imixs / imixs-cloud

A Lightweight Kubernetes Environment
https://imixs.github.io/imixs-cloud/
GNU General Public License v3.0

ClusterIssuers doesn't start #61

Closed guidtz closed 3 years ago

guidtz commented 3 years ago

Hello @rsoika, do you have an idea why my ClusterIssuers don't appear to be ready?

$ kubectl get clusterissuer
NAME                  READY   AGE
letsencrypt-prod              11m
letsencrypt-staging           11m

I use cert-manager 1.2.0 and nginx-controller 0.44.

I have the same installation in another Kubernetes cluster and it works; the only difference is that this cluster is with containerd and cri-o and not with Docker (https://www.aukfood.fr/kubernetes-sans-docker/).

$ kubectl describe clusterissuer/letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2021-02-20T07:36:23Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            2021-02-20T07:36:23Z
  Resource Version:  933291
  UID:               dd686ca9-a52f-4e55-8366-2caba67e2238
Spec:
  Acme:
    Email:            email@domain.com
    Preferred Chain:  
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Events:           <none>

If you have an idea :)

rsoika commented 3 years ago

Hi, I am sorry, I fear I have no useful tips for you. The only guess I would make is that the problem is related to your network configuration. Did you see any useful messages in the pod log files?

rsoika commented 3 years ago

I have now also upgraded to cert-manager 1.2.0 and nginx-controller 0.44. I see no issues.

Did you take care to start the cert-manager first (which will take some time)?

You can control the startup with:

$ kubectl get pods --namespace cert-manager
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-5597cff495-z454k             1/1     Running   0          6h23m
cert-manager-cainjector-bd5f9c764-vxlbf   1/1     Running   0          6h23m
cert-manager-webhook-5f57f59fbc-cpgp2     1/1     Running   0          6h23m

After that you should start the deployment of the nginx-controller.

guidtz commented 3 years ago

@rsoika Yes, cert-manager seems to be ok:

$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-6588898cb4-zllrb              1/1     Running   0          8h
cert-manager-cainjector-7bcbdbd99f-zg8qk   1/1     Running   0          8h
cert-manager-webhook-5fd9f9dd86-vtznm      1/1     Running   0          8h

I opened an issue on the cert-manager GitHub: https://github.com/jetstack/cert-manager/issues/3688

rsoika commented 3 years ago

OK, it's good to get help from the cert-manager community.

The YOUR_CLUSTER_IP in your 020-service.yaml file: is it a public IP? It should be the IP of your master node.

guidtz commented 3 years ago

@rsoika It seems to be a problem with Weave Net. I retried my hybrid cluster (containerd and cri-o) with calico and now the clusterissuers are ok:

# kubectl get clusterissuers
NAME                  READY   AGE
letsencrypt-prod      True    33s
letsencrypt-staging   True    32s

rsoika commented 3 years ago

Ah, that's interesting. I am always using the flannel network.

guidtz commented 3 years ago

@rsoika Yes, flannel or calico seems to be the better choice with k8s. I'll close this issue, thanks for your help.
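
An added example, not part of the thread or of the imixs-cloud project: a small Python check that reads `kubectl get clusterissuer -o json` and separates an issuer with no `Ready` condition at all (the empty READY column and missing Status section shown in the first post) from one that was reconciled and failed. The sample JSON, including the failure message text, is constructed for illustration; `issuer_readiness` and `check_sample` are hypothetical helper names.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterissuer -o json`:
# one issuer without any status, one Ready, one reconciled but failing.
SAMPLE = """
{"kind": "List", "items": [
  {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"}},
  {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-staging"},
   "status": {"conditions": [{"type": "Ready", "status": "True",
     "reason": "ACMEAccountRegistered", "message": "constructed"}]}},
  {"kind": "ClusterIssuer", "metadata": {"name": "example-failing"},
   "status": {"conditions": [{"type": "Ready", "status": "False",
     "reason": "ErrRegisterACMEAccount", "message": "constructed timeout"}]}}
]}
"""

def issuer_readiness(doc):
    """Return {issuer name: (state, detail)} for a List or a single object."""
    items = doc["items"] if "items" in doc else [doc]
    results = {}
    for item in items:
        name = item["metadata"]["name"]
        conditions = (item.get("status") or {}).get("conditions") or []
        ready = next((c for c in conditions if c.get("type") == "Ready"), None)
        if ready is None:
            # Nothing has written a status yet: look at the cert-manager
            # controller log and at pod networking, not at the issuer spec.
            results[name] = ("unreconciled", "no Ready condition in status")
        elif ready.get("status") == "True":
            results[name] = ("ready", ready.get("reason", ""))
        else:
            detail = "{}: {}".format(ready.get("reason", ""), ready.get("message", ""))
            results[name] = ("not-ready", detail)
    return results

def check_sample():
    """Run the check over the constructed sample above."""
    return issuer_readiness(json.loads(SAMPLE))

if __name__ == "__main__":
    # Usage: kubectl get clusterissuer -o json | python3 check_issuers.py -
    use_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    result = issuer_readiness(json.load(sys.stdin)) if use_stdin else check_sample()
    for name, (state, detail) in sorted(result.items()):
        print("{:<22} {:<13} {}".format(name, state, detail))
    sys.exit(0 if all(s == "ready" for s, _ in result.values()) else 1)
```

The non-zero exit code when any issuer is not ready makes the script usable as a gate before deploying ingresses that request certificates.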