Open LukeShortCloud opened 3 years ago
If the certificate Secret already exists, delete it to force it to be re-created. It will be re-created instantly.
Error checking the Order related to a TLS secret for the certificate-to-be-created:
$ kubectl describe order <SECRET_NAME>-<RANDOM_UUID>
Failed to determine a valid solver configuration for the set of domains on the Order: both ingress name and ingress class overrides specified - only one may be specified at a time
Fix:
ingress.annotations.acme.cert-manager.io/http01* annotation can be used. Typically, the usage of the variable should be one of these:
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "clusterissuer-letsencrypt-staging"
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "clusterissuer-letsencrypt-staging"
    acme.cert-manager.io/http01-ingress-class: nginx
Source: https://github.com/jetstack/cert-manager/issues/2545
Error:
$ kubectl describe ingress cm-acme-http-solver-<RANDOM_UUID>
<OMITTED>
Events:
  Type     Reason    Age   From                      Message
  ----     ------    ----  ----                      -------
  Warning  Rejected  72s   nginx-ingress-controller  All hosts are taken by other resources
  Warning  Rejected  72s   nginx-ingress-controller  All hosts are taken by other resources
  Warning  Rejected  72s   nginx-ingress-controller  All hosts are taken by other resources
Fix:
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "clusterissuer-letsencrypt-staging"
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"
Check all of the related resources for cert-manager to ensure that everything is ready/approved/valid/etc.
$ kubectl get ingress,challenges,order,certificaterequests,certificates,secrets
NAME                                                CLASS   HOSTS                ADDRESS   PORTS     AGE
ingress.networking.k8s.io/ing-foorbar-example-com   nginx   foobar.example.com             80, 443   18m

NAME                                                                        STATE   AGE
order.acme.cert-manager.io/secret-tls-foobar-example-com-bhz96-3076021480   valid   18m

NAME                                                                     APPROVED   DENIED   READY   ISSUER                                 REQUESTOR                                         AGE
certificaterequest.cert-manager.io/secret-tls-foobar-example-com-bhz96   True                True    clusterissuer-letsencrypt-production   system:serviceaccount:cert-manager:cert-manager   18m

NAME                                                        READY   SECRET                          AGE
certificate.cert-manager.io/secret-tls-foobar-example-com   True    secret-tls-foobar-example-com   18m

NAME                                   TYPE                                  DATA   AGE
secret/default-token-5hxxm             kubernetes.io/service-account-token   3      4d20h
secret/secret-tls-foobar-example-com   kubernetes.io/tls                     2      18m
Use kubectl describe on any resources that are still pending.
These are all of the APIs installed from cert-manager:
$ kubectl api-resources | grep cert-manager
challenges                         acme.cert-manager.io/v1   true    Challenge
orders                             acme.cert-manager.io/v1   true    Order
certificaterequests   cr,crs       cert-manager.io/v1        true    CertificateRequest
certificates          cert,certs   cert-manager.io/v1        true    Certificate
clusterissuers                     cert-manager.io/v1        false   ClusterIssuer
issuers                            cert-manager.io/v1        true    Issuer
https://cert-manager.io/docs/faq/acme/
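A pre-deployment check for the "both ingress name and ingress class overrides specified" error above, as an added example that is not part of the original issue or of cert-manager. It reads the output of `kubectl get ingress -A -o json` and reports every Ingress that carries both of the http01 annotations shown in the two variants. The function name, the sample data and the assumption that only the literal value "true" enables edit-in-place are this example's own.

```python
import json
import sys

# Annotation keys exactly as they appear in the two variants on this page.
EDIT_IN_PLACE = "acme.cert-manager.io/http01-edit-in-place"
INGRESS_CLASS = "acme.cert-manager.io/http01-ingress-class"


def conflicting_ingresses(ingress_list):
    """Return (namespace, name) for each Ingress that sets both overrides."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}  # annotations may be absent or null
        # Assumption: edit-in-place is only active for the string "true".
        edits_in_place = ann.get(EDIT_IN_PLACE) == "true"
        sets_class = INGRESS_CLASS in ann
        if edits_in_place and sets_class:
            hits.append((meta.get("namespace", "default"), meta.get("name", "")))
    return hits


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Ingress", "metadata": {"namespace": "default", "name": "ing-both",
    "annotations": {
      "cert-manager.io/cluster-issuer": "clusterissuer-letsencrypt-staging",
      "acme.cert-manager.io/http01-edit-in-place": "true",
      "acme.cert-manager.io/http01-ingress-class": "nginx"}}},
  {"kind": "Ingress", "metadata": {"namespace": "default", "name": "ing-edit",
    "annotations": {
      "cert-manager.io/cluster-issuer": "clusterissuer-letsencrypt-staging",
      "acme.cert-manager.io/http01-edit-in-place": "true",
      "cert-manager.io/issue-temporary-certificate": "true"}}},
  {"kind": "Ingress", "metadata": {"namespace": "web", "name": "ing-class",
    "annotations": {
      "cert-manager.io/cluster-issuer": "clusterissuer-letsencrypt-staging",
      "acme.cert-manager.io/http01-ingress-class": "nginx"}}},
  {"kind": "Ingress", "metadata": {"namespace": "web", "name": "ing-plain"}}
]}
""")

if __name__ == "__main__":
    # Pass a file saved from kubectl as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, name in conflicting_ingresses(data):
        print(f"{namespace}/{name}: remove either {EDIT_IN_PLACE} or {INGRESS_CLASS}")
    sys.exit(1 if conflicting_ingresses(data) else 0)
```

The non-zero exit status on a conflict lets the check gate a CI job before the manifests are applied.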