Force renewing of certificates with cert-manager

If you need to force the renewal of your certificates with cert-manager (under Kubernetes), possibly due to the 2020.02.29 CAA Rechecking Bug, then you can delete the certificate in your Kubernetes cluster and cert-manager will get a new one (tested with cert-manager 0.9.1).

The certificate will be in a Kubernetes secret. Take care not to remove the wrong secret: there can be multiple secrets of the same name in different namespaces! Before deleting the secret you can have a look at it with kubectl get secret name_of_your_secret -o yaml. It should have an entry named tls.crt, which is the certificate that was issued to you by Let's Encrypt.

If someone could report here on how one can display/decode the cert contained in the value of the tls.crt key, that would be extra useful!


You can try to run openssl x599 -noout -text -in $your certificate path to decode.

Appendix:
noout - Don’t output the certificates file content (the encoded content)
text - output in text format (in your console)

Thank you


To add to the previous answer, you can get the details using the following:

YOUR_NAMESPACE=<your namespace>
kubectl get secrets --namespace ${YOUR_NAMESPACE} -o json | jq -r '.items[].data | select(has("tls.crt")) | ."tls.crt"' | base64 -d | openssl x509 -noout -text

EDIT: note it is openssl x509 not x599


Thanks a lot for the code BellyBuster!

The code snippet you suggest will retrieve all secrets, however in the end only one certificate will be output… I suggest instead qualifying the secret to retrieve with both the namespace and the secret name, then you know what you're getting:

kubectl get secrets -n $NAMESPACE $NAME_OF_SECRET -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -noout -text
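As an added example (not code from this thread), the same inspection done in Python for a machine without jq or openssl: it takes the output of kubectl -n NAMESPACE get secret NAME -o json, base64-decodes tls.crt, and walks the DER of every certificate in the bundle (leaf plus intermediates) to report notBefore, notAfter and days left, so you can confirm which secret you are about to delete and whether its certificate really predates the 2020.02.29 bug. It assumes only the Python standard library; the secret name, namespace and time shown in the usage line are placeholders.

```python
import base64
import datetime
import json
import sys


def _tlv(buf, pos):
    """Read one DER TLV at pos. Return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, used by real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_validity(der):
    """Walk a DER X.509 certificate to its Validity; return (notBefore, notAfter) in UTC."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                  # validity SEQUENCE
    times = []
    for _ in range(2):
        tag, s, p = _tlv(der, p)            # 0x17 = UTCTime, 0x18 = GeneralizedTime
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        t = datetime.datetime.strptime(der[s:p].decode("ascii"), fmt)
        times.append(t.replace(tzinfo=datetime.timezone.utc))
    return times[0], times[1]


def pem_to_ders(pem_text):
    """Split a PEM bundle (cert-manager's tls.crt holds leaf then intermediates) into DER blobs."""
    ders = []
    for chunk in pem_text.split("-----END CERTIFICATE-----")[:-1]:
        body = chunk.split("-----BEGIN CERTIFICATE-----", 1)[1]
        ders.append(base64.b64decode("".join(body.split())))
    return ders


def secret_cert_validity(secret_json, now=None):
    """Given `kubectl get secret NAME -o json` output, return [(notBefore, notAfter, days_left), ...]."""
    secret = json.loads(secret_json)
    if "tls.crt" not in secret.get("data", {}):   # wrong secret (e.g. same name, other namespace)
        raise ValueError("secret has no tls.crt entry")
    pem = base64.b64decode(secret["data"]["tls.crt"]).decode("ascii")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return [(nb, na, (na - now).days) for nb, na in map(cert_validity, pem_to_ders(pem))]


if __name__ == "__main__":   # kubectl -n NAMESPACE get secret NAME -o json | python3 tls_crt_dates.py
    for nb, na, days in secret_cert_validity(sys.stdin.read()):
        print("notBefore=%s notAfter=%s days_left=%d" % (nb.isoformat(), na.isoformat(), days))
```

The first line of output is the leaf certificate; the following lines are the intermediates that cert-manager stores alongside it in tls.crt.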

This didn’t work in my case - I ended up going with setting the renewBefore field in the certificate spec to a value that would cause a certificate renewal:

kubectl -n <namespace> patch certificate example-certificate --type=merge -p '{"spec":{"renewBefore":"2159h00m00s"}}'

Just be sure to remove it after the cert renews, otherwise you’ll rate limit yourself.

kubectl -n <namespace> patch certificate example-certificate --type=json -p='[{"op": "remove", "path": "/spec/renewBefore"}]'

@lucasreed
This might be an option for you.

Funny enough, bambash and I work together. I’ve tried this as well without luck because of the rate-limiting.

