Kubernetes Cert Manager: Order stuck at pending

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pintarnya.com

I have these yaml:

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
type: Opaque
stringData:
  api-token: <API_TOKEN>
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "<EMAIL>"
    privateKeySecretRef:
      name: letsencrypt-account-key-staging
    solvers:
      - selector: {}
        dns01:
          cloudflare:
            email: <EMAIL>
            apiKeySecretRef:
              name: cloudflare-api-key-secret
              key: api-key

It produced this output:

kubectl describe certificaterequest

My hosting provider, if applicable, is: GKE

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

I'm using Envoy Gateway as the gateway controller, but I think because it's using a DNS challenge that isn't really related.

1 Like

kubectl describe certificate

I don't have personal experience that can help. But, your combination is unusual and complex. While someone here may be able to help, you may find better luck at a different forum like for cert-manager, Cloudflare or perhaps K8s

Also, could you possibly use a Cloudflare Origin CA Cert instead of one from Let's Encrypt? You proxy your domain at CF so are using its CDN. Their Origin CA cert allows HTTPS between its CDN edge and your origin server.

Your setup:
K8s
cert-manager
a domain name proxied at Cloudflare
using DNS Challenge involving some sort of gateway

3 Likes

Yeah, it's a bit complex. Basically the traffic flow we're going to have is like this:

client -> cloudflare -> gcp load balancer (external endpoint) -> kubernetes

so we need SSL on Kubernetes just so the GCP load balancer can connect to our Kubernetes.

But yeah, I'll try to just use Cloudflare Origin CA. Thanks!

1 Like

Oh, I don't think that will work then. It's only useful for Cloudflare CDN -> Origin Server.

The cert-manager, or Kubernetes, forums might be best to work through this design issue. Still, someone else here may have better insight.

4 Likes

After digging deeper, it turns out I had a wrong setup in the YAML. I used cloudflare-api-token-secret as the secret name, but in the reference I wrote it as cloudflare-api-key-secret.

And after resolving that, I found another issue: it should use apiTokenSecretRef rather than apiKeySecretRef.

So the complete YAML should be like this:

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
type: Opaque
stringData:
  api-token: <API_TOKEN>
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "<EMAIL>"
    privateKeySecretRef:
      name: letsencrypt-account-key-staging
    solvers:
      - selector: {}
        dns01:
          cloudflare:
            email: <EMAIL>
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              # must match the stringData key in the Secret above
              key: api-token

I don't know why the example from cert manager was confusing like that. Thanks for helping!

4 Likes
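The two mistakes in this thread (a secret name that does not exist, and a reference that does not match the Secret's data key) are easy to catch before cert-manager ever creates an Order. The following is an added example, not code from the thread or from the cert-manager project: it cross-checks a ClusterIssuer's Cloudflare DNS-01 secret references against the Secrets that exist. It assumes the objects are in the JSON form `kubectl get ... -o json` returns; here they are constructed inline to mirror the broken and fixed manifests above.

```python
# Added example (not from the thread): cross-check a cert-manager ClusterIssuer's
# Cloudflare DNS-01 secret references against the Secrets that actually exist.
# Input is the JSON form of the objects, e.g. from
#   kubectl get clusterissuer letsencrypt -o json
#   kubectl get secret -n cert-manager -o json
# The objects below are constructed to mirror the manifests in the thread.
from typing import Dict, List

# Secrets as {name: {data keys}}; ClusterIssuer secrets live in cert-manager's namespace.
SECRETS = {"cloudflare-api-token-secret": {"api-token"}}

def check_cloudflare_refs(issuer: dict, secrets: Dict[str, set]) -> List[str]:
    """Return human-readable findings; an empty list means every reference resolves."""
    findings = []
    for i, solver in enumerate(issuer["spec"]["acme"].get("solvers", [])):
        cf = solver.get("dns01", {}).get("cloudflare")
        if cf is None:
            continue
        refs = {k: cf[k] for k in ("apiTokenSecretRef", "apiKeySecretRef") if k in cf}
        if not refs:
            findings.append(f"solver[{i}]: no apiTokenSecretRef or apiKeySecretRef")
        # A global API key needs 'email'; a scoped API token does not.
        if "apiKeySecretRef" in refs and not cf.get("email"):
            findings.append(f"solver[{i}]: apiKeySecretRef requires 'email'")
        for field, ref in refs.items():
            name, key = ref.get("name"), ref.get("key")
            if name not in secrets:
                findings.append(f"solver[{i}].{field}: Secret '{name}' not found")
            elif key not in secrets[name]:
                findings.append(f"solver[{i}].{field}: Secret '{name}' has no key '{key}' "
                                f"(has {sorted(secrets[name])})")
    return findings

def issuer_with(field: str, name: str, key: str) -> dict:
    """Build a minimal ClusterIssuer like the one in the thread (constructed sample)."""
    return {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
            "metadata": {"name": "letsencrypt"},
            "spec": {"acme": {"server": "https://acme-staging-v02.api.letsencrypt.org/directory",
                              "solvers": [{"selector": {}, "dns01": {"cloudflare": {
                                  "email": "<EMAIL>", field: {"name": name, "key": key}}}}]}}}

BROKEN = issuer_with("apiKeySecretRef", "cloudflare-api-key-secret", "api-key")   # original post
FIXED = issuer_with("apiTokenSecretRef", "cloudflare-api-token-secret", "api-token")

if __name__ == "__main__":
    for label, obj in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_cloudflare_refs(obj, SECRETS) or ["OK"])
```

The same check applies to an Issuer, except that its Secrets are read from the Issuer's own namespace rather than cert-manager's.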
