Multi-level sub domain support AWS EKS

irfanjs · March 7, 2024, 9:53am

We are using lets encrypt certificate since long time and it was working fine till recently.
we have created approx 100 + URLs (single level and multilevel sub-domain).
Suddenly it stopped working in last few days while adding the new URLs.

My domain is: Oneenterprise.com

I ran the below command

kubectl get ingress -A ,
The output of this command , shows the ingress entries .
When we browse the URLs , it shows the application working but the SSL certificate is not issued / assigned

It produced this output:

root@CSX-Irfan:/home/irfan# kubectl get ingress -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
cloudcontroller oe-cloud-controller nginx-lc000 cloudcontroller.am.dev.oneenterprise.com ae3d4e78f646f4bf78aaaf198fefa38e-899486150.us-east-1.elb.amazonaws.com 80, 443 6d21h
cloudcontroller oe-cloud-controller-qa nginx-lc000 cloudcontroller.am.qa.oneenterprise.com ae3d4e78f646f4bf78aaaf198fefa38e-899486150.us-east-1.elb.amazonaws.com 80, 443 6d21h

My web server is (include version):
the environment is , AWS EKS cluster , version , 1.28
we are using ngnix ingress controller and all entries are added using yaml files .

The operating system my web server runs on is (include version):
we are using ubuntu OS

My hosting provider, if applicable, is:
Lets encrypt certificate . using cert manager . from bitnami helm package manager

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, we don't use control panel . Instead we use kubectl command line tools to manage the certificates and secrets .

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

MikeMcQ · March 7, 2024, 12:21pm

In the public cert logs I see many certs of subdomains of oneenterprise.com issued every day including today. Do you think all of them are failing or just some?

Can you explain more details of problem? Do you have a log or more details of an error message?

Those are two different ACME Clients. Can you explain why you would be using both? If you are using cert-manager you normally would not be using Certbot also.

irfanjs · March 7, 2024, 7:19pm

Thanks @MikeMcQ

Here are the more logs for the particular URL : https://magboeh10.am.dev.oneenterprise.com/

failed to list *v1.Challenge: the server could not find the requested resource (get challenges.acme.cert-manager.io)
W0307 14:49:45.383350 1 reflector.go:539] k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: failed to list *v1.Challenge: the server could not find the requested resource (get challenges.acme.cert-manager.io)
E0307 14:49:45.383390 1 reflector.go:147] k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1.Challenge: failed to list *v1.Challenge: the server could not find the requested resource (get challenges.acme.cert-manager.io)
W0307 14:50:32.643856 1 reflector.go:539] k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: failed to list *v1.Challenge: the server could not find the requested resource (get challenges.acme.cert-manager.io)
E0307 14:50:32.643909 1 reflector.go:147] k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1.Challenge: failed to list *v1.Challenge: the server could not find the requested resource (get challenges.acme.cert-manager.io)
E0307 14:50:45.720043 1 controller.go:167] "re-queuing item due to error processing" err="the server could not find the requested resource (post challenges.acme.cert-manager.io)" logger="cert-manager.orders" key="lc001/zim.oneenterprise.com-tls-1-977685139"
E0307 14:51:06.607069 1 controller.go:167] "re-queuing item due to error processing" err="the server could not find the requested resource (post challenges.acme.cert-manager.io)" logger="cert-manager.orders" key="lc001/magboeh10.am.dev.oneenterprise.com-tls-1-2010739064"

Im able to browse the application but without HTTPS
Further , we are using cert-manager and not the certbot. Sorry for the confusion

further , i followed below links and tried but no luck

github.com/cert-manager/cert-manager

Secrets not being cleaned up

opened 12:24AM - 31 Jul 19 UTC

closed 09:58AM - 07 Sep 19 UTC

richstokes

kind/bug

**Describe the bug**: We've been seeing a lot of errors in our logs like this: … `cert-manager/secret-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.certmanager.k8s.io \"example-tls4\" not found" "certificate"={"Namespace":"default","Name":"example-tls4"} "secret"={"Namespace":"default","Name":"example-tls4"` I believe cert-manager is looking at the secret and trying to do *something*(?) with it. However the resource which owned the secret has been deleted. In this case only the secret remained. Nothing under `kubectl get certificates`. Would it not make sense for cert-manager to automatically clean up these secrets once the resource/ingress has been deleted? **Expected behavior**: Orphaned secrets would be garbage collected/deleted **Steps to reproduce the bug**: Delete an ingress resource, the secret will remain. **Anything else we need to know?**: **Environment details:**: - Kubernetes version (e.g. v1.10.2): v1.12.8 - Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): AWS/kops - cert-manager version (e.g. v0.4.0): v0.8.1 - Install method (e.g. helm or static manifests): static /kind bug

github.com

cert-manager/cert-manager/blob/f1d591a5317fda693a8df755e4c9ceaece998dbb/cmd/controller/app/options/options.go#L275-L277


      
          	fs.BoolVar(&s.EnableCertificateOwnerRef, "enable-certificate-owner-ref", defaultEnableCertificateOwnerRef, ""+
          		"Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+
          		"When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.")

please suggest

MikeMcQ · March 7, 2024, 7:49pm

Those errors look like cert-manager trying to validate the acme challenge before it makes the cert request to the Let's Encrypt server. If the error was from the LE Server connecting to your domain the error messages would be very different. This points to a configuration problem in your setup. I am not a K8s expert so will not be able to help you debug that. Maybe someone else here will or try a different forum.

I don't see that you ever got a cert for magboeh10.am.dev.oneenterprise.com

I see you got a cert for your papad subdomain today. That looks to be using AWS ELB too. Are you sure mabgoeh10.am.dev is configured the same as your other ones that are working?

Here is a debug resource for cert-manager

system · April 6, 2024, 7:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to get secret after running certificate yml Help	37	1901	October 19, 2022
Cert-Manager, Letsencrypt in Kubernetes not giving me a Certification Help	2	5636	April 28, 2023
HTTPS encryption is not active for my domain. My Order certificates is not completed Server	7	5301	April 20, 2019
Issues with getting a certificate in kubernetes Help	5	5763	November 9, 2022
AWS EKS Letsencrypt - ACME certificates expired and unable to renew automatically Help	2	980	August 5, 2023

Multi-level sub domain support AWS EKS

Related topics