Cert-Manager dns01 challenge order pending - kubernetes

Followed the steps mentioned at https://cert-manager.io/docs/installation/kubernetes/
# Kubernetes 1.16+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml
$ kubectl -n cert-manager get pods
NAME READY STATUS RESTARTS AGE
cert-manager-958cb7d4d-m62xm 1/1 Running 0 137m
cert-manager-cainjector-8495f7f6c9-56ck6 1/1 Running 0 137m
cert-manager-webhook-5dcdfbd9d4-6mw74 1/1 Running 0 137m
ClusterIssuer
% kubectl -n cert-manager describe ClusterIssuer letsencrypt
Name: letsencrypt
Namespace:
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt"},"spec":{"acme":{"email"...
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2020-10-21T17:31:16Z
Generation: 1
Resource Version: 120254050
Self Link: /apis/cert-manager.io/v1/clusterissuers/letsencrypt
UID: fe54ce07-61be-446f-9db1-4745b742ac71
Spec:
Acme:
Email: admin@example.com
Preferred Chain:
Private Key Secret Ref:
Name: letsencrypt-test-key
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
dns01:
route53:
Access Key ID: ####
Hosted Zone ID: ####
Region: us-west-2
Secret Access Key Secret Ref:
Key: secret_key
Name: aws-secret
Selector:
Dns Zones:
example.com
Status:
Acme:
Last Registered Email: admin@example.com
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/98054390
Conditions:
Last Transition Time: 2020-10-21T17:31:16Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
Certificate
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-cert
  namespace: cert-manager
spec:
  commonName: '*.test.example.com'
  secretName: test-cert
  dnsNames:
  - '*.test.example.com'
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
$ kubectl -n cert-manager get certificate
NAME READY SECRET AGE
test-cert False test-cert 65m
$ kubectl -n cert-manager describe certificate test-cert
Name: test-cert
Namespace: cert-manager
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2020-10-21T17:31:23Z
Generation: 1
Resource Version: 120254080
Self Link: /apis/cert-manager.io/v1/namespaces/cert-manager/certificates/test-cert
UID: 82148eee-5f4b-47d7-a09a-407e4d041101
Spec:
Common Name: *.test.example.com
Dns Names:
*.test.example.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt
Secret Name: test-cert
Status:
Conditions:
Last Transition Time: 2020-10-21T17:31:23Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2020-10-21T17:31:23Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: test-cert-gqhmj
CertificateRequest
$ kubectl -n cert-manager get CertificateRequest
NAME READY AGE
test-cert-zqbwz False 67m
$ kubectl -n cert-manager describe CertificateRequest test-cert-zqbwz
Name: test-cert-zqbwz
Namespace: cert-manager
Labels: <none>
Annotations: cert-manager.io/certificate-name: test-cert
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: test-cert-gqhmj
kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2020-10-21T17:31:24Z
Generate Name: test-cert-
Generation: 1
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: test-cert
UID: 82148eee-5f4b-47d7-a09a-407e4d041101
Resource Version: 120254090
Self Link: /apis/cert-manager.io/v1/namespaces/cert-manager/certificaterequests/test-cert-zqbwz
UID: bb9d218d-084d-40a5-8f83-46ca5ac4f70a
Spec:
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSR...Q0FURSBSRVFVRVNULS0tLS0K
Status:
Conditions:
Last Transition Time: 2020-10-21T17:31:24Z
Message: Waiting on certificate issuance from order cert-manager/test-cert-zqbwz-2027085711: "pending"
Reason: Pending
Status: False
Type: Ready
Events: <none>
Order:
$ kubectl -n cert-manager get order
NAME STATE AGE
test-cert-zqbwz-2027085711 pending 68m
$ kubectl -n cert-manager describe order test-cert-zqbwz-2027085711
Name: test-cert-zqbwz-2027085711
Namespace: cert-manager
Labels: <none>
Annotations: cert-manager.io/certificate-name: test-cert
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: test-cert-gqhmj
kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2020-10-21T17:31:24Z
Generation: 1
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: test-cert-zqbwz
UID: bb9d218d-084d-40a5-8f83-46ca5ac4f70a
Resource Version: 120254091
Self Link: /apis/acme.cert-manager.io/v1/namespaces/cert-manager/orders/test-cert-zqbwz-2027085711
UID: 622c3ce4-fa2f-484f-a280-c125e09e37d3
Spec:
Common Name: *.test.example.com
Dns Names:
*.test.example.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBS...USUZJQ0FURSBSRVFVRVNULS0tLS0K
Status:
Authorizations:
Challenges:
Token: QCbSEvy4g6wIHpcOyU4UkIES9TtBoKMuOOyYNVsJ13w
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8048950916/RQu94g
Identifier: test.example.com
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8048950916
Wildcard: true
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/68054360/5803374286
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/68054360/5803374286
Events: <none>
Why is the certificate order in pending state? In Route53 I do see that the TXT record for _acme-challenge.test.example.com has been created.
What am I missing in my setup here?

Probably the same situation
Waiting on certificate issuance from order status "pending"
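An added example, not code from the question or from cert-manager: it recomputes the DNS-01 TXT value Let's Encrypt will look for (base64url of SHA-256 over token '.' account-key thumbprint, RFC 8555 section 8.4) from the Challenge token and the public JWK of the ACME account key, so the record in Route53 can be compared against it before the Order is retried; HTTP-01 is covered as well, since its expected body is the key authorization itself. The JWK modulus and the observed TXT answers are constructed placeholders; only the token is taken from the Order above.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the only encoding ACME (RFC 8555) accepts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required JWK
    members only, serialised with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' thumbprint: the value an HTTP-01 responder must serve verbatim at
    /.well-known/acme-challenge/<token> (cert-manager keeps it in Challenge.spec.key)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth: str) -> str:
    """DNS-01: the TXT record holds base64url(SHA-256(key authorization)), not the
    key authorization itself."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def dns01_record_name(dns_name: str) -> str:
    """_acme-challenge.<name>; a wildcard is validated at its base name, which is why
    the Order for *.test.example.com shows Identifier test.example.com."""
    base = dns_name[2:] if dns_name.startswith("*.") else dns_name
    return f"_acme-challenge.{base}"


def expected_response(challenge_type: str, key_auth: str) -> str:
    """What the CA's validator must observe for a given challenge type."""
    ctype = challenge_type.lower()
    if ctype == "http-01":
        return key_auth
    if ctype == "dns-01":
        return dns01_txt_value(key_auth)
    raise ValueError(f"unsupported challenge type {challenge_type!r}")


def check_challenge(challenge_type: str, key_auth: str, observed) -> tuple:
    """Compare the expected value with what dig or curl returned. TXT answers come back
    quoted, and a zone may still carry records from earlier orders, so each observed
    string is unquoted and the check passes if any one of them matches.
    Returns (matched, expected_value)."""
    expected = expected_response(challenge_type, key_auth)
    seen = {v.strip().strip('"') for v in observed}
    return expected in seen, expected


if __name__ == "__main__":
    # Constructed input: the token is the one from the Order above; the RSA modulus is
    # a placeholder, not a real key. Export the real public JWK from the secret named
    # in the issuer's privateKeySecretRef before comparing against Route53.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-placeholder"}
    token = "QCbSEvy4g6wIHpcOyU4UkIES9TtBoKMuOOyYNVsJ13w"
    key_auth = key_authorization(token, jwk_thumbprint(jwk))
    print("record  :", dns01_record_name("*.test.example.com"))
    print("expected:", dns01_txt_value(key_auth))
    # Simulated `dig +short TXT _acme-challenge.test.example.com` answer: only a stale
    # value from an earlier order, so the check fails the way a stuck Order would.
    matched, _ = check_challenge("dns-01", key_auth, ['"stale-value-from-an-older-order"'])
    print("matched :", matched)
```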

Related

Digital Ocean Kubernetes: Cert-Manager Certificate creation stuck at Created new CertificateRequest resource

I am following this tutorial to use a trusted TLS certificate in my ingress rules. All works, however
kubectl describe certificate quickstart-example-tls
shows that it gets stuck at Created new CertificateRequest resource
....
Status:
Conditions:
Last Transition Time: 2022-02-08T10:00:01Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2022-02-08T10:00:02Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: quickstart-example-tls-d87r6
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 21m cert-manager Issuing certificate as Secret does not exist
Normal Generated 21m cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-d87r6"
Normal Requested 21m cert-manager Created new CertificateRequest resource "quickstart-example-tls-kxwqd"
First let me share my ingress rules and Issuers:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: www.<Domain>.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: flask
            port:
              number: 5000
I set up DNS (in digital ocean) rules so curling (via web) works.
curl "http://www.<Domain>.net"
<p>Hello, World!</p>%
Here my issuer file:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <MY-EMAIL>
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
# kubectl get issuer
NAME READY AGE
letsencrypt-staging True 26s
Now I update my ingress rule and start the challenge:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-ingress
  annotations:
    cert-manager.io/issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - www.<DOMAIN>.net
    secretName: quickstart-example-tls
  ingressClassName: nginx
  rules:
  - host: www.<DOMAIN>.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: flask
            port:
              number: 5000
#kubectl get certificate
NAME READY SECRET AGE
quickstart-example-tls False quickstart-example-tls 88s
Here the detailed output:
#kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2022-02-08T10:34:40Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:ownerReferences:
.:
k:{"uid":"<UID>"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:dnsNames:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:secretName:
f:usages:
f:status:
.:
f:conditions:
f:nextPrivateKeySecretName:
Manager: controller
Operation: Update
Time: 2022-02-08T10:34:41Z
Owner References:
API Version: networking.k8s.io/v1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: flask-ingress
UID: <UID>
Resource Version: 321990
UID: <UID>
Spec:
Dns Names:
www.<DOMAIN>.net
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Usages:
digital signature
key encipherment
Status:
Conditions:
Last Transition Time: 2022-02-08T10:34:40Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Last Transition Time: 2022-02-08T10:34:40Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Next Private Key Secret Name: quickstart-example-tls-w4psf
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 2m14s cert-manager Issuing certificate as Secret does not exist
Normal Generated 2m13s cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-w4psf"
Normal Requested 2m13s cert-manager Created new CertificateRequest resource "quickstart-example-tls-znhlv"
So this is where things get stuck and I don't know why.
# kubectl describe certificaterequest quickstart-example-tls
Name: quickstart-example-tls-znhlv
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: quickstart-example-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: quickstart-example-tls-w4psf
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2022-02-08T10:34:41Z
Generate Name: quickstart-example-tls-
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:cert-manager.io/certificate-name:
f:cert-manager.io/certificate-revision:
f:cert-manager.io/private-key-secret-name:
f:generateName:
f:ownerReferences:
.:
k:{"uid":"<UID>"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:request:
f:usages:
f:status:
.:
f:conditions:
Manager: controller
Operation: Update
Time: 2022-02-08T10:34:41Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: quickstart-example-tls
UID: <UID>
Resource Version: 322003
UID: <UID>
Spec:
Extra:
authentication.kubernetes.io/pod-name:
cert-manager-6d8d028374dbb-f43n7
authentication.kubernetes.io/pod-uid:
<UID>
Groups:
system:serviceaccounts
system:serviceaccounts:cert-manager
system:authenticated
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-staging
Request: <Request ID>
UID: <UID>
Usages:
digital signature
key encipherment
Username: system:serviceaccount:cert-manager:cert-manager
Status:
Conditions:
Last Transition Time: 2022-02-08T10:34:41Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2022-02-08T10:34:43Z
Message: Waiting on certificate issuance from order default/quickstart-example-tls-znhlv-138543614: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 4m54s cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 4m53s cert-manager Created Order resource default/quickstart-example-tls-znhlv-138543614
Having a look at the challenge, all seems to work.
# kubectl describe challenges --all-namespaces
Name: quickstart-example-tls-znhlv-138543614-1891152753
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2022-02-08T10:34:44Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.acme.cert-manager.io":
f:ownerReferences:
.:
k:{"uid":"<UID>"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:authorizationURL:
f:dnsName:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:key:
f:solver:
.:
f:http01:
.:
f:ingress:
.:
f:class:
f:token:
f:type:
f:url:
f:wildcard:
f:status:
.:
f:presented:
f:processing:
f:reason:
f:state:
Manager: controller
Operation: Update
Time: 2022-02-08T10:34:46Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: quickstart-example-tls-znhlv-138543614
UID: <UID>
Resource Version: 322038
UID: <UID>
Spec:
Authorization URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<NR>
Dns Name: www.<DOMAIN>.net
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-staging
Key: <SOMEKEY>
Solver:
http01:
Ingress:
Class: nginx
Token: <SOMEToken>
Type: HTTP-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/<NR>/<CODE>
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>': Get "http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>": EOF
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 6m18s cert-manager Challenge scheduled for processing
Normal Presented 6m17s cert-manager Presented challenge using HTTP-01 challenge mechanism
#curl "http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>"
<SOMEKEY>%
All seems to be fine, but I do not get the certificate?
A couple of additional things:
I use digital ocean managed kubernetes 1.21
I installed ingress-nginx via UI in digital ocean to namespace ingress-nginx
I use cert-manager 1.7
#kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-6d8d6b5dbb-f4xn7 1/1 Running 0 47h
cert-manager-cainjector-d6cbc4d9-g6j8c 1/1 Running 0 47h
cert-manager-webhook-85fb68c79b-sv8pb 1/1 Running 0 47h
Looking at the logs from cert-manager, I see that the GET request failed, although it actually works.
# kubectl logs cert-manager-6d8d6b5dbb-f4xn7 -n cert-manager
E0208 15:07:31.660877 1 sync.go:186] cert-manager/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>': Get \"http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>\": EOF" "dnsName"="www.<DOMAIN>.net" "resource_kind"="Challenge" "resource_name"="quickstart-example-tls-znhlv-138543614-1891152753" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"
@Rychu linked me to the answer here. This also goes back to step 5 of this post.
For my case I did the following:
Added a DNS entry on Digital Ocean for "workaround.<DOMAIN>.net" pointing to my load balancer, and then updated my ingress controller service:
cat ingress_nginx_svc.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    service.beta.kubernetes.io/do-loadbalancer-hostname: "workaround.<DOMAIN>.net"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 1.0.4
    helm.sh/chart: ingress-nginx-4.0.6
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  ports:
  - appProtocol: http
    name: http
    nodePort: 31799
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 32533
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
kubectl apply -f ingress_nginx_svc.yaml
Then you should see something like this:
# kubectl describe certificate
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 15m cert-manager Issuing certificate as Secret does not exist
Normal Generated 15m cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-zj57f"
Normal Requested 15m cert-manager Created new CertificateRequest resource "quickstart-example-tls-gc599"
Normal Issuing 8m3s cert-manager Issuing certificate as Secret was previously issued by Issuer.cert-manager.io/letsencrypt-staging
Normal Reused 8m2s cert-manager Reusing private key stored in existing Secret resource "quickstart-example-tls"
Normal Requested 8m2s cert-manager Created new CertificateRequest resource "quickstart-example-tls-55xcw"
Normal Issuing 7m33s (x2 over 11m) cert-manager The certificate has been successfully issued
That solved my problem! Thanks again @Rychu for pointing me to that.

No valid certificates for cert-manager in k8s. Pending order

For some reason my certificates cannot be applied to my k8s cluster. I can see that general traffic flow is running, i.e. using http my site is up and running.
I'm using:
kubernetes 1.22
cert-manager 1.6.1
My ingress file looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: web
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-production"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.org/websocket-services: web
    nginx.ingress.kubernetes.io/websocket-services: web
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - some.example.com
    secretName: example-tls
  rules:
  - host: some.example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: web
            port:
              number: 80
ClusterIssuer (letsencrypt-production) file is:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    email: services@chimeraprime.com
    privateKeySecretRef:
      name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
status:
  acme:
    lastRegisteredEmail: email@mycompany.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/355122560
  conditions:
  - lastTransitionTime: "2022-01-08T17:45:55Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
The order is in pending state. Below is the info from kubectl describe:
Name: web-web-tls-h4pn7-1463892238
Namespace: web
Labels: <none>
Annotations: cert-manager.io/certificate-name: web-web-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: web-web-tls-pnrb9
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2022-01-10T21:20:47Z
Generation: 1
Manager: controller
Operation: Update
Time: 2022-01-10T21:20:47Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:authorizations:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Subresource: status
Time: 2022-01-10T21:20:47Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: web-web-tls-h4pn7
UID: 356d2130-bb03-4cba-a751-cff5904b331c
Resource Version: 32432743
UID: 7ae44312-9565-4656-bc71-6a921f8d899f
Spec:
Dns Names:
some.example.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-production
Request: [...]
Status:
Authorizations:
Challenges:
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/HF2Iag
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/sifuZA
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/NuJ8Yw
Identifier: some.example.com
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/66966354360
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/355122560/54310290910
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/355122560/54310290910
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 29m cert-manager Created Challenge resource "web-web-tls-h4pn7-1463892238-998650753" for domain "finkn.chimerapri.me"
The created challenge has no state:
Name: web-web-tls-h4pn7-1463892238-998650753
Namespace: web
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2022-01-10T21:20:47Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Manager: controller
Operation: Update
Time: 2022-01-10T21:20:47Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: web-web-tls-h4pn7-1463892238
UID: 7ae44312-9565-4656-bc71-6a921f8d899g
Resource Version: 32432749
UID: 559a5ce8-d181-423a-9706-6e7532c433ef
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/66966354360
Dns Name: some.example.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-production
Key: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8U.ZeoVv0hyPHZ3wO-p2vQVZWEvuU3Ti8DQSsrUIGlwP1d
Solver:
http01:
Ingress:
Class: nginx
Token: MA2X6cC5s4KehiEhNPANFDAEgjzHTgDlh5JVjvqjJ8W
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/66966354360/HF2Iag
Wildcard: false
Events: <none>
What am I missing here? I've recently upgraded cert-manager from 1.0.1 to 1.6.1, and since then I'm seeing this kind of issue.
[EDIT] I can see no logs related to this site in the cert-manager pod logs.

Error "connect: connection refused" trying to fulfill acme challenge

I am pretty new to k8s and currently I am trying to set up a K8s cluster on a bare-metal server with a public IP.
However, during the validation process Let's Encrypt cannot access the cluster. After following the troubleshooting steps I found the following error: "Connection refused"
I set up my cluster with kubespray
K8s version: v1.22.4
Cert-Manager:
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
Nginx-Ingress-Controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/v1.0.4/deploy/static/provider/baremetal/deploy.yaml
ClusterIssuer:
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
  #namespace: cert-manager
  namespace: default
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: dav@my-company.com
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
    - http01:
        ingress:
          class: nginx
Certificate.yml:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-app
  namespace: default
  #namespace: cert-manager
spec:
  dnsNames:
  - {real-dns}.com
  secretName: example-app-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    #name: letsencrypt-staging
    kind: ClusterIssuer
After running kubectl get all -n default, I got
root@node1:~# kubectl get all -n default
NAME READY STATUS RESTARTS AGE
pod/cm-acme-http-solver-2vx5w 1/1 Running 0 8s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cm-acme-http-solver-gp2f6 NodePort 10.233.13.8 <none> 8089:30158/TCP 8s
service/kubernetes ClusterIP 10.233.0.1 <none> 4
I think maybe the cert-manager could not create an issuer for the service cm-acme-http-solver-gp2f6?
Can someone please give me a hint on how I can solve the problem?
Many thanks in advance.
Edit:
These are also the debug steps I tried:
clusterissuer:
root@node1:~# kubectl describe clusterissuer letsencrypt-cluster-issuer
Name: letsencrypt-cluster-issuer
Namespace:
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2021-12-16T17:35:30Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:spec:
.:
f:acme:
.:
f:email:
f:privateKeySecretRef:
.:
f:name:
f:server:
f:solvers:
Manager: OpenAPI-Generator
Operation: Update
Time: 2021-12-16T17:35:30Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:acme:
.:
f:lastRegisteredEmail:
f:uri:
f:conditions:
Manager: controller
Operation: Update
Time: 2021-12-16T17:35:31Z
Resource Version: 230199
UID: 95d183fb-c50e-49ed-83fb-98ceee0f1b7a
Spec:
Acme:
Email: #######.com
Preferred Chain:
Private Key Secret Ref:
Name: letsencrypt-cluster-issuer-key
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
http01:
Ingress:
Class: nginx
Status:
Acme:
Last Registered Email: trang@my-company.com
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/322624000
Conditions:
Last Transition Time: 2021-12-16T17:35:31Z
Message: The ACME account was registered with the ACME server
Observed Generation: 1
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
CertificateRequest:
root@node1:~# kubectl describe CertificateRequest example-app-w59ng
Name: example-app-w59ng
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: example-app
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: example-app-qddzv
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2021-12-22T14:07:00Z
Generate Name: example-app-
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:conditions:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: example-app
UID: 5c47b8a9-c076-4387-b117-bb4b1864448d
Resource Version: 1520892
UID: 2fe3875a-4b4d-4139-bef4-820679f8356e
Spec:
Extra:
authentication.kubernetes.io/pod-name:
cert-manager-7c6f78c46d-8r9n7
authentication.kubernetes.io/pod-uid:
5f7638e9-27e8-4a3f-b149-96e9a88d0c74
Groups:
system:serviceaccounts
system:serviceaccounts:cert-manager
system:authenticated
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Request: [...]
UID: 8dfc1be6-2e0b-4a2e-8087-a274110c4b74
Username: system:serviceaccount:cert-manager:cert-manager
Status:
Conditions:
Last Transition Time: 2021-12-22T14:07:00Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2021-12-22T14:07:00Z
Message: Waiting on certificate issuance from order default/example-app-w59ng-1045993216: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 4m42s cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 4m42s cert-manager Created Order resource default/example-app-w59ng-1045993216
Order:
root@node1:~# kubectl describe order example-app-w59ng-1045993216
Name: example-app-w59ng-1045993216
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: example-app
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: example-app-qddzv
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2021-12-22T14:07:00Z
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:authorizations:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:00Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: example-app-w59ng
UID: 2fe3875a-4b4d-4139-bef4-820679f8356e
Resource Version: 1520893
UID: 4bb32a01-71ee-43ce-976d-072a718fcc98
Spec:
Dns Names:
###.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Request: [...]
Status:
Authorizations:
Challenges:
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/PllHuQ
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/AYdl0A
Token: rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/DRK6xg
Identifier: cranberry-soft.de
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/58799104090
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/322624000/47528833830
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/322624000/47528833830
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 21m cert-manager Created Challenge resource "example-app-w59ng-1045993216-247428591" for domain "###.com"
Challenge:
root@node1:~# kubectl describe Challenge example-app-w59ng-1045993216-247428591
Name: example-app-w59ng-1045993216-247428591
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2021-12-22T14:07:01Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:presented:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:02Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:reason:
Manager: controller
Operation: Update
Time: 2021-12-22T14:07:02Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: example-app-w59ng-1045993216
UID: 4bb32a01-71ee-43ce-976d-072a718fcc98
Resource Version: 1520918
UID: 4cde9b13-e7af-4fbb-ac60-b25e977108a3
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/58799104090
Dns Name: ###.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-cluster-issuer
Key: [...]
Solver:
http01:
Ingress:
Class: nginx
Token: [...]
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/58799104090/PllHuQ
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://###.com/.well-known/acme-challenge/rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs': Get "http://###.com/.well-known/acme-challenge/rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs": dial tcp xx.xx.xx.xx:80: connect: connection refused
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 29m cert-manager Challenge scheduled for processing
Normal Presented 29m cert-manager Presented challenge using HTTP-01 challenge mechanism
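The Reason line in that Challenge is cert-manager's own pre-flight, not the ACME server's verdict: before it tells Let's Encrypt to validate, the controller itself GETs http://<dnsName>/.well-known/acme-challenge/<token> and expects HTTP 200 with the key authorization as the body. "connection refused" means the name resolved (to the xx.xx.xx.xx shown) but nothing accepted a TCP connection on port 80 from inside the cluster, so the things to check are the ingress controller's Service or LoadBalancer on port 80, any firewall in front of it, and whether a pod can reach that IP at all (hairpin NAT through a cloud load balancer is not always possible). The following is an added example, not code from the post or from cert-manager, that reproduces the check in Python against a local stand-in for the cm-acme-http-solver pod. The token is the one from the Challenge above, the account JWK is made up, and the three outcomes it walks are the 200 the controller wants, the 404 a misrouted request gets, and the connection refused from the post.

```python
"""Added example (not from the post or from cert-manager): reproduce the
HTTP-01 self check cert-manager runs before asking the ACME server to
validate, against a local stand-in for the cm-acme-http-solver pod."""
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"
# Bypass any http_proxy in the environment; the controller dials the host directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: base64url(SHA-256) over the
    required public members, serialised with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk: dict) -> str:
    """The body the solver must serve: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def self_check(url: str, expected: str, timeout: float = 3.0) -> Tuple[bool, str]:
    """Mirror the controller's check: HTTP 200 and a body equal to the key
    authorization. Returns (ok, reason) worded like the Challenge status.reason."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace").strip()
    except urllib.error.HTTPError as err:        # something answered, wrong status (e.g. 404)
        return False, f"wrong status code '{err.code}', expected '200'"
    except urllib.error.URLError as err:         # nothing listening, DNS failure, connect timeout
        return False, f"failed to perform self check GET request '{url}': {err.reason}"
    except OSError as err:                       # read timeout and friends
        return False, f"failed to perform self check GET request '{url}': {err}"
    if body != expected:
        return False, "response body is not the expected key authorization"
    return True, "self check passed"


def start_solver(token: str, key_auth: str):
    """Stand-in for cm-acme-http-solver: serves key_auth for its one token and
    404 for anything else. Returns (server, port); call server.shutdown() when done."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PATH + token:
                payload = key_auth.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_error(404)

        def log_message(self, *args):            # keep the example quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port() -> int:
    """A loopback port with nothing listening, to reproduce 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


# Constructed inputs: the token from the Challenge above; the JWK is made up
# (not a real key), which is enough for the thumbprint arithmetic.
TOKEN = "rloCCUdQXQx_r9idENjxwXBfPn0DpJ7S8f5Ca5YTZzs"
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk the three outcomes a Challenge's status.reason can show."""
    key_auth = key_authorization(TOKEN, ACCOUNT_JWK)
    server, port = start_solver(TOKEN, key_auth)
    base = f"http://127.0.0.1:{port}{CHALLENGE_PATH}"
    results = {
        "served": self_check(base + TOKEN, key_auth),
        "not_routed": self_check(base + "some-other-token", key_auth),
        "refused": self_check(f"http://127.0.0.1:{free_port()}{CHALLENGE_PATH}{TOKEN}", key_auth),
    }
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok}  {reason}")
```

Run it as-is to see the three outcomes. To repeat the controller's check from outside the cluster, point self_check at the real URL and at the key authorization cert-manager wrote into the Challenge (`kubectl get challenge <name> -o jsonpath='{.spec.key}'`, the `Key: [...]` field in the describe output above); if that succeeds from your workstation but the Challenge still reports connection refused, the problem is reachability from inside the cluster, not the solver.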

Ingress and cert manager are not creating certificate

I am trying to deploy ingress-routes in Kubernetes following these guides:
https://cert-manager.io/docs/tutorials/acme/ingress/
https://learn.microsoft.com/en-us/azure/aks/ingress-static-ip
I have deployed a cluster-issuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <Myemail>
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
          podTemplate:
            spec:
              nodeSelector:
                "kubernetes.io/os": linux
Then I have deployed ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: airflow-ingress
  namespace: airflow6
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencryp
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - <MYhost>
    secretName: tls-secret1
  rules:
  - host: <MYhost>
    http:
      paths:
      - path: /
        backend:
          serviceName: airflow-web
          servicePort: 8080
Then if I try to get the certificate:
kubectl describe certificate tls-secret1 --namespace airflow6
Error from server (NotFound): certificates.cert-manager.io "tls-secret1" not found
I have tried to deploy my own certificate:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret1
  namespace: airflow6
spec:
  secretName: tls-secret1
  dnsNames:
  - <MYhost>
  issuerRef:
    name: letsencrypt
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    group: cert-manager.io
Then run the same command:
kubectl describe certificate tls-secret1 --namespace airflow6
Name: tls-secret1
Namespace: airflow6
Labels: <none>
Annotations:
API Version: cert-manager.io/v1beta1
Kind: Certificate
Metadata:
Creation Timestamp: 2020-10-12T10:50:25Z
Generation: 1
Resource Version: 9408916
Self Link: /apis/cert-manager.io/v1beta1/namespaces/airflow6/certificates/quickstart-example-tls
UID: 5c4f06e2-bb61-4eed-8999-58540d4055ce
Spec:
Dns Names:
<Myhost>
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt
Secret Name: tls-secret1
Status:
Conditions:
Last Transition Time: 2020-10-12T10:50:25Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Last Transition Time: 2020-10-12T10:50:25Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: False
Type: Ready
Next Private Key Secret Name: tls-secret1
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 3m8s cert-manager Issuing certificate as Secret does not exist
Normal Requested 3m8s cert-manager Created new CertificateRequest resource "quickstart-example-tls-hl7vk"
Normal Requested <invalid> cert-manager Created new CertificateRequest resource "quickstart-example-tls-vqmbh"
Normal Generated <invalid> (x3 over 3m8s) cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-fgvn6"
Normal Requested <invalid> cert-manager Created new CertificateRequest resource "quickstart-example-tls-5gg9l"
I don't know if I need to create a secret like this:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
But I really don't know what I have to put in tls.crt and tls.key.
In all the guides I have read, I saw that when the ingress route is deployed a certificate is created automatically, but for me it is not working. What am I doing wrong?
No, you are not supposed to create the TLS secret on your own. When you put the secret name in the ingress rule's tls section, then while doing the DNS verification the secret will be created by the issuer itself, in the namespace in which the ingress rule has been created.
To cross-check the configs you created, or to create a new one, you can refer to this.
Then you can follow this Stack Overflow post; it will likely help you.

Cert Manager Challenge Pending Kubernetes

I have it working on one site application I already set up and now I am just trying to replicate the exact same thing for a different site/domain in another namespace.
So staging.correct.com is my working https domain
and staging.example.com is my not working https domain (http works - just not https)
When I do the following it shows 3 certs: the working one for correct, and then 2 for example.com, when it should only have one for example:
kubectl get -A certificate
correct staging-correct-com True staging-correct-com-tls 10d
example staging-example-com False staging-example-com-tls 16h
example staging-example-website-com False staging-example-com-tls 17h
When I do:
kubectl get -A certificaterequests
It shows 2 certificate requests for the example
example staging-example-com-nl46v False 15h
example staging-example-website-com-plhqb False 15h
When I do:
kubectl get ingressroute -A
NAMESPACE NAME AGE
correct correct-ingress-route 10d
correct correct-secure-ingress-route 6d22h
kube-system traefik-dashboard 26d
example example-website-ingress-route 15h
example example-website-secure-ingress-route 15h
routing dashboard 29d
routing traefik-dashboard 6d21h
When I do:
kubectl get secrets -A (just showing the relevant ones)
correct default-token-bphcm kubernetes.io/service-account-token
correct staging-correct-com-tls kubernetes.io/tls
example default-token-wx9tx kubernetes.io/service-account-token
example staging-example-com-tls Opaque
example staging-example-com-wf224 Opaque
example staging-example-website-com-rzrvw Opaque
Logs from cert manager pod:
1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "msg"="found one existing HTTP01 solver ingress" "dnsName"="staging.example.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-bqjsj" "related_resource_namespace"="example" "related_resource_version"="v1beta1" "resource_kind"="Challenge" "resource_name"="staging-example-com-ltjl6-1661100417-771202110" "resource_namespace"="example" "resource_version"="v1" "type"="HTTP-01"
When I do:
kubectl get challenge -A
example staging-example-com-nl46v-1661100417-2848337980 staging.example.com 15h
example staging-example-website-com-plhqb-26564845-3987262508 pending staging.example.com
When I do: kubectl get order -A
NAMESPACE NAME STATE AGE
example staging-example-com-nl46v-1661100417 pending 17h
example staging-example-website-com-plhqb-26564845 pending 17h
My yml files:
My ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: example
  name: example-website-ingress-route
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.frontend.redirect.entryPoint: https
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`staging.example.com`)
    middlewares:
    - name: https-only
    kind: Rule
    services:
    - name: example-website
      namespace: example
      port: 80
my issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer-staging
  namespace: example
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: example#example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: staging-example-com-tls
    # Enable the HTTP-01 challenge provider
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - http01:
        ingress:
          class: traefik
my middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-only
  namespace: example
spec:
  redirectScheme:
    scheme: https
    permanent: true
my secure ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: example
  name: example-website-secure-ingress-route
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.frontend.redirect.entryPoint: https
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`staging.example.com`)
    kind: Rule
    services:
    - name: example-website
      namespace: example
      port: 80
  tls:
    domains:
    - main: staging.example.com
    options:
      namespace: example
    secretName: staging-example-com-tls
my service:
apiVersion: v1
kind: Service
metadata:
  namespace: example
  name: 'example-website'
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    name: http
    port: 80
    targetPort: 80
  - protocol: TCP
    name: https
    port: 443
    targetPort: 80
  selector:
    app: 'example-website'
my solver:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: staging-example-com
  namespace: example
spec:
  secretName: staging-example-com-tls
  issuerRef:
    name: example-issuer-staging
    kind: Issuer
  commonName: staging.example.com
  dnsNames:
  - staging.example.com
my app:
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  namespace: example
  name: 'example-website'
  labels:
    app: 'example-website'
    tier: 'frontend'
spec:
  replicas: 1
  selector:
    matchLabels:
      app: 'example-website'
  template:
    metadata:
      labels:
        app: 'example-website'
    spec:
      containers:
      - name: example-website-container
        image: richarvey/nginx-php-fpm:1.10.3
        imagePullPolicy: Always
        env:
        - name: SSH_KEY
          value: 'secret'
        - name: GIT_REPO
          value: 'url of source code for site'
        - name: GIT_EMAIL
          value: 'example#example.com'
        - name: GIT_NAME
          value: 'example'
        ports:
        - containerPort: 80
How can I delete all these secrets, orders, certificates and stuff in the example namespace and try again? Does cert-manager let you do this without restarting them continuously?
EDIT:
I deleted the namespace and redeployed, then:
kubectl describe certificates staging-example-com -n example
Spec:
Common Name: staging.example.com
Dns Names:
staging.example.com
Issuer Ref:
Kind: Issuer
Name: example-issuer-staging
Secret Name: staging-example-com-tls
Status:
Conditions:
Last Transition Time: 2020-09-26T21:25:06Z
Message: Issuing certificate as Secret does not contain a certificate
Reason: MissingData
Status: False
Type: Ready
Last Transition Time: 2020-09-26T21:25:07Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: staging-example-com-gnbl4
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 3m10s cert-manager Issuing certificate as Secret does not exist
Normal Reused 3m10s cert-manager Reusing private key stored in existing Secret resource "staging-example-com-tls"
Normal Requested 3m9s cert-manager Created new CertificateRequest resource "staging-example-com-qrtfx"
So then I did:
kubectl describe certificaterequest staging-example-com-qrtfx -n example
Status:
Conditions:
Last Transition Time: 2020-09-26T21:25:10Z
Message: Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 8m17s cert-manager Created Order resource example/staging-example-com-qrtfx-1661100417
Normal OrderPending 8m17s cert-manager Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: ""
So I did:
kubectl describe challenges staging-example-com-qrtfx-1661100417 -n example
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 11m cert-manager Challenge scheduled for processing
Normal Presented 11m cert-manager Presented challenge using HTTP-01 challenge mechanism
I figured it out. The issue seems to be that IngressRoute (which is used in Traefik) does not work with cert-manager. I just deployed this file, then the HTTP check was confirmed, then I could delete it again. Hope this helps others with the same issue.
Seems cert-manager does support IngressRoute, which is in Traefik? I opened the issue here, so let's see what they say: https://github.com/jetstack/cert-manager/issues/3325
kubectl apply -f example-ingress.yml
File:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  namespace: example
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
spec:
  rules:
  - host: staging.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: example-website
          servicePort: 80
  tls:
  - hosts:
    - staging.example.com
    secretName: staging-example-com-tls
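The airflow post and the Traefik post above share failure modes that are visible in the manifests before any ACME traffic happens. cert-manager's ingress-shim only creates a Certificate for an Ingress that carries a cert-manager.io/issuer or cert-manager.io/cluster-issuer annotation; the certmanager.k8s.io/ prefix on the airflow Ingress belongs to the API group from before the v0.11 rename and is ignored, and its value letsencryp does not match the ClusterIssuer named letsencrypt either. Ingress-shim does not watch Traefik's IngressRoute CRD, which is what the workaround in the Traefik post confirms. And in the Traefik manifests the Issuer's privateKeySecretRef and the Certificate's secretName are both staging-example-com-tls, so the ACME account key and the certificate are supposed to live in one Secret; that is consistent with that Secret listing as Opaque rather than kubernetes.io/tls and with the "Reusing private key stored in existing Secret" event followed by the MissingData condition. The checker below is an added example, not code from either post or from cert-manager. It takes manifests as dicts (what json.load gives you for `kubectl get ingress,issuer,clusterissuer,certificate,ingressroute -A -o json` items); the inputs are constructed from the posts, with a placeholder host where the post had <MYhost>, and it assumes ClusterIssuer account keys live in the cert-manager namespace, which is the default --cluster-resource-namespace.

```python
"""Added example (not from either post or from cert-manager): lint a set of
manifests for the ingress-shim preconditions behind the two posts above."""
from typing import List, Set, Tuple

# Annotation keys the cert-manager v1.x ingress-shim acts on, and the kind each names.
ISSUER_ANNOTATIONS = {"cert-manager.io/issuer": "Issuer",
                      "cert-manager.io/cluster-issuer": "ClusterIssuer"}
OLD_PREFIX = "certmanager.k8s.io/"          # API group before the v0.11 rename; not read by v1.x
# Assumption: ClusterIssuer account keys are stored in the default --cluster-resource-namespace.
CLUSTER_RESOURCE_NAMESPACE = "cert-manager"

Finding = Tuple[str, str, str]              # (code, "namespace/Kind/name", message)


def ref(obj: dict) -> str:
    md = obj.get("metadata", {})
    return f"{md.get('namespace', '')}/{obj['kind']}/{md.get('name', '')}"


def ns_of(obj: dict) -> str:
    return obj.get("metadata", {}).get("namespace", "")


def tls_secret_names(obj: dict) -> Set[str]:
    """Secret names a Certificate or Ingress expects cert-manager to fill with a certificate."""
    spec = obj.get("spec", {})
    if obj["kind"] == "Certificate":
        return {spec["secretName"]}
    if obj["kind"] == "Ingress":
        return {t["secretName"] for t in (spec.get("tls") or []) if t.get("secretName")}
    return set()


def check(manifests: List[dict]) -> List[Finding]:
    out: List[Finding] = []
    issuers = {(o["kind"], ns_of(o), o["metadata"]["name"])
               for o in manifests if o["kind"] in ("Issuer", "ClusterIssuer")}
    tls_secrets = {(ns_of(o), s) for o in manifests for s in tls_secret_names(o)}

    for o in manifests:
        r = ref(o)
        if o["kind"] == "IngressRoute":          # Traefik CRD: ingress-shim never sees it
            out.append(("UNSUPPORTED_KIND", r,
                        "ingress-shim watches Ingress objects, not Traefik IngressRoute; "
                        "add an Ingress for the host or a Certificate resource"))
        elif o["kind"] == "Ingress":
            ann = o["metadata"].get("annotations", {})
            for k in ann:
                if k.startswith(OLD_PREFIX):
                    out.append(("OLD_ANNOTATION_PREFIX", r,
                                f"{k} is the pre-v0.11 key; use cert-manager.io/{k[len(OLD_PREFIX):]}"))
            live = [(k, v) for k, v in ann.items() if k in ISSUER_ANNOTATIONS]
            if not live:
                out.append(("NO_ISSUER_ANNOTATION", r,
                            "no cert-manager.io/issuer or cert-manager.io/cluster-issuer annotation, "
                            "so ingress-shim never creates a Certificate"))
            for k, v in live:
                kind = ISSUER_ANNOTATIONS[k]
                if (kind, ns_of(o) if kind == "Issuer" else "", v) not in issuers:
                    out.append(("UNKNOWN_ISSUER", r,
                                f"{k}={v!r} names no {kind} in the manifest set (typo?)"))
            if not tls_secret_names(o):
                out.append(("NO_TLS_SECRET", r,
                            "spec.tls[].secretName missing: nothing tells ingress-shim "
                            "which Secret to issue into"))
        elif o["kind"] in ("Issuer", "ClusterIssuer"):
            key_secret = o.get("spec", {}).get("acme", {}).get("privateKeySecretRef", {}).get("name")
            key_ns = ns_of(o) if o["kind"] == "Issuer" else CLUSTER_RESOURCE_NAMESPACE
            if key_secret and (key_ns, key_secret) in tls_secrets:
                out.append(("SECRET_NAME_CLASH", r,
                            f"privateKeySecretRef {key_secret!r} is also a TLS secretName in "
                            f"{key_ns!r}: the ACME account key (an Opaque Secret) and the "
                            "certificate cannot share one Secret"))
    return out


# Constructed inputs transcribed from the two posts (annotation typo included);
# "myhost.example.com" stands in for the <MYhost> placeholder in the airflow post.
MANIFESTS = [
    {"apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "letsencrypt"}}}},
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "airflow-ingress", "namespace": "airflow6",
                  "annotations": {"kubernetes.io/ingress.class": "nginx",
                                  "certmanager.k8s.io/cluster-issuer": "letsencryp"}},
     "spec": {"tls": [{"hosts": ["myhost.example.com"], "secretName": "tls-secret1"}]}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
     "metadata": {"name": "example-issuer-staging", "namespace": "example"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "staging-example-com-tls"}}}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
     "metadata": {"name": "staging-example-com", "namespace": "example"},
     "spec": {"secretName": "staging-example-com-tls"}},
    {"apiVersion": "traefik.containo.us/v1alpha1", "kind": "IngressRoute",
     "metadata": {"name": "example-website-secure-ingress-route", "namespace": "example",
                  "annotations": {"cert-manager.io/issuer": "example-issuer-staging"}}},
    {"apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
     "metadata": {"name": "example-ingress", "namespace": "example",
                  "annotations": {"cert-manager.io/issuer": "example-issuer-staging"}},
     "spec": {"tls": [{"hosts": ["staging.example.com"], "secretName": "staging-example-com-tls"}]}},
]

if __name__ == "__main__":
    for code, where, msg in check(MANIFESTS):
        print(f"{code:22s} {where}: {msg}")
```

On the constructed set this reports the old annotation prefix and the missing live annotation on airflow-ingress, the unsupported IngressRoute kind, and the Secret-name clash on example-issuer-staging, while the Ingress from the workaround passes. Correcting only the prefix on the airflow Ingress turns the finding into UNKNOWN_ISSUER, since letsencryp still names no ClusterIssuer; the fix is the annotation cert-manager.io/cluster-issuer: letsencrypt, and for the Traefik namespace a privateKeySecretRef name that is not also a certificate Secret.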