dimw closed this issue 1 month ago
Looks like I found the issue. Apparently, the front-proxy-client certificate, which seems to be used to authenticate against the K8s API, has expired and was not auto-renewed on one of the nodes of the MicroK8s cluster (although a similar issue occurs with Kubernetes in general, as seen in this Stack Overflow answer: https://stackoverflow.com/a/72111095).
To diagnose the issue, I used the following command:
$ microk8s refresh-certs -c
The CA certificate will expire in 2828 days.
The server certificate will expire in 315 days.
The front proxy client certificate will expire in -50 days.
Refreshing the expired certificate helped to resolve the flooded logs of cert-manager-webhook-hetzner:
$ microk8s refresh-certs --cert front-proxy-client.crt
After resolving, I was able to see proper logs in cert-manager-webhook-hetzner and the wildcard certificate was generated successfully:
Certificate fetched from issuer successfully
It would be great to have a more verbose log in cert-manager for easier debugging. However, the root cause of the issue was not related to this project.
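The expiry check from the comment above can be turned into a scheduled test that flags a certificate before it lapses. This is an added example, not part of the original comment or the project; the function names and the 30-day threshold are assumptions, and the sample input is the `microk8s refresh-certs -c` output quoted above.

```shell
#!/bin/sh
# Flag certificates reported by `microk8s refresh-certs -c` that are
# already expired or will expire within a threshold (in days).

# expiring_certs THRESHOLD: reads the check output on stdin and prints one
# line per certificate whose remaining days are <= THRESHOLD.
expiring_certs() {
    threshold="$1"
    # Extract "<name>|<days>"; days may be negative for an expired cert.
    sed -n 's/^The \(.*\) certificate will expire in \(-\{0,1\}[0-9][0-9]*\) days\.$/\1|\2/p' |
    while IFS='|' read -r name days; do
        if [ "$days" -le "$threshold" ]; then
            if [ "$days" -lt 0 ]; then
                echo "EXPIRED  $name ($days days)"
            else
                echo "EXPIRING $name ($days days)"
            fi
        fi
    done
}

# check_certs THRESHOLD: prints the report and returns 1 if anything was
# flagged, so a cron job or monitoring probe can alert on the exit status.
check_certs() {
    report=$(expiring_certs "$1")
    if [ -n "$report" ]; then
        echo "$report"
        return 1
    fi
    return 0
}

# Sample input: the output shown in the comment above.
sample_output() {
    cat <<'EOF'
The CA certificate will expire in 2828 days.
The server certificate will expire in 315 days.
The front proxy client certificate will expire in -50 days.
EOF
}

# Demo on the sample; on a node use: microk8s refresh-certs -c | check_certs 30
sample_output | check_certs 30 || true
```

Run on every node of the cluster, since in the case above only one node had the expired certificate.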
I'm migrating from mecodia/cert-manager-webhook-hetzner to this project on a MicroK8s cluster. After removing the old certificate manager and configuring the new one as described in the documentation, I spotted that the CertificateRequest for the wildcard certificate was stuck in the pending state, having the following message:

Digging deeper, I observed that cert-manager-webhook-hetzner is flooding the logs with "Unable to authenticate the request" errors, producing ~10 of these per second:
It feels like an old certificate stuck somewhere in K8s which is causing that. Unfortunately, I'm not able to find the place where the respective error message is created as there is no authentication.go in the project. Maybe it's rel
I already tried reinstalling cert-manager and cert-manager-webhook-hetzner, as well as removing all certificates I could find, without any success.
Do you have any ideas why the error logs are happening? Is it related to the endless "pending" state of the certificate?