Problem with cert-manager and first time install on kubernetes cluster

Conditions:
Last Transition Time: 2023-01-23T11:41:16Z
Message: Certificate is up to date and has not expired
Observed Generation: 1
Reason: Ready
Status: True
Type: Ready
Last Transition Time: 2023-01-23T11:41:15Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: quickstart-example-tls-jc4j6
Not After: 2023-04-23T11:41:16Z
Not Before: 2023-01-23T11:41:16Z
Renewal Time: 2023-03-24T11:41:16Z
Events:
Type Reason Age From Message


Normal Issuing 42s cert-manager-certificates-trigger Issuing certificate as Secret does not exist
Normal Generated 42s cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "quickstart-example-tls-jc4j6"
Normal Requested 41s cert-manager-certificates-request-manager Created new CertificateRequest resource "quickstart-example-tls-tdfqb"
Normal Issuing 41s cert-manager-certificates-issuing Issued temporary certificate

That isn't a "temporary" certificate, it's a certificate that's valid for 90 days--which is all that Let's Encrypt issues. It will renew in 60 days,

5 Likes

What do you mean temporary? 90 days is the expected lifetime.

Does it work? Other issues?

5 Likes

Hi @vishall1166, and welcome to the LE community forum :slight_smile:

"Why i am getting temporary certificate?"
Because... There is no such thing as a permanent certificate.
All certificates issued by all global CAs are "temporary".

4 Likes

It is not working. Showing me 90 days period but not showing me https.

Then that is a use problem.
It would seem that your web service is NOT using the (new) certificate.

4 Likes

What's the actual error it's showing you?

5 Likes

Please tell us your domain name. We want to see for ourselves.

A certificate with valid dates but recognized as unsafe can be a lot of different issues, starting with a wrong clock on your PC.

6 Likes

Maybe you can't see the image uploaded.
It shows:
"Not secure | https://..."

3 Likes

Yes, I can see that--but the "not secure" indicates a specific error, which the browser has given somewhere, but the user hasn't shared with us. That's what I'm asking for.

"It would seem that your web service is NOT using the (new) certificate."

This is obviously not the case, because the browser is showing the correct issue and expiration dates.

3 Likes

That is a very good point.

We should "start over".
@vishall1166, you never got this "questionnaire" because you chose "Issuance Tech".
But this is a regular "Help" request and as such has been moved to "Help".


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

my domain is "www.billapaji.com"

OK, so your site is using a self-signed cert that's also (for some reason) valid for 90 days. So what does your question have to do with Let's Encrypt?

4 Likes

Why is it still showing me http?

It isn't; it's showing HTTPS. But since your site isn't using the Let's Encrypt certificate you got a month ago, but rather a self-signed certificate, you're getting a certificate error. Configure your site to use the correct cert and that error will go away. Nobody here can tell you how to do that--certainly not without your answers to the questions we've asked you.

5 Likes

cert-manager will create self-signed certificate by default:

this shows how to use acme protocol: but keep in mind example config use staging env: change server to prod api https://acme-v02.api.letsencrypt.org/directory will do

looking at their tutorials it looks more like internal management (like smallstep) than get external certificate like certbot and acme is afterthought

6 Likes
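The staging-to-production change described in the post above, written out as cert-manager manifests. This is an added example, not configuration posted in the thread: the Issuer and Ingress names, the e-mail address, the `nginx` ingress class, the host name and the backend Service are assumptions.

```yaml
# Added example (not from the thread). Values marked "assumed" are placeholders.
# Staging Issuer: certificates chain to an untrusted test root, so browsers
# still report "Not secure" even though the validity dates look correct.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging            # assumed name
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com           # assumed
    privateKeySecretRef:
      name: letsencrypt-staging        # Secret holding the ACME account key
    solvers:
      - http01:
          ingress:
            class: nginx               # assumed ingress class
---
# Production Issuer: identical except for the server URL and names.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod               # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com           # assumed
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
---
# The Ingress selects the Issuer by annotation; cert-manager writes the
# issued certificate into the Secret named under tls.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example                        # assumed
  annotations:
    cert-manager.io/issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts: [www.example.com]         # assumed host
      secretName: quickstart-example-tls   # assumed from the Secret prefix in the output above
  rules:
    - host: www.example.com
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: web, port: {number: 80}}}}
```

The Issuer and the Ingress must be in the same namespace; for a cluster-wide issuer, use `kind: ClusterIssuer` and the `cert-manager.io/cluster-issuer` annotation instead.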

4 Likes

Who hosts your site?
Who is the admin?

3 Likes

I am the admin. Please help me. How can I generate a certificate? Do I need to use cert-manager or certbot?

There may be more than one ACME client that fits your needs.

Please answer all of the questions:


And: Who manages the Kubernetes?

4 Likes