Azure AKS: Certificate created but status is blank

Help
1

Hello,
I have installed cert-manager 1.12.1 on my Kubernetes cluster, but since then certificate is created bu status is blank.

  • Kubernetes version: 1.24.9
  • Cloud-provider/provisioner : Azure (AKS)
  • cert-manager version: 1.12.0

When I ran "kubectl describe certificate" I got:

"Name: devtest-tls
Namespace: devtest
Labels: app.kubernetes.io/managed-by=Helm
Annotations:
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2023-06-05T19:05:29Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:labels:
.:
f:app.kubernetes.io/managed-by:
f:ownerReferences:
.:
k:{"uid":"e8c9e94e-2cb7-4f89-a926-889164249428"}:
f:spec:
.:
f:dnsNames:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:secretName:
f:usages:
Manager: cert-manager-ingress-shim
Operation: Update
Time: 2023-06-05T19:05:29Z
Owner References:
API Version: networking.k8s.io/v1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: erpdeploymentdevtest-ingress
UID: e8c9e94e-2cb7-4f89-a926-889164249428
Resource Version: 359799755
UID: b4015ad3-e321-4513-bdca-f18c8e40a0ac
Spec:
Dns Names:
verpidevtest.northeurope.cloudapp.azure.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-staging
Secret Name: devtest-tls
Usages:
digital signature
key encipherment
Events: "

2

Hello @penko, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like
3

When was the "certificate created"?

image
image849×234 47.6 KB

2 Likes
4

You won't find it on crt.sh if only "letsencrypt-staging" has been configured for this hostname lately.

OP should try to find any response from the ACME server in their logs. If they can't find that, they should complain at Kubernetes or cert-manager to make that more easily.

4 Likes
5

What do you see when you describe the certificate secret itself?

kubectl describe secret devtest-tls -n devtest

You could also inspect the actual certificate and its private key directly:

kubectl get secret devtest-tls -n devtest -o yaml

The cert can be decoded here:

https://redkestrel.co.uk/products/decoder/

3 Likes
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.