azure.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod-p9v2
Status:
Certificate: LS0tLS1CRUdJTiBDRVJUSUZJ.....
Challenges:
Authz URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/17660284180
Config:
http01:
Ingress Class: nginx
Dns Name: shipit-dev-p9v2.westeurope.cloudapp.azure.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod-p9v2
Key: AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4.mIcOL5pBlkZJSpSUslpjJTC_hFunxNRCEA82VcfFAHE
Token: AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/17660284180/Sh057Q
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/75003870/13444902230
State: valid
URL: https://acme-v02.api.letsencrypt.org/acme/order/75003870/13444902230
Events: <none>

i was facing the same issue, updating the version of Cert-manager resolved the issue.
i was not on AKS but was using the GKE and i upgraded to the 1.5 cert-manager releases.
Currently as of now supported releases are the : 1.5 & 1.6
Releases
Refer this Document
Based on my understanding Cert-manger stop supporting old release and support only the latest 2 releases.
i upgraded to 1.5 and issue got resolved.

In my case had had to update the issuer yaml file. Before the update I had to change the apiVersion to cert-mamanager.io/v1.
After apply the issuer yaml file, my certificates were automaticly renewed.

Cert Manager Challenge Pending Kubernetes

I have it working on one site application I already set up and now I am just trying to replicate the exact same thing for a different site/domain in another namespace.
So staging.correct.com is my working https domain
and staging.example.com is my not working https domain (http works - just not https)
When I do the following it shows 3 certs, the working one for correct and then 2 for the example.com when it should only have one for example:
kubectl get -A certificate
correct staging-correct-com True staging-correct-com-tls 10d
example staging-example-com False staging-example-com-tls 16h
example staging-example-website-com False staging-example-com-tls 17h
When I do:
kubectl get -A certificaterequests
It shows 2 certificate requests for the example
example staging-example-com-nl46v False 15h
example staging-example-website-com-plhqb False 15h
When I do:
kubectl get ingressroute -A
NAMESPACE NAME AGE
correct correct-ingress-route 10d
correct correct-secure-ingress-route 6d22h
kube-system traefik-dashboard 26d
example example-website-ingress-route 15h
example example-website-secure-ingress-route 15h
routing dashboard 29d
routing traefik-dashboard 6d21h
When I do:
kubectl get secrets -A (just showing the relevant ones)
correct default-token-bphcm kubernetes.io/service-account-token
correct staging-correct-com-tls kubernetes.io/tls
example default-token-wx9tx kubernetes.io/service-account-token
example staging-example-com-tls Opaque
example staging-example-com-wf224 Opaque
example staging-example-website-com-rzrvw Opaque
Logs from cert manager pod:
1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "msg"="found one existing HTTP01 solver ingress" "dnsName"="staging.example.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-bqjsj" "related_resource_namespace”=“example” "related_resource_version"="v1beta1" "resource_kind"="Challenge" "resource_name"="staging-example-com-ltjl6-1661100417-771202110" "resource_namespace”=“example” "resource_version"="v1" "type"="HTTP-01"
When I do:
kubectl get challenge -A
example staging-example-com-nl46v-1661100417-2848337980 staging.example.com 15h
example staging-example-website-com-plhqb-26564845-3987262508 pending staging.example.com
When I do: kubectl get order -A
NAMESPACE NAME STATE AGE
example staging-example-com-nl46v-1661100417 pending 17h
example staging-example-website-com-plhqb-26564845 pending 17h
My yml files:
My ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
namespace: example
name: example-website-ingress-route
annotations:
kubernetes.io/ingress.class: "traefik"
cert-manager.io/issuer: example-issuer-staging
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.frontend.redirect.entryPoint: https
spec:
entryPoints:
- web
routes:
- match: Host(`staging.example.com`)
middlewares:
- name: https-only
kind: Rule
services:
- name: example-website
namespace: example
port: 80
my issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: example-issuer-staging
namespace: example
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: example#example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: staging-example-com-tls
# Enable the HTTP-01 challenge provider
solvers:
# An empty 'selector' means that this solver matches all domains
- http01:
ingress:
class: traefik
my middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https-only
namespace: example
spec:
redirectScheme:
scheme: https
permanent: true
my secure ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
namespace: example
name: example-website-secure-ingress-route
annotations:
kubernetes.io/ingress.class: "traefik"
cert-manager.io/issuer: example-issuer-staging
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.frontend.redirect.entryPoint: https
spec:
entryPoints:
- websecure
routes:
- match: Host(`staging.example.com`)
kind: Rule
services:
- name: example-website
namespace: example
port: 80
tls:
domains:
- main: staging.example.com
options:
namespace: example
secretName: staging-example-com-tls
my service:
apiVersion: v1
kind: Service
metadata:
namespace: example
name: 'example-website'
spec:
type: ClusterIP
ports:
- protocol: TCP
name: http
port: 80
targetPort: 80
- protocol: TCP
name: https
port: 443
targetPort: 80
selector:
app: 'example-website'
my solver:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: staging-example-com
namespace: example
spec:
secretName: staging-example-com-tls
issuerRef:
name: example-issuer-staging
kind: Issuer
commonName: staging.example.com
dnsNames:
- staging.example.com
my app:
apiVersion: apps/v1
kind: ReplicaSet
metadata:
namespace: example
name: 'example-website'
labels:
app: 'example-website'
tier: 'frontend'
spec:
replicas: 1
selector:
matchLabels:
app: 'example-website'
template:
metadata:
labels:
app: 'example-website'
spec:
containers:
- name: example-website-container
image: richarvey/nginx-php-fpm:1.10.3
imagePullPolicy: Always
env:
- name: SSH_KEY
value: 'secret'
- name: GIT_REPO
value: 'url of source code for site'
- name: GIT_EMAIL
value: 'example#example.com'
- name: GIT_NAME
value: 'example'
ports:
- containerPort: 80
How can I delete all these secrets, orders, certificates and stuff in the example namespace and try again? Does cert-manager let you do this without restarting them continuously?
EDIT:
I deleted the namespace and redeployed, then:
kubectl describe certificates staging-example-com -n example
Spec:
Common Name: staging.example.com
Dns Names:
staging.example.com
Issuer Ref:
Kind: Issuer
Name: example-issuer-staging
Secret Name: staging-example-com-tls
Status:
Conditions:
Last Transition Time: 2020-09-26T21:25:06Z
Message: Issuing certificate as Secret does not contain a certificate
Reason: MissingData
Status: False
Type: Ready
Last Transition Time: 2020-09-26T21:25:07Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: staging-example-com-gnbl4
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 3m10s cert-manager Issuing certificate as Secret does not exist
Normal Reused 3m10s cert-manager Reusing private key stored in existing Secret resource "staging-example-com-tls"
Normal Requested 3m9s cert-manager Created new CertificateRequest resource "staging-example-com-qrtfx"
So then I did:
kubectl describe certificaterequest staging-example-com-qrtfx -n example
Status:
Conditions:
Last Transition Time: 2020-09-26T21:25:10Z
Message: Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 8m17s cert-manager Created Order resource example/staging-example-com-qrtfx-1661100417
Normal OrderPending 8m17s cert-manager Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: ""
So I did:
kubectl describe challenges staging-example-com-qrtfx-1661100417 -n example
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 11m cert-manager Challenge scheduled for processing
Normal Presented 11m cert-manager Presented challenge using HTTP-01 challenge mechanism

I figured it out. The issue seems to be that IngressRoute (which is used in traefik) does not work with cert mananger. I just deployed this file, then the http check was confirmed, then I could delete it again. Hope this helps others with same issue.
Seems cert manager does support IngressRoute which is in Traefik? I opened the issue here so let's see what they say: https://github.com/jetstack/cert-manager/issues/3325
kubectl apply -f example-ingress.yml
File:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
namespace: example
name: example-ingress
annotations:
kubernetes.io/ingress.class: "traefik"
cert-manager.io/issuer: example-issuer-staging
spec:
rules:
- host: staging.example.com
http:
paths:
- path: /
backend:
serviceName: example-website
servicePort: 80
tls:
- hosts:
- staging.example.com
secretName: staging-example-com-tls

Cert-managed with wilcard and Cloudflare DNS, stuck at 'OrderCreated'

I'm trying to get cert-manager and letsencrypt working for a wildcard domain. I've pointed the wildcard A host to the load balancer IP (GKE). Here is the secret and issuer:
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-key
namespace: cert-manager
type: Opaque
data:
apikey: BASE_64_ENCODED_API_KEY
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: cert-manager
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: EMAIL
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
cloudflare:
email: EMAIL
apiKeySecretRef:
name: cloudflare-api-key
key: apikey
and here is my ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: apps-ingress
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-staging
spec:
tls:
- hosts:
- "*.sampledomain.com"
secretName: letsencrypt-staging
rules:
- host: phpmyadmin.sampledomain.com
http:
paths:
- backend:
serviceName: phpmyadmin
servicePort: 8081
The events are stuck at 'OrderCreated'. On checking the logs:
E0817 08:42:45.872348 1 base_controller.go:189] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Cloudflare API Error \n\t Error: 9103: Unknown X-Auth-Key or X-Auth-Email" "key"="default/letsencrypt-staging-3055668421-0"

There was a typo in my email address :|