Error "connect: connection refused" trying to fulfill ACME challenge - kubernetes

I am pretty new to k8s and currently I am trying to set up a K8s cluster on a bare-metal server with a public IP.
However, during the validation process Let's Encrypt cannot access the cluster. After following the troubleshooting guide I found the following error: "Connection refused"
I set up my cluster with kubespray
K8s version: v1.22.4
Cert-Manager:
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
Nginx-Ingress-Controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/v1.0.4/deploy/static/provider/baremetal/deploy.yaml
ClusterIssuer:
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
  #namespace: cert-manager
  namespace: default
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: dav@my-company.com
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
    - http01:
        ingress:
          class: nginx
Certificate.yml:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-app
  namespace: default
  #namespace: cert-manager
spec:
  dnsNames:
  - {real-dns}.com
  secretName: example-app-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    #name: letsencrypt-staging
    kind: ClusterIssuer
After running kubectl get all -n default, I got
root@node1:~# kubectl get all -n default
NAME READY STATUS RESTARTS AGE
pod/cm-acme-http-solver-2vx5w 1/1 Running 0 8s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cm-acme-http-solver-gp2f6 NodePort 10.233.13.8 <none> 8089:30158/TCP 8s
service/kubernetes ClusterIP 10.233.0.1 <none> 4
I think maybe the cert-manager could not create an issuer for the service cm-acme-http-solver-gp2f6?
Can someone please give me a hint how I can solve the problem?
Many thanks in advance.
Edit:
There are also debug steps I tried:
clusterissuer:
root@node1:~# kubectl describe clusterissuer letsencrypt-cluster-issuer
Name: letsencrypt-cluster-issuer
Namespace:
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2021-12-16T17:35:30Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:spec:
.:
f:acme:
.:
f:email:
f:privateKeySecretRef:
.:
f:name:
f:server:
f:solvers:
Manager: OpenAPI-Generator
Operation: Update
Time: 2021-12-16T17:35:30Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:acme:
.:
f:lastRegisteredEmail:
f:uri:
f:conditions:
Manager: controller
Operation: Update
Time: 2021-12-16T17:35:31Z
Resource Version: 230199
UID: 95d183fb-c50e-49ed-83fb-98ceee0f1b7a
Spec:
Acme:
Email: #######.com
Preferred Chain:
Private Key Secret Ref:
Name: letsencrypt-cluster-issuer-key
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
http01:
Ingress:
Class: nginx
Status:
Acme:
Last Registered Email: trang@my-company.com
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/322624000
Conditions:
Last Transition Time: 2021-12-16T17:35:31Z
Message: The ACME account was registered with the
ACME server
Observed Generation: 1
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
CertificateRequest:
root@node1:~# kubectl describe CertificateRequest example-app-w59ng
Name: example-app-w59ng
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: example-app
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: example-app-qddzv
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2021-12-22T14:07:00Z
Generate Name: example-app-
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:conditions:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: example-app
UID: 5c47b8a9-c076-4387-b117-bb4b1864448d
Resource Version: 1520892
UID: 2fe3875a-4b4d-4139-bef4-820679f8356e
Spec:
Extra:
authentication.kubernetes.io/pod-name:
cert-manager-7c6f78c46d-8r9n7
authentication.kubernetes.io/pod-uid:
5f7638e9-27e8-4a3f-b149-96e9a88d0c74
Groups:
system:serviceaccounts
system:serviceaccounts:cert-manager
system:authenticated
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Request: [...]
UID: 8dfc1be6-2e0b-4a2e-8087-a274110c4b74
Username: system:serviceaccount:cert-manager:cert-manager
Status:
Conditions:
Last Transition Time: 2021-12-22T14:07:00Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2021-12-22T14:07:00Z
Message: Waiting on certificate issuance from order default/example-app-w59ng-1045993216: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 4m42s cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 4m42s cert-manager Created Order resource default/example-app-w59ng-1045993216
Order:
root@node1:~# kubectl describe order example-app-w59ng-1045993216
Name: example-app-w59ng-1045993216
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: example-app
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: example-app-qddzv
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2021-12-22T14:07:00Z
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:authorizations:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: example-app-w59ng
UID: 2fe3875a-4b4d-4139-bef4-820679f8356e
Resource Version: 1520893
UID: 4bb32a01-71ee-43ce-976d-072a718fcc98
Spec:
Dns Names:
###.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Request: [...]
Status:
Authorizations:
Challenges:
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/PllHuQ
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/AYdl0A
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/DRK6xg
Identifier: cranberry-soft.de
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/58799104090
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/322624000/47528833830
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/322624000/47528833830
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 21m cert-manager Created Challenge resource "example-app-w59ng-1045993216-247428591" for domain "###.com"
Challenge:
root@node1:~# kubectl describe Challenge example-app-w59ng-1045993216-247428591
Name: example-app-w59ng-1045993216-247428591
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2021-12-22T14:07:01Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:presented:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:02Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:reason:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:02Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: example-app-w59ng-1045993216
UID: 4bb32a01-71ee-43ce-976d-072a718fcc98
Resource Version: 1520918
UID: 4cde9b13-e7af-4fbb-ac60-b25e977108a3
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/58799104090
Dns Name: ###.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Key: [...]
Solver:
http01:
Ingress:
Class: nginx
Token: [...]
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/PllHuQ
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://###.com/.well-known/acme-challenge/rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs': Get "http://###.com/.well-known/acme-challenge/rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs": dial tcp xx.xx.xx.xx:80: connect: connection refused
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 29m cert-manager Challenge scheduled for processing
Normal Presented 29m cert-manager Presented challenge using HTTP-01 challenge mechanism

Related

Digital Ocean Kubernetes: Cert-Manager Certificate creation stuck at Created new CertificateRequest resource

I am following this tutorial to use a trusted TLS certificate in my ingress rules. All works, however
kubectl describe certificate quickstart-example-tls
gives & gets stuck at Created new CertificateRequest resource
....
Status:
Conditions:
Last Transition Time: 2022-02-08T10:00:01Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2022-02-08T10:00:02Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: quickstart-example-tls-d87r6
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 21m cert-manager Issuing certificate as Secret does not exist
Normal Generated 21m cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-d87r6"
Normal Requested 21m cert-manager Created new CertificateRequest resource "quickstart-example-tls-kxwqd"
First let me share my ingress rules and Issuers:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: www.<Domain>.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: flask
            port:
              number: 5000
I set up DNS (in digital ocean) rules so curling (via web) works.
curl "http://www.<Domain>.net"
<p>Hello, World!</p>%
Here is my issuer file:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <MY-EMAIL>
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
# kubectl get issuer
NAME READY AGE
letsencrypt-staging True 26s
Now I update my ingress rule and start the challenge:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-ingress
  annotations:
    cert-manager.io/issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - www.<DOMAIN>.net
    secretName: quickstart-example-tls
  ingressClassName: nginx
  rules:
  - host: www.<DOMAIN>.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: flask
            port:
              number: 5000
#kubectl get certificate
NAME READY SECRET AGE
quickstart-example-tls False quickstart-example-tls 88s
Here is the detailed output:
#kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2022-02-08T10:34:40Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:ownerReferences:
.:
k:{"uid":"<UID>"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:dnsNames:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:secretName:
f:usages:
f:status:
.:
f:conditions:
f:nextPrivateKeySecretName:
Manager: controller
Operation: Update
Time: 2022-02-08T10:34:41Z
Owner References:
API Version: networking.k8s.io/v1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: flask-ingress
UID: <UID>
Resource Version: 321990
UID: <UID>
Spec:
Dns Names:
www.<DOMAIN>.net
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Usages:
digital signature
key encipherment
Status:
Conditions:
Last Transition Time: 2022-02-08T10:34:40Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Last Transition Time: 2022-02-08T10:34:40Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Next Private Key Secret Name: quickstart-example-tls-w4psf
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 2m14s cert-manager Issuing certificate as Secret does not exist
Normal Generated 2m13s cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-w4psf"
Normal Requested 2m13s cert-manager Created new CertificateRequest resource "quickstart-example-tls-znhlv"
So this is where things get stuck and I don't know why.
# kubectl describe certificaterequest quickstart-example-tls
Name: quickstart-example-tls-znhlv
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: quickstart-example-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: quickstart-example-tls-w4psf
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2022-02-08T10:34:41Z
Generate Name: quickstart-example-tls-
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:cert-manager.io/certificate-name:
f:cert-manager.io/certificate-revision:
f:cert-manager.io/private-key-secret-name:
f:generateName:
f:ownerReferences:
.:
k:{"uid":"<UID>"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:request:
f:usages:
f:status:
.:
f:conditions:
Manager: controller
Operation: Update
Time: 2022-02-08T10:34:41Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: quickstart-example-tls
UID: <UID>
Resource Version: 322003
UID: <UID>
Spec:
Extra:
authentication.kubernetes.io/pod-name:
cert-manager-6d8d028374dbb-f43n7
authentication.kubernetes.io/pod-uid:
<UID>
Groups:
system:serviceaccounts
system:serviceaccounts:cert-manager
system:authenticated
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-staging
Request: <Request ID>
UID: <UID>
Usages:
digital signature
key encipherment
Username: system:serviceaccount:cert-manager:cert-manager
Status:
Conditions:
Last Transition Time: 2022-02-08T10:34:41Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2022-02-08T10:34:43Z
Message: Waiting on certificate issuance from order default/quickstart-example-tls-znhlv-138543614: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 4m54s cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 4m53s cert-manager Created Order resource default/quickstart-example-tls-znhlv-138543614
Having a look at the challenge, all seems to work.
# kubectl describe challenges --all-namespaces
Name: quickstart-example-tls-znhlv-138543614-1891152753
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2022-02-08T10:34:44Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.acme.cert-manager.io":
f:ownerReferences:
.:
k:{"uid":"<UID>"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:authorizationURL:
f:dnsName:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:key:
f:solver:
.:
f:http01:
.:
f:ingress:
.:
f:class:
f:token:
f:type:
f:url:
f:wildcard:
f:status:
.:
f:presented:
f:processing:
f:reason:
f:state:
Manager: controller
Operation: Update
Time: 2022-02-08T10:34:46Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: quickstart-example-tls-znhlv-138543614
UID: <UID>
Resource Version: 322038
UID: <UID>
Spec:
Authorization URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<NR>
Dns Name: www.<DOMAIN>.net
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-staging
Key: <SOMEKEY>
Solver:
http01:
Ingress:
Class: nginx
Token: <SOMEToken>
Type: HTTP-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/<NR>/<CODE>
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>': Get "http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>": EOF
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 6m18s cert-manager Challenge scheduled for processing
Normal Presented 6m17s cert-manager Presented challenge using HTTP-01 challenge mechanism
#curl "http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>"
<SOMEKEY>%
All seems to be fine, but I do not get the certificate?
A couple of additional things:
I use digital ocean managed kubernetes 1.21
I installed ingress-nginx via UI in digital ocean to namespace ingress-nginx
I use cert-manager 1.7
#kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-6d8d6b5dbb-f4xn7 1/1 Running 0 47h
cert-manager-cainjector-d6cbc4d9-g6j8c 1/1 Running 0 47h
cert-manager-webhook-85fb68c79b-sv8pb 1/1 Running 0 47h
Looking at the logs from cert-manager, I see that the GET request failed although it actually works.
# kubectl logs cert-manager-6d8d6b5dbb-f4xn7 -n cert-manager
E0208 15:07:31.660877 1 sync.go:186] cert-manager/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>': Get \"http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>\": EOF" "dnsName"="www.<DOMAIN>.net" "resource_kind"="Challenge" "resource_name"="quickstart-example-tls-znhlv-138543614-1891152753" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"
@Rychu linked me to the answer here. This also goes back to step 5 of this post.
In my case I added a DNS entry on Digital Ocean for "workaround.<DOMAIN>.net" pointing to my load balancer, and then I updated my ingress controller:
cat ingress_nginx_svc.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    service.beta.kubernetes.io/do-loadbalancer-hostname: "workaround.<DOMAIN>.net"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 1.0.4
    helm.sh/chart: ingress-nginx-4.0.6
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  ports:
  - appProtocol: http
    name: http
    nodePort: 31799
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 32533
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
kubectl apply -f ingress_nginx_svc.yaml
Then you should see something like this:
# kubectl describe certificate
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 15m cert-manager Issuing certificate as Secret does not exist
Normal Generated 15m cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-zj57f"
Normal Requested 15m cert-manager Created new CertificateRequest resource "quickstart-example-tls-gc599"
Normal Issuing 8m3s cert-manager Issuing certificate as Secret was previously issued by Issuer.cert-manager.io/letsencrypt-staging
Normal Reused 8m2s cert-manager Reusing private key stored in existing Secret resource "quickstart-example-tls"
Normal Requested 8m2s cert-manager Created new CertificateRequest resource "quickstart-example-tls-55xcw"
Normal Issuing 7m33s (x2 over 11m) cert-manager The certificate has been successfully issued
That solved my problem! Thanks again @Rychu for pointing me to that.
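Both the bare-metal question above ("dial tcp xx.xx.xx.xx:80: connect: connection refused") and this Digital Ocean post ("EOF") fail at the same step: before it asks the ACME server to validate, cert-manager itself GETs http://<dnsName>/.well-known/acme-challenge/<token> and expects the challenge key back. As an added example (not code from either post and not cert-manager's own code), the Python below runs that same GET against a local stand-in for the cm-acme-http-solver pod and turns each failure mode into the explanation a reader would want. The `port` parameter, the local server, and the constructed token and key are this example's assumptions; the explanations are its own reading of the errors shown in the posts.

```python
"""Reproduce cert-manager's HTTP-01 self check against a throwaway solver.

Added example, not cert-manager's code. It mirrors one behaviour: the
controller GETs http://<dnsName>/.well-known/acme-challenge/<token> and
expects the body to equal the challenge key. The explanations attached to
each failure are this example's own reading of the errors in the posts.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def self_check(host, token, expected_key, port=80, timeout=3.0):
    """Return (ok, explanation) for one propagation check."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    except ConnectionRefusedError:
        # Nothing listens on that port at the address the name resolves to.
        # On bare metal a NodePort ingress listens on a 3xxxx port, not 80.
        return False, f"connection refused: nothing listens on {host}:{port}"
    except (http.client.RemoteDisconnected, ConnectionResetError):
        # TCP accepted, then closed without an HTTP response: what Go's
        # http client reports as EOF (PROXY-protocol mismatch, LB hairpin).
        return False, "EOF: peer closed the connection without an HTTP response"
    except socket.timeout:
        return False, "timeout: packets dropped on the way (firewall or wrong IP)"
    except socket.gaierror:
        return False, f"DNS: {host} does not resolve"
    if resp.status != 200:
        return False, f"HTTP {resp.status}: a web server answers but does not route the solver path"
    if body != expected_key:
        return False, "body mismatch: the request reached a backend other than the solver pod"
    return True, "challenge reachable and key matches"


def serve_solver(key_by_token, close_without_reply=False):
    """Start a local stand-in for the cm-acme-http-solver pod on 127.0.0.1.

    Returns (port, stop). With close_without_reply=True the handler reads the
    request and closes the socket, which is the EOF seen in the DO post.
    """
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def do_GET(self):
            if close_without_reply:
                return  # send nothing; the HTTP/1.0 handler then closes the socket
            token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else ""
            key = key_by_token.get(token)
            if key is None:
                self.send_response(404)
                self.end_headers()
                return
            data = key.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        srv.shutdown()
        srv.server_close()

    return srv.server_address[1], stop


def closed_port():
    """Pick a port nothing listens on, to reproduce 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the check against each failure mode; token and key are constructed."""
    token = "constructed-token"
    key = token + ".constructed-account-thumbprint"
    results = {}
    port, stop = serve_solver({token: key})
    results["ok"] = self_check("127.0.0.1", token, key, port=port)
    results["not_routed"] = self_check("127.0.0.1", "other-token", key, port=port)
    results["wrong_backend"] = self_check("127.0.0.1", token, "some-other-key", port=port)
    stop()
    port, stop = serve_solver({}, close_without_reply=True)
    results["eof"] = self_check("127.0.0.1", token, key, port=port)
    stop()
    results["refused"] = self_check("127.0.0.1", token, key, port=closed_port())
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} ok={ok} {why}")
```

Pointing self_check at the real dnsName, token and key from kubectl describe challenge, once from outside the cluster and once from inside a pod, separates an external reachability problem (the bare-metal NodePort case, where nothing answers on port 80) from a load-balancer hairpin problem (the Digital Ocean case, where the in-cluster request reaches the LB with PROXY protocol enabled and gets the connection closed).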

No valid certificates for cert-manager in k8s. Pending order

For some reason my certificates cannot be applied to my k8s cluster. I can see that general traffic flow is working, i.e. over HTTP my site is up and running.
I'm using:
kubernetes 1.22
cert-manager 1.6.1
My ingress file looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: web
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-production"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.org/websocket-services: web
    nginx.ingress.kubernetes.io/websocket-services: web
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - some.example.com
    secretName: example-tls
  rules:
  - host: some.example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: web
            port:
              number: 80
Clusterissuer (letsencrypt-production) file is:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    email: services@chimeraprime.com
    privateKeySecretRef:
      name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
status:
  acme:
    lastRegisteredEmail: email@mycompany.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/355122560
  conditions:
  - lastTransitionTime: "2022-01-08T17:45:55Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
The order is in pending state. Below is the info from kubectl describe:
Name: web-web-tls-h4pn7-1463892238
Namespace: web
Labels: <none>
Annotations: cert-manager.io/certificate-name: web-web-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: web-web-tls-pnrb9
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2022-01-10T21:20:47Z
Generation: 1
Manager: controller
Operation: Update
Time: 2022-01-10T21:20:47Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:authorizations:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Subresource: status
Time: 2022-01-10T21:20:47Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: web-web-tls-h4pn7
UID: 356d2130-bb03-4cba-a751-cff5904b331c
Resource Version: 32432743
UID: 7ae44312-9565-4656-bc71-6a921f8d899f
Spec:
Dns Names:
some.example.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-production
Request: [...]
Status:
Authorizations:
Challenges:
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/HF2Iag
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/sifuZA
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/NuJ8Yw
Identifier: some.example.com
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/66966354360
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/355122560/54310290910
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/355122560/54310290910
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 29m cert-manager Created Challenge resource "web-web-tls-h4pn7-1463892238-998650753" for domain "finkn.chimerapri.me"
The created challenge has no state:
Name: web-web-tls-h4pn7-1463892238-998650753
Namespace: web
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2022-01-10T21:20:47Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Manager: controller
Operation: Update
Time: 2022-01-10T21:20:47Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: web-web-tls-h4pn7-1463892238
UID: 7ae44312-9565-4656-bc71-6a921f8d899g
Resource Version: 32432749
UID: 559a5ce8-d181-423a-9706-6e7532c433ef
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/66966354360
Dns Name: some.example.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-production
Key: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U.ZeoVv0hyPHZ3wO-p2vQVZWEvuU3Ti8DQSsrUIGlwP1d
Solver:
http01:
Ingress:
Class: nginx
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8W
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/HF2Iag
Wildcard: false
Events: <none>
What am I missing here? I recently upgraded cert-manager from 1.0.1 to 1.6.1 and since then I'm seeing this kind of issue.
[EDIT] I can see no logs related to this site in cert manager pods logs.

Cert-manager stopped renewing Let's Encrypt certificates after upgrading to AKS 1.20.7

Our AKS cluster was configured to auto-renew Let's Encrypt certificates through the Ingress cert-manager annotation, and this worked perfectly until we upgraded to AKS 1.20.7. It then stopped working and the certificates started to expire without being renewed. I double-checked all changes to the K8S and cert-manager APIs and reviewed all YAMLs, but I'm not seeing anything obviously wrong. Would appreciate any pointers.
My understanding is that as long as I add the "cert-manager.io/cluster-issuer: letsencrypt-prod-p9v2" to my ingress - the whole renewal should happen automatically - this is not happening though.
> kubectl cert-manager version
util.Version{GitVersion:"v1.4.0", GitCommit:"5e2a6883c1202739902ac94b5f4884152b810925", GitTreeState:"clean", GoVersion:"go1.16.2", Compiler:"gc", Platform:"linux/amd64"}
AKS version: 1.20.7
cat shipit-ingress-p9v2.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod-p9v2
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 15m
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.org/client-max-body-size: 15m
  generation: 4
  name: shipit-ingress-p9v2
  namespace: supplier
  resourceVersion: "147087245"
  uid: 6751dbff-83b1-48a1-a467-e75cc843ee79
spec:
  rules:
  - host: xxx.westeurope.cloudapp.azure.com
    http:
      paths:
      - backend:
          service:
            name: planet9v2
            port:
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - xxx.westeurope.cloudapp.azure.com
    secretName: tls-secret-p9v2
status:
  loadBalancer:
    ingress:
    - ip: 10.240.0.5
>>kubectl get clusterissuer -o yaml letsencrypt-prod-p9v2
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  annotations:
  creationTimestamp: "2020-05-29T13:31:10Z"
  generation: 2
  name: letsencrypt-prod-p9v2
  resourceVersion: "25493731"
  uid: 0e0e46f5-4cdf-42ea-a022-2dfe9ed56ad8
spec:
  acme:
    email: xxx
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
status:
  acme:
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/76984529
  conditions:
  - lastTransitionTime: "2020-05-29T13:31:11Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
>>kubectl cert-manager inspect secret tls-secret-p9v2
...
Debugging:
Trusted by this computer: no: x509: certificate has expired or is not yet valid: current time 2021-08-24T07:03:32Z is after 2021-08-22T06:40:20Z
CRL Status: No CRL endpoints set
OCSP Status: Cannot check OCSP: error reading OCSP response: ocsp: error from server: unauthorized
kubectl describe secret tls-secret-p9v2
Name: tls-secret-p9v2
Namespace: supplier
Labels: certmanager.k8s.io/certificate-name=tls-secret-p9v2
Annotations: certmanager.k8s.io/alt-names: shipit-dev-p9v2.westeurope.cloudapp.azure.com
certmanager.k8s.io/common-name: shipit-dev-p9v2.westeurope.cloudapp.azure.com
certmanager.k8s.io/ip-sans:
certmanager.k8s.io/issuer-kind: ClusterIssuer
certmanager.k8s.io/issuer-name: letsencrypt-prod-p9v2
Type: kubernetes.io/tls
Data
====
tls.key: 1679 bytes
ca.crt: 0 bytes
tls.crt: 5672 bytes
kubectl get order
NAME STATE AGE
tls-secret-p9v2-4123722043 valid 24d
[(⎈ |shipit-k8s-dev:supplier)]$ k describe order tls-secret-p9v2-4123722043
Name: tls-secret-p9v2-4123722043
Namespace: supplier
Labels: acme.cert-manager.io/certificate-name=tls-secret-p9v2
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Order
Metadata:
Creation Timestamp: 2021-07-31T04:12:42Z
Generation: 4
Managed Fields:
API Version: certmanager.k8s.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:labels:
.:
f:acme.cert-manager.io/certificate-name:
f:ownerReferences:
.:
k:{"uid":"a1dec741-0fe7-42be-99d2-176c3d4cdf38"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:config:
f:csr:
f:dnsNames:
f:issuerRef:
.:
f:kind:
f:name:
f:status:
.:
f:certificate:
f:challenges:
f:finalizeURL:
f:state:
f:url:
Manager: jetstack-cert-manager
Operation: Update
Time: 2021-07-31T04:13:09Z
Owner References:
API Version: certmanager.k8s.io/v1alpha1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: tls-secret-p9v2
UID: a1dec741-0fe7-42be-99d2-176c3d4cdf38
Resource Version: 143545958
UID: a646985b-6d44-4c99-bb39-ceb6c4919047
Spec:
Config:
Domains:
shipit-dev-p9v2.westeurope.cloudapp.azure.com
http01:
Ingress Class: nginx
Csr: [...]
Dns Names:
shipit-dev-p9v2.westeurope.cloudapp.azure.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod-p9v2
Status:
Certificate: LS0tLS1CRUdJTiBDRVJUSUZJ.....
Challenges:
Authz URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/17660284180
Config:
http01:
Ingress Class: nginx
Dns Name: shipit-dev-p9v2.westeurope.cloudapp.azure.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod-p9v2
Key: AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4.mIcOL5pBlkZJSpSUslpjJTC_hFunxNRCEA82VcfFAHE
Token: AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/17660284180/Sh057Q
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/75003870/13444902230
State: valid
URL: https://acme-v02.api.letsencrypt.org/acme/order/75003870/13444902230
Events: <none>
I was facing the same issue; updating the version of cert-manager resolved it.
I was not on AKS but was using GKE, and I upgraded to the 1.5 cert-manager release.
Currently the supported releases are 1.5 and 1.6.
Releases
Refer to this document.
Based on my understanding, cert-manager stops supporting old releases and supports only the latest two releases.
I upgraded to 1.5 and the issue got resolved.
In my case I had to update the issuer YAML file. Before the update I had to change the apiVersion to cert-manager.io/v1.
After applying the issuer YAML file, my certificates were automatically renewed.

Cert-Manager dns01 challenge order pending

Followed steps mentioned at https://cert-manager.io/docs/installation/kubernetes/
# Kubernetes 1.16+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml
$ kubectl -n cert-manager get pods
NAME READY STATUS RESTARTS AGE
cert-manager-958cb7d4d-m62xm 1/1 Running 0 137m
cert-manager-cainjector-8495f7f6c9-56ck6 1/1 Running 0 137m
cert-manager-webhook-5dcdfbd9d4-6mw74 1/1 Running 0 137m
ClusterIssuer
% kubectl -n cert-manager describe ClusterIssuer letsencrypt
Name: letsencrypt
Namespace:
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt"},"spec":{"acme":{"email"...
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2020-10-21T17:31:16Z
Generation: 1
Resource Version: 120254050
Self Link: /apis/cert-manager.io/v1/clusterissuers/letsencrypt
UID: fe54ce07-61be-446f-9db1-4745b742ac71
Spec:
Acme:
Email: admin@example.com
Preferred Chain:
Private Key Secret Ref:
Name: letsencrypt-test-key
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
dns01:
route53:
Access Key ID: ####
Hosted Zone ID: ####
Region: us-west-2
Secret Access Key Secret Ref:
Key: secret_key
Name: aws-secret
Selector:
Dns Zones:
example.com
Status:
Acme:
Last Registered Email: admin@example.com
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/98054390
Conditions:
Last Transition Time: 2020-10-21T17:31:16Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
Certificate
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-cert
  namespace: cert-manager
spec:
  commonName: '*.test.example.com'
  secretName: test-cert
  dnsNames:
  - '*.test.example.com'
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
$ kubectl -n cert-manager get certificate
NAME READY SECRET AGE
test-cert False test-cert 65m
$ kubectl -n cert-manager describe certificate test-cert
Name: test-cert
Namespace: cert-manager
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2020-10-21T17:31:23Z
Generation: 1
Resource Version: 120254080
Self Link: /apis/cert-manager.io/v1/namespaces/cert-manager/certificates/test-cert
UID: 82148eee-5f4b-47d7-a09a-407e4d041101
Spec:
Common Name: *.test.example.com
Dns Names:
*.test.example.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt
Secret Name: test-cert
Status:
Conditions:
Last Transition Time: 2020-10-21T17:31:23Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2020-10-21T17:31:23Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: test-cert-gqhmj
CertificateRequest
$ kubectl -n cert-manager get CertificateRequest
NAME READY AGE
test-cert-zqbwz False 67m
$ kubectl -n cert-manager describe CertificateRequest test-cert-zqbwz
Name: test-cert-zqbwz
Namespace: cert-manager
Labels: <none>
Annotations: cert-manager.io/certificate-name: test-cert
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: test-cert-gqhmj
kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2020-10-21T17:31:24Z
Generate Name: test-cert-
Generation: 1
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: test-cert
UID: 82148eee-5f4b-47d7-a09a-407e4d041101
Resource Version: 120254090
Self Link: /apis/cert-manager.io/v1/namespaces/cert-manager/certificaterequests/test-cert-zqbwz
UID: bb9d218d-084d-40a5-8f83-46ca5ac4f70a
Spec:
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSR...Q0FURSBSRVFVRVNULS0tLS0K
Status:
Conditions:
Last Transition Time: 2020-10-21T17:31:24Z
Message: Waiting on certificate issuance from order cert-manager/test-cert-zqbwz-2027085711: "pending"
Reason: Pending
Status: False
Type: Ready
Events: <none>
Order:
$ kubectl -n cert-manager get order
NAME STATE AGE
test-cert-zqbwz-2027085711 pending 68m
$ kubectl -n cert-manager describe order test-cert-zqbwz-2027085711
Name: test-cert-zqbwz-2027085711
Namespace: cert-manager
Labels: <none>
Annotations: cert-manager.io/certificate-name: test-cert
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: test-cert-gqhmj
kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2020-10-21T17:31:24Z
Generation: 1
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: test-cert-zqbwz
UID: bb9d218d-084d-40a5-8f83-46ca5ac4f70a
Resource Version: 120254091
Self Link: /apis/acme.cert-manager.io/v1/namespaces/cert-manager/orders/test-cert-zqbwz-2027085711
UID: 622c3ce4-fa2f-484f-a280-c125e09e37d3
Spec:
Common Name: *.test.example.com
Dns Names:
*.test.example.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBS...USUZJQ0FURSBSRVFVRVNULS0tLS0K
Status:
Authorizations:
Challenges:
Token: QCbSEvy4g6wIHpcOyU4UkIES9TtBoKMuOOyYNVsJ13w
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8048950916/RQu94g
Identifier: test.example.com
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8048950916
Wildcard: true
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/68054360/5803374286
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/68054360/5803374286
Events: <none>
Events: <none>
Why is the certificate order in the pending state? In Route53 I do see that the TXT record for _acme-challenge.test.example.com is created.
What am I missing in my setup here?
Probably the same situation
Waiting on certificate issuance from order status "pending"
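The question above stops at the Order, but the object that carries the actual blocking reason is one level deeper: the Challenge. The following is an added example, not cert-manager's own tooling, that walks the same Certificate -> CertificateRequest -> Order -> Challenge chain from `kubectl get <kind> -A -o json` output and reports the deepest status for every Certificate that is not Ready. It links objects through metadata.ownerReferences (the "Owner References" blocks in the describe output above). The sample objects, their UIDs, the Challenge name and its reason text are constructed to mirror this thread; `load_kind` is only for use against a live cluster. The `secret_collisions` check is an added sanity check that cert-manager does not perform itself.

```python
"""Triage helper for cert-manager certificates stuck in "pending".

Added example, not cert-manager's own tooling. Walks the chain
Certificate -> CertificateRequest -> Order -> Challenge over the JSON that
`kubectl get <kind> -A -o json` returns and reports the deepest blocking
status. Links follow metadata.ownerReferences, which cert-manager sets on
every child object.
"""
import json
import subprocess
from typing import Dict, List, Optional


def load_kind(kind: str) -> List[dict]:
    """Fetch every object of one kind across namespaces (needs a live cluster)."""
    out = subprocess.check_output(["kubectl", "get", kind, "-A", "-o", "json"])
    return json.loads(out)["items"]


def ns_name(obj: dict) -> str:
    return f"{obj['metadata']['namespace']}/{obj['metadata']['name']}"


def owned_by(children: List[dict], parent: dict) -> List[dict]:
    """Children whose ownerReferences include the parent's UID."""
    uid = parent["metadata"]["uid"]
    return [c for c in children
            if any(r.get("uid") == uid
                   for r in c["metadata"].get("ownerReferences", []))]


def condition(obj: dict, ctype: str) -> Optional[dict]:
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == ctype:
            return c
    return None


def diagnose(certs, requests, orders, challenges) -> Dict[str, str]:
    """Map each Certificate that is not Ready to its deepest blocking status."""
    report: Dict[str, str] = {}
    for cert in certs:
        ready = condition(cert, "Ready")
        if ready is not None and ready.get("status") == "True":
            continue  # issued, nothing to triage
        reasons = []
        for req in owned_by(requests, cert):
            ords = owned_by(orders, req)
            if not ords:  # request exists but no Order yet: report its own condition
                reasons.append(f"CertificateRequest {ns_name(req)}: "
                               f"{(condition(req, 'Ready') or {}).get('message')}")
            for order in ords:
                chals = owned_by(challenges, order)
                if not chals:
                    reasons.append(f"Order {ns_name(order)} state="
                                   f"{order.get('status', {}).get('state')}, no Challenge yet")
                for ch in chals:  # the Challenge carries the actual reason
                    st = ch.get("status", {})
                    reasons.append(f"Challenge {ns_name(ch)} type={ch['spec'].get('type')} "
                                   f"state={st.get('state')} reason={st.get('reason')!r}")
        if not reasons:
            reasons.append(f"Certificate: {(ready or {}).get('message')}")
        report[ns_name(cert)] = "; ".join(reasons)
    return report


def secret_collisions(issuers: List[dict], certs: List[dict]) -> List[str]:
    """Added sanity check: a namespaced Issuer whose ACME account-key Secret
    (spec.acme.privateKeySecretRef) is also a Certificate's secretName in the
    same namespace; both controllers write a private key to that Secret's tls.key."""
    hits = []
    for iss in issuers:
        acct = iss.get("spec", {}).get("acme", {}).get("privateKeySecretRef", {}).get("name")
        for cert in certs:
            if (acct and cert["spec"].get("secretName") == acct
                    and cert["metadata"]["namespace"] == iss["metadata"]["namespace"]):
                hits.append(f"{ns_name(iss)} and {ns_name(cert)} share Secret {acct!r}")
    return hits


# Constructed sample objects mirroring the pending dns-01 order in the question.
def _obj(kind, ns, name, uid, owner=None, **rest):
    meta = {"namespace": ns, "name": name, "uid": uid}
    if owner is not None:
        meta["ownerReferences"] = [{"kind": owner["kind"], "name": owner["metadata"]["name"],
                                    "uid": owner["metadata"]["uid"]}]
    return {"kind": kind, "metadata": meta, **rest}


CERT = _obj("Certificate", "cert-manager", "test-cert", "uid-cert",
            spec={"secretName": "test-cert"},
            status={"conditions": [{"type": "Ready", "status": "False",
                                    "message": "Issuing certificate as Secret does not exist"}]})
REQ = _obj("CertificateRequest", "cert-manager", "test-cert-zqbwz", "uid-req", CERT, spec={},
           status={"conditions": [{"type": "Ready", "status": "False",
                                   "message": "Waiting on certificate issuance from order"}]})
ORDER = _obj("Order", "cert-manager", "test-cert-zqbwz-2027085711", "uid-order", REQ,
             spec={}, status={"state": "pending"})
CHALLENGE = _obj("Challenge", "cert-manager", "test-cert-zqbwz-2027085711-0", "uid-chal", ORDER,
                 spec={"type": "dns-01", "dnsName": "test.example.com"},
                 status={"state": "pending", "reason": "Waiting for DNS-01 challenge propagation"})

if __name__ == "__main__":
    # Against a live cluster, replace the samples with load_kind("certificate") etc.
    for name, why in diagnose([CERT], [REQ], [ORDER], [CHALLENGE]).items():
        print(name, "->", why)
```

Against a live cluster, `load_kind("certificate")`, `load_kind("certificaterequest")`, `load_kind("order")` and `load_kind("challenge")` feed `diagnose` directly; a Challenge whose reason mentions propagation, together with a TXT record that is visible in Route53, usually means the resolver cert-manager uses has not yet seen the record, which is a different thing from the record not existing.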

Cert Manager Challenge Pending Kubernetes

I have it working on one site application I already set up and now I am just trying to replicate the exact same thing for a different site/domain in another namespace.
So staging.correct.com is my working https domain
and staging.example.com is my not working https domain (http works - just not https)
When I do the following it shows 3 certs, the working one for correct and then 2 for the example.com when it should only have one for example:
kubectl get -A certificate
correct staging-correct-com True staging-correct-com-tls 10d
example staging-example-com False staging-example-com-tls 16h
example staging-example-website-com False staging-example-com-tls 17h
When I do:
kubectl get -A certificaterequests
It shows 2 certificate requests for the example
example staging-example-com-nl46v False 15h
example staging-example-website-com-plhqb False 15h
When I do:
kubectl get ingressroute -A
NAMESPACE NAME AGE
correct correct-ingress-route 10d
correct correct-secure-ingress-route 6d22h
kube-system traefik-dashboard 26d
example example-website-ingress-route 15h
example example-website-secure-ingress-route 15h
routing dashboard 29d
routing traefik-dashboard 6d21h
When I do:
kubectl get secrets -A (just showing the relevant ones)
correct default-token-bphcm kubernetes.io/service-account-token
correct staging-correct-com-tls kubernetes.io/tls
example default-token-wx9tx kubernetes.io/service-account-token
example staging-example-com-tls Opaque
example staging-example-com-wf224 Opaque
example staging-example-website-com-rzrvw Opaque
Logs from cert manager pod:
1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "msg"="found one existing HTTP01 solver ingress" "dnsName"="staging.example.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-bqjsj" "related_resource_namespace"="example" "related_resource_version"="v1beta1" "resource_kind"="Challenge" "resource_name"="staging-example-com-ltjl6-1661100417-771202110" "resource_namespace"="example" "resource_version"="v1" "type"="HTTP-01"
When I do:
kubectl get challenge -A
example staging-example-com-nl46v-1661100417-2848337980 staging.example.com 15h
example staging-example-website-com-plhqb-26564845-3987262508 pending staging.example.com
When I do: kubectl get order -A
NAMESPACE NAME STATE AGE
example staging-example-com-nl46v-1661100417 pending 17h
example staging-example-website-com-plhqb-26564845 pending 17h
My yml files:
My ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: example
  name: example-website-ingress-route
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.frontend.redirect.entryPoint: https
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`staging.example.com`)
    middlewares:
    - name: https-only
    kind: Rule
    services:
    - name: example-website
      namespace: example
      port: 80
my issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer-staging
  namespace: example
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: example@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: staging-example-com-tls
    # Enable the HTTP-01 challenge provider
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - http01:
        ingress:
          class: traefik
my middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-only
  namespace: example
spec:
  redirectScheme:
    scheme: https
    permanent: true
my secure ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: example
  name: example-website-secure-ingress-route
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.frontend.redirect.entryPoint: https
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`staging.example.com`)
    kind: Rule
    services:
    - name: example-website
      namespace: example
      port: 80
  tls:
    domains:
    - main: staging.example.com
    options:
      namespace: example
    secretName: staging-example-com-tls
my service:
apiVersion: v1
kind: Service
metadata:
  namespace: example
  name: 'example-website'
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    name: http
    port: 80
    targetPort: 80
  - protocol: TCP
    name: https
    port: 443
    targetPort: 80
  selector:
    app: 'example-website'
my solver:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: staging-example-com
  namespace: example
spec:
  secretName: staging-example-com-tls
  issuerRef:
    name: example-issuer-staging
    kind: Issuer
  commonName: staging.example.com
  dnsNames:
  - staging.example.com
my app:
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  namespace: example
  name: 'example-website'
  labels:
    app: 'example-website'
    tier: 'frontend'
spec:
  replicas: 1
  selector:
    matchLabels:
      app: 'example-website'
  template:
    metadata:
      labels:
        app: 'example-website'
    spec:
      containers:
      - name: example-website-container
        image: richarvey/nginx-php-fpm:1.10.3
        imagePullPolicy: Always
        env:
        - name: SSH_KEY
          value: 'secret'
        - name: GIT_REPO
          value: 'url of source code for site'
        - name: GIT_EMAIL
          value: 'example@example.com'
        - name: GIT_NAME
          value: 'example'
        ports:
        - containerPort: 80
How can I delete all these secrets, orders, certificates and stuff in the example namespace and try again? Does cert-manager let you do this without restarting them continuously?
EDIT:
I deleted the namespace and redeployed, then:
kubectl describe certificates staging-example-com -n example
Spec:
Common Name: staging.example.com
Dns Names:
staging.example.com
Issuer Ref:
Kind: Issuer
Name: example-issuer-staging
Secret Name: staging-example-com-tls
Status:
Conditions:
Last Transition Time: 2020-09-26T21:25:06Z
Message: Issuing certificate as Secret does not contain a certificate
Reason: MissingData
Status: False
Type: Ready
Last Transition Time: 2020-09-26T21:25:07Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: staging-example-com-gnbl4
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 3m10s cert-manager Issuing certificate as Secret does not exist
Normal Reused 3m10s cert-manager Reusing private key stored in existing Secret resource "staging-example-com-tls"
Normal Requested 3m9s cert-manager Created new CertificateRequest resource "staging-example-com-qrtfx"
So then I did:
kubectl describe certificaterequest staging-example-com-qrtfx -n example
Status:
Conditions:
Last Transition Time: 2020-09-26T21:25:10Z
Message: Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 8m17s cert-manager Created Order resource example/staging-example-com-qrtfx-1661100417
Normal OrderPending 8m17s cert-manager Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: ""
So I did:
kubectl describe challenges staging-example-com-qrtfx-1661100417 -n example
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 11m cert-manager Challenge scheduled for processing
Normal Presented 11m cert-manager Presented challenge using HTTP-01 challenge mechanism
I figured it out. The issue seems to be that IngressRoute (which is used in Traefik) does not work with cert-manager. I just deployed this file, then the HTTP check was confirmed, then I could delete it again. Hope this helps others with the same issue.
It seems cert-manager does support IngressRoute, which is in Traefik? I opened the issue here, so let's see what they say: https://github.com/jetstack/cert-manager/issues/3325
kubectl apply -f example-ingress.yml
File:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  namespace: example
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
spec:
  rules:
  - host: staging.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: example-website
          servicePort: 80
  tls:
  - hosts:
    - staging.example.com
    secretName: staging-example-com-tls
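The "wrong status code '404', expected '200'" reason in this thread, and the "Key"/"Token" fields on the Challenge in the first thread on this page, both come from the same mechanism: cert-manager serves the ACME key authorization (token, a dot, and the RFC 7638 thumbprint of the account's public key) at /.well-known/acme-challenge/<token> and, before asking the CA to validate, fetches that URL itself and insists on HTTP 200 with exactly that body. The following is an added example, not cert-manager's or Let's Encrypt's code, that reproduces that self-check offline so you can confirm what the solver ingress is supposed to return from outside the cluster. The account JWK and the token are constructed placeholders, not real ACME material; `fetch` is the only part that touches the network.

```python
"""HTTP-01 key-authorization self-check.

Added example, not cert-manager's or Let's Encrypt's code. The "Key" field on
a cert-manager Challenge is the ACME key authorization <token>.<thumbprint>,
where the thumbprint is the base64url SHA-256 of the ACME account public key
(RFC 7638, RFC 8555 section 8.1). cert-manager's self-check fetches
http://<dnsName>/.well-known/acme-challenge/<token> and only proceeds on
HTTP 200 with exactly that body. The sample key and token are constructed.
"""
import base64
import hashlib
import json
import urllib.error
import urllib.request
from typing import Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the solver must serve (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(dns_name: str, token: str) -> str:
    return f"http://{dns_name}/.well-known/acme-challenge/{token}"


def self_check(status: int, body: bytes, token: str, account_jwk: dict) -> Tuple[bool, str]:
    """Acceptance rule of the solver's self-check: 200 and body == key authorization
    (trailing whitespace ignored, as RFC 8555 section 8.3 permits)."""
    if status != 200:
        return False, f"wrong status code '{status}', expected '200'"
    if body.decode("utf-8", "replace").rstrip() != key_authorization(token, account_jwk):
        return False, "body does not match the expected key authorization"
    return True, "ok"


def fetch(dns_name: str, token: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """GET the challenge URL over plain HTTP, as the CA and the self-check do,
    returning (status, body) and turning a 404 into a result instead of an exception."""
    try:
        with urllib.request.urlopen(challenge_url(dns_name, token), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample account key (not a real RSA modulus) and challenge token.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
                      "n": b64url(b"constructed-modulus-for-illustration-only")}
SAMPLE_TOKEN = "constructedTokenAbc123"

if __name__ == "__main__":
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("expected body:", expected)
    # What the self-check saw in the question: the solver ingress was never routed.
    print(self_check(404, b"404 page not found", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print(self_check(200, expected.encode() + b"\n", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

With a real account, the JWK is the public half of the key stored in the Issuer's privateKeySecretRef Secret and the token comes from `kubectl get challenge -o yaml`; `self_check(*fetch(dns_name, token), token, jwk)` then tells you whether the path is reachable and serving the right body. A 404 with a correctly presented Challenge, as in this thread, points at routing (the `cm-acme-http-solver-*` Ingress never being picked up by the ingress controller) rather than at cert-manager itself.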