tnozicka / openshift-acme

ACME Controller for OpenShift and Kubernetes Cluster. (Supports e.g. Let's Encrypt)
Apache License 2.0

Failure to apply certificate on web console #154

Closed darren-oxford closed 2 years ago

darren-oxford commented 3 years ago

What happened: Constant re-issue of certificates until rate limit exceeded for console route. Something seems to cause the CertKey to appear to be missing causing a new certificate order to be attempted.

What you expected to happen: Certificate to be issued once and applied to route.

Environment:

Example Log

```
I0317 22:15:08.917432 1 route.go:496] Started syncing Route "openshift-console/console"
I0317 22:15:08.917633 1 route.go:563] Route "openshift-console/console" needs new certificate: Route is missing CertKey
I0317 22:15:08.917947 1 route.go:607] Using ACME client with DirectoryURL "https://acme-v02.api.letsencrypt.org/directory"
I0317 22:15:10.723922 1 route.go:650] Route "openshift-console/console": Order "https://acme-v02.api.letsencrypt.org/acme/order/115489376/8510418XXX" is in "ready" state
I0317 22:15:10.723955 1 route.go:1070] Route "openshift-console/console": Order "https://acme-v02.api.letsencrypt.org/acme/order/115489376/8510418XXX" successfully validated
I0317 22:15:16.007692 1 route.go:1092] Route "openshift-console/console": Order "https://acme-v02.api.letsencrypt.org/acme/order/115489376/8510418XXX": Certificate available at "https://acme-v02.api.letsencrypt.org/acme/cert/04bde7a3b76bf1cfecbc9ff87c627bfdd176"
I0317 22:15:16.029427 1 route.go:1276] Cleaning up temporary exposer for Route openshift-console/console (UID=71e8f2da-aaa0-4773-9a6c-dc3bc5ca90c4)
I0317 22:15:16.029837 1 route.go:226] Updating Route openshift-console/console RV=2585441->2585490 UID=71e8f2da-aaa0-4773-9a6c-dc3bc5ca90c4->71e8f2da-aaa0-4773-9a6c-dc3bc5ca90c4
I0317 22:15:16.039382 1 route.go:498] Finished syncing Route "openshift-console/console"
I0317 22:15:16.039431 1 route.go:496] Started syncing Route "openshift-console/console"
I0317 22:15:16.039801 1 route.go:559] Route "openshift-console/console" doesn't need new certificate.
I0317 22:15:16.040106 1 route.go:498] Finished syncing Route "openshift-console/console"
I0317 22:15:16.229268 1 route.go:226] Updating Route openshift-console/console RV=2585490->2585491 UID=71e8f2da-aaa0-4773-9a6c-dc3bc5ca90c4->71e8f2da-aaa0-4773-9a6c-dc3bc5ca90c4
I0317 22:15:16.229302 1 route.go:496] Started syncing Route "openshift-console/console"
I0317 22:15:16.229465 1 route.go:563] Route "openshift-console/console" needs new certificate: Route is missing CertKey
I0317 22:15:16.229789 1 route.go:607] Using ACME client with DirectoryURL "https://acme-v02.api.letsencrypt.org/directory"
I0317 22:16:04.288012 1 reflector.go:432] k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108: Watch close - *v1.LimitRange total 0 items received
I0317 22:16:16.229690 1 route.go:498] Finished syncing Route "openshift-console/console"
E0317 22:16:16.229768 1 route.go:1308] openshift-console/console failed with : 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: see https://letsencrypt.org/docs/rate-limits/
```

@tnozicka

eehmann commented 3 years ago

Hey Darren,

My current guess: The Operator which manages the OpenShift Web-Console is causing this problem. As soon as the Let's Encrypt certificate is added to the Route, the Operator removes it again.

I didn't find a solution yet, but maybe this information can help you.
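A log-side check for the loop shown in the report above, as an added example that is not part of the original thread or the project's code: it flags routes whose certificate is reported missing again shortly after issuance, so the loop is caught before the ACME rate limit is exhausted. The sample lines are constructed in the issue's log format; the function name and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# klog header as seen in the issue's log: severity+MMDD, time, pid, file:line]
KLOG = re.compile(r'^([IWEF])(\d{4}) (\d\d:\d\d:\d\d\.\d+)\s+\d+ \S+\] (.*)$')
ISSUED = re.compile(r'^Route "([^"]+)": Order "[^"]+": Certificate available at ')
MISSING = re.compile(r'^Route "([^"]+)" needs new certificate: Route is missing CertKey')
LIMITED = re.compile(r'^(\S+) failed with .*urn:ietf:params:acme:error:rateLimited')

def find_reissue_loops(lines, window=timedelta(minutes=5)):
    """Return {route: {"reverts": n, "rate_limited": bool}} for routes whose
    certificate went missing again within `window` of being issued."""
    last_issued, findings = {}, {}
    for line in lines:
        m = KLOG.match(line.strip())
        if not m:
            continue
        # klog omits the year; a fixed leap year keeps Feb 29 parseable.
        ts = datetime.strptime("2000" + m.group(2) + " " + m.group(3),
                               "%Y%m%d %H:%M:%S.%f")
        msg = m.group(4)
        if (hit := ISSUED.match(msg)):
            last_issued[hit.group(1)] = ts
        elif (hit := MISSING.match(msg)):
            issued_at = last_issued.pop(hit.group(1), None)
            # A first-time "missing CertKey" is normal; only count one that
            # follows a successful issuance for the same route.
            if issued_at is not None and timedelta(0) <= ts - issued_at <= window:
                entry = findings.setdefault(
                    hit.group(1), {"reverts": 0, "rate_limited": False})
                entry["reverts"] += 1
        elif (hit := LIMITED.match(msg)) and hit.group(1) in findings:
            findings[hit.group(1)]["rate_limited"] = True
    return findings

# Constructed sample lines (hypothetical routes and URLs), not from a real cluster.
SAMPLE = [
    'I0317 22:15:08.917633 1 route.go:563] Route "demo/web" needs new certificate: Route is missing CertKey',
    'I0317 22:15:16.007692 1 route.go:1092] Route "demo/web": Order "https://acme.example.invalid/order/1": Certificate available at "https://acme.example.invalid/cert/1"',
    'I0317 22:15:16.039801 1 route.go:559] Route "demo/web" doesn\'t need new certificate.',
    'I0317 22:15:16.229465 1 route.go:563] Route "demo/web" needs new certificate: Route is missing CertKey',
    'E0317 22:16:16.229768 1 route.go:1308] demo/web failed with : 429 urn:ietf:params:acme:error:rateLimited: Error creating new order',
    'I0317 22:20:00.000000 1 route.go:1092] Route "demo/api": Order "https://acme.example.invalid/order/2": Certificate available at "https://acme.example.invalid/cert/2"',
]

if __name__ == "__main__":
    print(find_reissue_loops(SAMPLE))
```
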

openshift-bot commented 3 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 3 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 2 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/tnozicka/openshift-acme/issues/154#issuecomment-933024202):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.