Letsencrypt blocking cert-manager v0.11?

Oh, okay, that’s good to hear. Did you just use the documentation to figure out what exactly to do?

That’s correct. This is the document I followed.

1 Like

I followed those steps, and I see the request to Let's Encrypt for my cert, but then I never get a response.
cert-manager v0.11

Normal Requested 34m cert-manager Created new CertificateRequest resource "MY-DOMAIN-com-tls-2721100191"
Note this is stuck after 34m.

From the logs:
I1107 20:47:39.000655 1 sync.go:479] cert-manager/controller/certificates "level"=0 "msg"="CertificateRequest is not in a final state, waiting until CertificateRequest is complete" "related_resource_kind"="CertificateRequest" "related_resource_name"="DOMAIN.XXXXX-com-tls-2721100191" "related_resource_namespace"="DOMAIN" "resource_kind"="Certificate" "resource_name"="DOMAIN.XXXXX-com-tls" "resource_namespace"="" "state"="Pending"

I reverted to v0.10.0 and I am up and running for now

1 Like

We started seeing the same error on Tuesday:
E1108 18:51:27.547829 1 controller.go:180] certificates controller: Re-queuing item "" due to error processing: acme: urn:ietf:params:acme:error:rateLimited: Your ACME client is too old. Please upgrade to a newer version.

Then we upgraded to v0.8.2 but the problem didn’t go away. Based on the discussion going on above, I should be able to get it working on v0.8.2.

Am I missing something, @JamesLE?

Hi, @fulhaq,

v0.8.2 will be OK. Is it possible that error message is stale, and your v0.8.2 installation hasn’t actually resubmitted the item?

Hi, welcome to the forum! From the cert-manager release page it looks like there was never a v0.8.2. I also see no entries from v0.8.2 in our logs. Are you sure you have the version number right?

1 Like

James, thank you so much for your prompt response. It was indeed a problem with the incorrect version of cert-manager installed. I was able to bring it up to 10.1 and everything started working.

3 Likes

I had mistyped the version. It was actually 0.7.2 that I had installed. My helm/fluxd was reverting the cert-manager install to version 0.5.2. All started working once I upgraded to 0.10.1. I’m sure it would’ve worked with version 0.7.2 as well, but I went ahead and installed the newer version of cert-manager. Thank you for your input!

4 Likes

This is happening for a somewhat different reason for me today. When I invoke “helm install stable/cert-manager” from the 00-creds.yaml file jetstack/cert-manager repo, Kubernetes launches version 0.6.2 rather than 0.11.

“orders controller: Re-queuing item “instantlinux/nexus.instantlinux.net-1402059900” due to error processing: error creating new order: acme: urn:ietf:params:acme:error:rateLimited: Your ACME client is too old. Please upgrade to a newer version.”

2 Likes

The helm cert-manager chart is deprecated per https://github.com/helm/charts/tree/master/stable/cert-manager

This Helm chart is deprecated. All future changes to the cert-manager Helm chart should be made in the official repository. The latest version of the chart can be found on the Helm Hub.

Check out the link below for functioning instructions to install the latest cert-manager.

3 Likes

I hope this project (jetstack/cert-manager) overall gets to a proper 1.0 level of stability soon. My installation has been undermined by similar deprecations 2 or 3 times since I started using it. Any suggestions on automatically monitoring the status of my certs so I’ll know before things start failing if yet another installation-method update becomes necessary?

2 Likes

Hi @richb94114,

You should subscribe to the API announcements topic on the forum. As for certificate monitoring, there are many ways to test upcoming certificate expiry. I personally have used all of these methods. Pick whatever tool is the easiest for you to understand and implement.

Using openssl

$ echo | openssl s_client -connect "letsencrypt.org":443 -servername "letsencrypt.org" -verify_hostname "letsencrypt.org" 2>/dev/null | openssl x509 -noout -startdate -enddate
notBefore=Sep 29 16:33:36 2019 GMT
notAfter=Dec 28 16:33:36 2019 GMT

Using Sensu/Nagios checks

Using Prometheus and Alertmanager

Free services

4 Likes
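The expiry check from the post above, written as a Nagios/Sensu-style plugin. This is an added example, not part of the original post or of any project mentioned in the thread; the function names and the 30/14-day thresholds are assumptions chosen for illustration.

```python
"""Certificate expiry check using plugin exit codes (added example)."""
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # conventional Nagios plugin exit codes

def days_left(not_after, now=None):
    """Days until a notAfter string such as 'Dec 28 16:33:36 2019 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0

def classify(days, warn_days=30, crit_days=14):
    """Map remaining lifetime to a status; the thresholds are assumed defaults."""
    if days <= crit_days:
        return CRITICAL
    if days <= warn_days:
        return WARNING
    return OK

def fetch_not_after(host, port=443, timeout=10):
    """Do a verified TLS handshake (chain and hostname) and return notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check(host, port=443, now=None):
    """Return (status, message): TLS failures are CRITICAL, network failures UNKNOWN."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLError as exc:  # covers an already expired or mismatched certificate
        return CRITICAL, f"CRITICAL: TLS verification failed for {host}: {exc}"
    except OSError as exc:  # DNS failure, refused connection, timeout
        return UNKNOWN, f"UNKNOWN: cannot connect to {host}:{port}: {exc}"
    days = days_left(not_after, now)
    status = classify(days)
    label = ("OK", "WARNING", "CRITICAL")[status]
    return status, f"{label}: {host} expires in {days:.1f} days ({not_after})"

if __name__ == "__main__":
    status, message = check(sys.argv[1] if len(sys.argv) > 1 else "letsencrypt.org")
    print(message)
    sys.exit(status)
```

Because Let's Encrypt certificates are valid for 90 days and are normally renewed with about 30 days left, a WARNING from this check means a renewal has already been missed, which is the early signal asked for above.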

Super-helpful, thanks Phil!

3 Likes

Hardenize also has some really nice certificate-expiration notification functions.

Keep in mind you should always keep your ACME client up-to-date. This is particularly true for cert-manager, since they have been fixing a lot of excessive-traffic bugs and we have been blocking older versions correspondingly.

3 Likes
