Force renewing of certificates with cert-manager

if you need to force the renewal of your certificates with cert-manager (under kubernetes), (possibly due to the 2020.02.29 CAA Rechecking Bug ), then you can delete the certificate in your kubernetes cluster and cert-manager will get a new one (tested with cert-manager 0.9.1).

The certificate will be in a kubernetes secret. Take care not to remove the wrong secret: there can be multiple secrets of the same name in different namespaces! Before deleting the secret you can have a look at it with kubectl get secret name_of_your_secret -o yaml. It should have an entry named tls.crt which is the certificate that was issued to you by letsencrypt.

If someone could report here on how one can display/decode the cert contained in the value of the tls.crt key, that would be extra useful!

4 Likes

You can try to run openssl x599 -noout -text -in $your certificate path to decode.

Appendix:
noout - Don’t output the certificates file content (the encoded content)
text - output in text format (in your console)

Thank you

2 Likes

To add to the previous answer you can get the details using the followng:

YOUR_NAMESPACE=<your namespace>
kubectl get secrets --namespace ${YOUR_NAMESPACE} -o json | jq -r '.items[].data | select(has("tls.crt")) | ."tls.crt"' | base64 -d | openssl x509 -noout -text

EDIT: note it is openssl x509 not x599

4 Likes

Thanks a lot for the code BellyBuster!

The code snippet you suggest will retrieve all secrets, however in the end only one certificate will be output… I suggest to instead to qualify the secret to retrive with both the namespace and the secret name, then you know what you’re getting:

kubectl get secrets -n $NAMESPACE $NAME_OF_SECRET -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -noout -text
1 Like

This didn’t work in my case - I ended up going with setting the renewBefore field in the certificate spec to a value that would cause a certificate renewal:

kubectl -n <namespace> patch certificate example-certificate --type=merge -p '{"spec":{"renewBefore":"2159h00m00s"}}'

Just be sure to remove it after the cert renews, otherwise you’ll rate limit yourself.

kubectl -n <namespace> patch certificate example-certificate --type=json -p='[{"op": "remove", "path": "/spec/renewBefore"}]'
2 Likes

@lucasreed
This might be an option for you.

Funny enough, bambash and I work together. I’ve tried this as well without luck because of the rate-limiting.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.