AWS EKS Letsencrypt - ACME certificates expired and unable to renew automatically

Hello Team,

I have installed cert-manager on my AWS EKS cluster and there was a certificate that was set up; the certificate expired on July 2nd and I am not able to renew the certificate.

My domain is: sandbox.thryv.com

Cert-manager was installed using Helm install.

Steps Taken:

  1. Cleaned up all the resources from the previous deployment of cert-manager as mentioned in this document: Helm - cert-manager Documentation

  2. Installed cert-manager again, and the ClusterIssuer was configured using a YAML file.

  3. Added the annotations to the ingress and modified the placeholders accordingly.

  4. Applied the changes using the helm upgrade command.

===================================================================

$ kubectl get certificate
NAME               READY   SECRET             AGE
letsencrypt-prod   False   letsencrypt-prod   28m

bhosas01@YM712R34D2 testing-dev2 % kubectl describe certificate/letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    dev
Labels:       app.kubernetes.io/instance=my-retool
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=retool
              helm.sh/chart=retool-4.11.9
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-07-05T21:40:49Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-readiness
    Operation:    Update
    Subresource:  status
    Time:         2023-07-05T21:40:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"Issuing"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-trigger
    Operation:    Update
    Subresource:  status
    Time:         2023-07-05T21:40:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .:
          f:app.kubernetes.io/instance:
          f:app.kubernetes.io/managed-by:
          f:app.kubernetes.io/name:
          f:helm.sh/chart:
        f:ownerReferences:
          .:
          k:{"uid":"c894ffb0-c6f1-4d18-9e22-c23d41dc9a85"}:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
        f:usages:
    Manager:      cert-manager-ingress-shim
    Operation:    Update
    Time:         2023-07-05T21:40:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:nextPrivateKeySecretName:
    Manager:      cert-manager-certificates-key-manager
    Operation:    Update
    Subresource:  status
    Time:         2023-07-05T21:40:50Z
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  my-retool
    UID:                   c894ffb0-c6f1-4d18-9e22-c23d41dc9a85
  Resource Version:        53662423
  UID:                     ccf414f9-698e-47d0-ab1f-b2d5b1681c0f
Spec:
  Dns Names:
    serviceportal-dev.sandbox.thryv.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  letsencrypt-prod
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:        2023-07-05T21:40:49Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2023-07-05T21:40:49Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  letsencrypt-prod-qb8wq
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    29m   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  29m   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "letsencrypt-prod-qb8wq"
  Normal  Requested  29m   cert-manager-certificates-request-manager  Created new CertificateRequest resource "letsencrypt-prod-5q57l"

NAMESPACE       NAME                                 TYPE                 DATA   AGE
cert-manager    cert-manager-webhook-ca              Opaque               3      31m
cert-manager    **letsencrypt-prod**                     Opaque               1      29m
cert-manager    sh.helm.release.v1.cert-manager.v1   helm.sh/release.v1   1      31m
dev             **letsencrypt-prod-qb8wq**               Opaque               1      31m

Can anyone please help here on how to renew the certificate? We are not able to get HTTPS working for our application.
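The describe output above stops at "Created new CertificateRequest resource", so the Certificate itself cannot say why issuance is stuck; cert-manager records that further down the chain, on the CertificateRequest, the Order and finally the Challenge. The script below is an added example (not from the post, and not part of cert-manager): it takes the JSON that `kubectl get certificate,certificaterequest,order,challenge -n dev -o json` prints, follows the ownerReferences from the Certificate down to the Challenge, and reports the deepest unhealthy hop together with what to check for that challenge type. The embedded sample is constructed for the example: the Certificate and CertificateRequest names are the ones in the post, while the Order and Challenge names, UIDs, timestamps and messages are made up.

```python
#!/usr/bin/env python3
"""Walk a cert-manager issuance chain and report where it is stuck.

Usage: kubectl get certificate,certificaterequest,order,challenge -n dev -o json | python3 cm_triage.py [ns] [cert]
With no piped input it runs against the constructed SAMPLE below.
"""
import json
import sys

CHAIN = ["Certificate", "CertificateRequest", "Order", "Challenge"]

# Preconditions for each ACME solver type, used when the walk stops at a Challenge.
SOLVER_HINTS = {
    "HTTP-01": "the dnsName must resolve on the public Internet and "
               "http://<dnsName>/.well-known/acme-challenge/<token> must reach the "
               "cert-manager solver pod through the ingress on port 80",
    "DNS-01": "cert-manager must be able to create the _acme-challenge TXT record for "
              "the dnsName in a publicly queryable zone; the name itself need not resolve",
}


def condition(obj, ctype):
    """Return the status condition of the given type, or None."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return None


def find(items, kind, namespace, name):
    for obj in items:
        meta = obj["metadata"]
        if obj.get("kind") == kind and meta["name"] == name and meta.get("namespace") == namespace:
            return obj
    return None


def children(items, parent, kind):
    """Objects of `kind` whose ownerReferences point at `parent` (matched by UID)."""
    uid = parent["metadata"]["uid"]
    return [obj for obj in items if obj.get("kind") == kind
            and any(ref.get("uid") == uid for ref in obj["metadata"].get("ownerReferences", []))]


def summarize(obj):
    """Health of one object, read from the status fields that kind actually uses."""
    kind, name = obj["kind"], obj["metadata"]["name"]
    if kind in ("Certificate", "CertificateRequest"):   # these use a Ready condition
        ready = condition(obj, "Ready") or {}
        return {"kind": kind, "name": name, "ok": ready.get("status") == "True",
                "reason": ready.get("reason"), "message": ready.get("message")}
    status = obj.get("status", {})                      # Order/Challenge use state + reason
    out = {"kind": kind, "name": name, "ok": status.get("state") == "valid",
           "reason": status.get("state"), "message": status.get("reason")}
    if kind == "Challenge":
        out["type"] = obj["spec"].get("type")
        out["dnsName"] = obj["spec"].get("dnsName")
    return out


def triage(items, namespace, cert_name):
    """Follow Certificate -> CertificateRequest -> Order -> Challenge; find the deepest unhealthy hop."""
    cert = find(items, "Certificate", namespace, cert_name)
    if cert is None:
        raise KeyError(f"Certificate {namespace}/{cert_name} not found in input")
    chain, current = [summarize(cert)], cert
    for kind in CHAIN[1:]:
        kids = children(items, current, kind)
        if not kids:
            break
        # A Certificate can leave failed CertificateRequests behind; follow the newest one.
        current = max(kids, key=lambda o: o["metadata"].get("creationTimestamp", ""))
        chain.append(summarize(current))
    stuck = next((hop for hop in reversed(chain) if not hop["ok"]), None)
    if stuck is None:
        hint = "every hop is healthy; the TLS Secret should exist"
    elif stuck["kind"] == "Challenge":
        hint = SOLVER_HINTS.get(stuck["type"], f"unknown solver type {stuck['type']!r}")
    elif stuck["kind"] == chain[-1]["kind"]:
        hint = f"no child object below the {stuck['kind']}; check cert-manager controller logs and the issuer's Ready condition"
    else:
        hint = f"{stuck['kind']} is unhealthy although its child objects are fine; check its conditions"
    return {"chain": chain, "stuck_at": stuck["kind"] if stuck else None, "hint": hint}


def _obj(kind, name, uid, owner_uid=None, created="2023-07-05T21:40:49Z", **rest):
    meta = {"name": name, "namespace": "dev", "uid": uid, "creationTimestamp": created}
    if owner_uid:
        meta["ownerReferences"] = [{"uid": owner_uid}]
    return {"kind": kind, "metadata": meta, **rest}


# Constructed sample: names of the Certificate and newest CertificateRequest are from the
# post; everything else (UIDs, Order/Challenge names, timestamps, messages) is invented.
SAMPLE = [
    _obj("Certificate", "letsencrypt-prod", "cert-uid",
         status={"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                 "message": "Issuing certificate as Secret does not exist"}]}),
    _obj("CertificateRequest", "letsencrypt-prod-abc12", "cr-old", "cert-uid", created="2023-07-05T21:00:00Z",
         status={"conditions": [{"type": "Ready", "status": "False", "reason": "Failed",
                                 "message": "constructed: earlier attempt failed"}]}),
    _obj("CertificateRequest", "letsencrypt-prod-5q57l", "cr-new", "cert-uid",
         status={"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                                 "message": "constructed: waiting on certificate issuance from order"}]}),
    _obj("Order", "letsencrypt-prod-5q57l-order", "order-uid", "cr-new", status={"state": "pending", "reason": ""}),
    _obj("Challenge", "letsencrypt-prod-5q57l-order-0", "chal-uid", "order-uid",
         spec={"type": "HTTP-01", "dnsName": "serviceportal-dev.sandbox.thryv.com"},
         status={"state": "pending", "reason": "constructed: wrong status code '404', expected '200'"}),
]


def main():
    namespace = sys.argv[1] if len(sys.argv) > 1 else "dev"
    cert_name = sys.argv[2] if len(sys.argv) > 2 else "letsencrypt-prod"
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    report = triage(items, namespace, cert_name)
    for hop in report["chain"]:
        print(f"[{'ok ' if hop['ok'] else 'BAD'}] {hop['kind']}/{hop['name']}: {hop['reason']} {hop['message'] or ''}")
    print(f"stuck at: {report['stuck_at']}; check: {report['hint']}")


if __name__ == "__main__":
    main()
```

On the sample the walk ends at a pending HTTP-01 Challenge, which is the case where the name has to be publicly resolvable and reachable on port 80; a DNS-01 Challenge would instead point you at the TXT record. The same chain can be read by hand with `kubectl describe challenge -n dev`, but the script is useful when a namespace has accumulated several old CertificateRequests and it is not obvious which one is current.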

I'm not familiar with cert-manager, so this might not be much help, but is this intended to be a publicly visible site? The name sandbox.thryv.com doesn't currently resolve to anything. If it's intended to be only privately accessible, it might be that the client you're using is trying to use a DNS-01 challenge that just needs the public to get to the DNS server, rather than needing to resolve the name itself, but if so then I'm not seeing in what you're posting any logging describing what's going wrong in that process.
