LukeShortCloud / rootpages

Root Pages is a collection of easy-to-reference tutorials and guides primarily for Linux and other UNIX-like systems.

[virtualization][kubernetes_administration] Troubleshoot Let's Encrypt issues #485

Open LukeShortCloud opened 3 years ago

LukeShortCloud commented 3 years ago

https://cert-manager.io/docs/faq/acme/

LukeShortCloud commented 3 years ago

If the certificate Secret already exists, delete it to force it to be re-created. It will be re-created instantly.

LukeShortCloud commented 3 years ago

Error checking the Order related to a TLS secret for the certificate-to-be-created:

$ kubectl describe order <SECRET_NAME>-<RANDOM_UUID>
Failed to determine a valid solver configuration for the set of domains on the Order: both ingress name and ingress class overrides specified - only one may be specified at a time

Fix:

---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "clusterissuer-letsencrypt-staging"
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "clusterissuer-letsencrypt-staging"
    acme.cert-manager.io/http01-ingress-class: nginx

Source: https://github.com/jetstack/cert-manager/issues/2545

LukeShortCloud commented 3 years ago

Error:

$ kubectl describe cm-acme-http-solver-<RANDOM_UUID>
<OMITTED>
Events:
  Type     Reason    Age   From                      Message
  ----     ------    ----  ----                      -------
  Warning  Rejected  72s   nginx-ingress-controller  All hosts are taken by other resources
  Warning  Rejected  72s   nginx-ingress-controller  All hosts are taken by other resources
  Warning  Rejected  72s   nginx-ingress-controller  All hosts are taken by other resources

Fix:

---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "clusterissuer-letsencrypt-staging"
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"

Source: https://cert-manager.io/docs/faq/acme/

LukeShortCloud commented 3 years ago

Check all of the related resources for cert-manager to ensure that everything is ready/approved/valid/etc.

$ kubectl get ingress,challenges,order,certificaterequests,certificates,secrets
NAME                                                 CLASS   HOSTS                ADDRESS   PORTS     AGE
ingress.networking.k8s.io/ing-foorbar-example-com    nginx   foobar.example.com             80, 443   18m

NAME                                                                        STATE   AGE
order.acme.cert-manager.io/secret-tls-foobar-example-com-bhz96-3076021480   valid   18m

NAME                                                                     APPROVED   DENIED   READY   ISSUER                                 REQUESTOR                                         AGE
certificaterequest.cert-manager.io/secret-tls-foobar-example-com-bhz96   True                True    clusterissuer-letsencrypt-production   system:serviceaccount:cert-manager:cert-manager   18m

NAME                                                        READY   SECRET                          AGE
certificate.cert-manager.io/secret-tls-foobar-example-com   True    secret-tls-foobar-example-com   18m

NAME                                   TYPE                                  DATA   AGE
secret/default-token-5hxxm             kubernetes.io/service-account-token   3      4d20h
secret/secret-tls-foobar-example-com   kubernetes.io/tls                     2      18m

Use kubectl describe on any resources that are still pending.
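Added example (not from the issue or from cert-manager itself): a small triage script that walks the Certificate -> CertificateRequest -> Order -> Challenge chain in `kubectl get certificates,certificaterequests,orders,challenges -o json` output and lists every object that is not ready together with the reason cert-manager recorded, so you know which resource to `kubectl describe`. It assumes the cert-manager v1 API shape (Ready/Denied conditions on Certificate and CertificateRequest, `status.state` and `status.reason` on Order and Challenge); the sample JSON is constructed, not captured from a cluster.

```python
import json

def resource_status(item):
    """Return (kind, name, ok, reason) for one cert-manager object."""
    kind = item["kind"]
    name = item["metadata"]["name"]
    status = item.get("status", {})
    if kind in ("Certificate", "CertificateRequest"):
        # Readiness is a Ready condition; a CertificateRequest may also be Denied by policy.
        conds = {c["type"]: c for c in status.get("conditions", [])}
        if conds.get("Denied", {}).get("status") == "True":
            return kind, name, False, conds["Denied"].get("message", "denied")
        ready = conds.get("Ready", {})
        if ready.get("status") == "True":
            return kind, name, True, ""
        return kind, name, False, ready.get("message", "no Ready condition yet")
    if kind in ("Order", "Challenge"):
        # ACME objects carry a state (pending/valid/invalid/errored/...) plus a reason.
        state = status.get("state", "pending")
        if state == "valid":
            return kind, name, True, ""
        return kind, name, False, f"state={state}: {status.get('reason', 'no reason reported')}"
    raise ValueError(f"not a cert-manager resource kind: {kind}")

def find_blockers(kubectl_json):
    """Parse `kubectl get ... -o json` output; return (kind, name, reason) for each non-ready object."""
    items = json.loads(kubectl_json)["items"]
    return [(kind, name, reason)
            for kind, name, ok, reason in map(resource_status, items) if not ok]

# Constructed sample (shape of `kubectl get ... -o json`): the Order failed with the
# solver-configuration error quoted earlier in this issue.
SAMPLE = json.dumps({"items": [
    {"kind": "Certificate", "metadata": {"name": "secret-tls-foobar-example-com"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "message": "Issuing certificate as Secret does not exist"}]}},
    {"kind": "CertificateRequest", "metadata": {"name": "secret-tls-foobar-example-com-bhz96"},
     "status": {"conditions": [{"type": "Approved", "status": "True"},
                               {"type": "Ready", "status": "False",
                                "message": "Waiting on certificate issuance from order"}]}},
    {"kind": "Order", "metadata": {"name": "secret-tls-foobar-example-com-bhz96-3076021480"},
     "status": {"state": "errored",
                "reason": "Failed to determine a valid solver configuration for the set of domains on the Order: "
                          "both ingress name and ingress class overrides specified - only one may be specified at a time"}},
]})

if __name__ == "__main__":
    for kind, name, reason in find_blockers(SAMPLE):
        print(f"{kind}/{name}: {reason}")
```

Feed it real output with `kubectl get certificates,certificaterequests,orders,challenges -o json | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; the deepest non-ready object in the chain is normally the one whose `describe` output explains the failure.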

LukeShortCloud commented 2 years ago

These are all of the APIs installed from cert-manager:

$ kubectl api-resources | grep cert-manager 
challenges                                     acme.cert-manager.io/v1                true         Challenge
orders                                         acme.cert-manager.io/v1                true         Order
certificaterequests               cr,crs       cert-manager.io/v1                     true         CertificateRequest
certificates                      cert,certs   cert-manager.io/v1                     true         Certificate
clusterissuers                                 cert-manager.io/v1                     false        ClusterIssuer
issuers                                        cert-manager.io/v1                     true         Issuer