Existing issued Secret is not up to date for spec

vyom-soft · May 30, 2022, 2:42pm

Hello,
I am seeing this error msg. Could you please advice where I went wrong.

Spec:
Dns Names:
hello-world.info
www.example.com
Issuer Ref:
Kind: ClusterIssuer
Name: training-prod-ca
Secret Name: training-prod-ca
Status:
Conditions:
Last Transition Time: 2022-05-30T11:56:46Z
Message: Existing issued Secret is not up to date for spec: [spec.dnsNames]
Observed Generation: 1
Reason: SecretMismatch
Status: False
Type: Ready
Last Transition Time: 2022-05-30T11:56:46Z
Message: Issuing certificate as Secret was previously issued by Issuer.cert-manager.io/
Observed Generation: 1
Reason: IncorrectIssuer
Status: True
Type: Issuing
Next Private Key Secret Name: training-prod-ca-58vkq
Not After: 2027-05-24T18:22:32Z
Not Before: 2022-05-25T18:22:32Z
Renewal Time: 2025-09-23T10:22:32Z

Best Regards

MikeMcQ · May 30, 2022, 3:00pm

Welcome @vyom-soft

That looks like a problem with cert-manager. Have you followed their troubleshooting process?

rg305 · May 30, 2022, 8:28pm

Did you really include "www.example.com" ?

vyom-soft · May 31, 2022, 7:38am

Thank you for seeing it. I removed, example.com

Environment details::

Kubernetes version: 1.22.0
Cloud-provider/provisioner: k8s BareMetal, KubeSpray, MetalLB
cert-manager version: 1.8.0
lets-encrypt : https://acme-staging-v02.api.letsencrypt.org/directory
Install method: helm/static manifests

Here is the fresh log.

Spec:
Dns Names:
hello-world.info
Issuer Ref:
Kind: ClusterIssuer
Name: my-prod-ca
Secret Name: my-prod-ca
Status:
Conditions:
Last Transition Time: 2022-05-31T07:34:26Z
Message: Existing issued Secret is not up to date for spec: [spec.dnsNames]
Observed Generation: 1
Reason: SecretMismatch
Status: False
Type: Ready
Last Transition Time: 2022-05-31T07:34:27Z
Message: Issuing certificate as Secret was previously issued by Issuer.cert-manager.io/
Observed Generation: 1
Reason: IncorrectIssuer
Status: True
Type: Issuing
Next Private Key Secret Name: my-prod-ca-5vprj
Not After: 2027-05-24T18:22:32Z
Not Before: 2022-05-25T18:22:32Z
Renewal Time: 2025-09-23T10:22:32Z
Events:
Type Reason Age From Message

Normal Issuing 32s cert-manager-certificates-trigger Issuing certificate as Secret was previously issued by Issuer.cert-manager.io/
Normal Reused 32s cert-manager-certificates-key-manager Reusing private key stored in existing Secret resource "my-prod-ca"
Normal Requested 32s cert-manager-certificates-request-manager Created new CertificateRequest resource "my-prod-ca-9tx6x"

vyom-soft · May 31, 2022, 7:45am

Hello Mike,

Thank you for seeing it.
I did go through the troubleshooting guide

$kubectl describe certificaterequest my-prod-ca-9tx6x -n cert-manager

Status:
Conditions:
Last Transition Time: 2022-05-31T07:34:27Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2022-05-31T07:34:27Z
Message: Waiting on certificate issuance from order cert-manager/my-prod-ca-9tx6x-216457662: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message

Normal cert-manager.io 5m50s cert-manager-certificaterequests-approver Certificate request has been approved by cert-manager.io
Normal OrderCreated 5m50s cert-manager-certificaterequests-issuer-acme Created Order resource cert-manager/kvib-prod-ca-9tx6x-216457662
Normal OrderPending 5m50s cert-manager-certificaterequests-issuer-acme Waiting on certificate issuance from order cert-manager/my-prod-ca-9tx6x-216457662: ""

kubectl get challenges -n cert-manager -o wide
NAME STATE DOMAIN REASON AGE
my-prod-ca-ggk7j-216457662-1544531956 pending hello-world.info Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "yhwVXOSNllPT9doj0mQLcj-CbfUZA84tSBAmduZQhaU.kX63bjdEt7luokUfr6xQeQYmqAiAYRlzy67kTiOkUIY" but got: <!doctype html><html lan... (truncated) 21m

kubectl describe order my-prod-ca-ggk7j-216457662 -n cert-manager
Status:
Authorizations:
Challenges:
Token: yhwVXOSNllPT9doj0mQLcj-CbfUZA84tSBAmduZQhaU
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2582747384/YZMLCQ
Token: yhwVXOSNllPT9doj0mQLcj-CbfUZA84tSBAmduZQhaU
Type: dns-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2582747384/gYQJHw
Token: yhwVXOSNllPT9doj0mQLcj-CbfUZA84tSBAmduZQhaU
Type: tls-alpn-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2582747384/p9gsrQ
Identifier: hello-world.info
Initial State: pending
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2582747384
Wildcard: false
Finalize URL: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/55766324/2720962394
State: pending
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/55766324/2720962394
Events:
Type Reason Age From Message

Normal Created 39m cert-manager-orders Created Challenge resource "my-prod-ca-ggk7j-216457662-1544531956" for domain "hello-world.info"

From the Authorization URL
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}

MikeMcQ · May 31, 2022, 12:38pm

Do you own hello-world.info ?

If you do your server is not properly responding to acme challenge requests. Instead, it is sending out some sort of ad block page from a parking site.

curl -iL hello-world.info/.well-known/acme-challenge/Test123
HTTP/1.1 302 Found
Date: Tue, 31 May 2022 12:35:42 GMT
Server: Apache/2.4.38 (Debian)
Set-Cookie: __tad=1654000542.8699812; expires=Fri, 28-May-2032 12:35:42 GMT; Max-Age=315360000
Location: http://ww25.hello-world.info/.well-known/acme-challenge/Test123?subid1=20220531-2235-42bf-956f-edc00f0d0c1c
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Server: openresty
Date: Tue, 31 May 2022 12:35:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: parking_session=6ad3e406-4452-c6fe-910b-1f5c5c32fabc; expires=Tue, 31-May-2022 12:50:42 GMT; Max-Age=900; path=/; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_I9ahn5cTX+vP0U5yYg58Ft1SF/UfSkE3a1myTW8iV4/sa6wmz56B/j4WaawGwQ1Jgg7AgQfQTOTwKNqvLj2FoQ==
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_I9ahn5cTX+vP0U5yYg58Ft1SF/UfSkE3a1myTW8iV4/sa6wmz56B/j4WaawGwQ1Jgg7AgQfQTOTwKNqvLj2FoQ=="><head><meta char

vyom-soft · May 31, 2022, 1:58pm

Thank you !
No, I do not own it.

MikeMcQ · May 31, 2022, 2:37pm

You cannot get a cert for a domain name you do not control

vyom-soft · June 7, 2022, 8:03am

This can be closed.

Osiris · June 7, 2022, 8:45am

We usually don't close threads unless there is an issue with it (spam/flamewars/trolling). We'd rather mark a specific post as "Solution", which should also be possible for the person starting the thread.

system · July 7, 2022, 8:45am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.