Production certificate of mvp-preview-idp-ra.centralus.cloudapp.azure.com seems to be expired. Please help to renew the certificate for this domain. This is a really urgent need.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mvp-preview-idp-ra.centralus.cloudapp.azure.com

I ran this command: kubectl get certificates -n mvp-preview

It produced this output:
NAME READY SECRET AGE
mvp-preview-idp-ra.centralus.cloudapp.azure.com True mvp-preview-idp-ra.centralus.cloudapp.azure.com 131d

My web server is (include version):

The operating system my web server runs on is (include version): WSL2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Please find the issuer status:
kubectl get issuer -n mvp-preview
NAME READY AGE
letsencrypt-prod True 131d
letsencrypt-staging True 131d

Below is the describe output of the certificate:

kubectl describe certificates -n mvp-preview

Name: mvp-preview-idp-ra.centralus.cloudapp.azure.com
Namespace: mvp-preview
Labels:
Annotations:
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2022-07-01T13:39:35Z
Generation: 2
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:ownerReferences:
.:
k:{"uid":"50e8146e-624a-4472-ad43-3e74dac3f283"}:
f:spec:
.:
f:dnsNames:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:secretName:
f:usages:
Manager: cert-manager-ingress-shim
Operation: Update
Time: 2022-07-01T13:39:34Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:conditions:
k:{"type":"Ready"}:
.:
f:lastTransitionTime:
f:message:
f:observedGeneration:
f:reason:
f:status:
f:type:
f:notAfter:
f:notBefore:
f:renewalTime:
Manager: cert-manager-certificates-readiness
Operation: Update
Subresource: status
Time: 2022-07-01T13:44:25Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:failedIssuanceAttempts:
f:lastFailureTime:
f:revision:
Manager: cert-manager-certificates-issuing
Operation: Update
Subresource: status
Time: 2022-11-06T11:09:24Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:nextPrivateKeySecretName:
Manager: cert-manager-certificates-key-manager
Operation: Update
Subresource: status
Time: 2022-11-06T12:09:24Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:conditions:
.:
k:{"type":"Issuing"}:
.:
f:lastTransitionTime:
f:message:
f:observedGeneration:
f:reason:
f:status:
f:type:
Manager: cert-manager-certificates-trigger
Operation: Update
Subresource: status
Time: 2022-11-06T12:09:24Z
Owner References:
API Version: networking.k8s.io/v1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: admin-service-ingress
UID: 50e8146e-624a-4472-ad43-3e74dac3f283
Resource Version: 86525879
UID: ecd64ddd-2e4a-4caa-9558-edc32023aa1c
Spec:
Dns Names:
mvp-preview-idp-ra.centralus.cloudapp.azure.com
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-prod
Secret Name: mvp-preview-idp-ra.centralus.cloudapp.azure.com
Usages:
digital signature
key encipherment
Status:
Conditions:
Last Transition Time: 2022-07-01T13:44:25Z
Message: Certificate is up to date and has not expired
Observed Generation: 2
Reason: Ready
Status: True
Type: Ready
Last Transition Time: 2022-11-06T12:09:24Z
Message: Renewing certificate as renewal was scheduled at 2022-10-29 11:44:47 +0000 UTC
Observed Generation: 2
Reason: Renewing
Status: True
Type: Issuing
Failed Issuance Attempts: 1
Last Failure Time: 2022-11-06T11:09:24Z
Next Private Key Secret Name: mvp-preview-idp-ra.centralus.cloudapp.azure.com-n2tnb
Not After: 2022-11-28T11:44:47Z
Not Before: 2022-08-30T11:44:48Z
Renewal Time: 2022-10-29T11:44:47Z
Revision: 4
Events:
gsingh34@IDPWVDDEV038:~$

There should be an active cert available:
crt.sh | mvp-preview-idp-ra.centralus.cloudapp.azure.com

What shows?:
certbot certificates


Below is the output. I also feel that the production certificate for this domain has not expired. But the HTTPS connections for this domain stopped working. Hence, it's a matter of worry what has happened with this certificate.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.


cat /var/log/letsencrypt/letsencrypt.log
cat: /var/log/letsencrypt/letsencrypt.log: Permission denied
gsingh34@IDPWVDDEV038:~$ sudo cat /var/log/letsencrypt/letsencrypt.log
2022-11-09 17:09:53,036:DEBUG:certbot.main:certbot version: 0.40.0
2022-11-09 17:09:53,036:DEBUG:certbot.main:Arguments:
2022-11-09 17:09:53,047:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-11-09 17:09:53,095:DEBUG:certbot.log:Root logging level set at 20
2022-11-09 17:09:53,095:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

Also, I just checked the challenge status for the mvp-preview namespace. Please find the details below and let us know the solution. Thanks.

kubectl describe challenges -n mvp-preview
Name: mvp-preview-idp-ra.centralus.cloudapp.azure.com-2wbr-1640569823
Namespace: mvp-preview
Labels:
Annotations:
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2022-11-06T12:09:26Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:ownerReferences:
.:
k:{"uid":"77681d18-67a7-4f9f-b3c4-feb1f8af3784"}:
f:spec:
.:
f:authorizationURL:
f:dnsName:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:key:
f:solver:
.:
f:http01:
.:
f:ingress:
.:
f:class:
f:token:
f:type:
f:url:
f:wildcard:
Manager: cert-manager-orders
Operation: Update
Time: 2022-11-06T12:09:26Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.acme.cert-manager.io":
Manager: cert-manager-challenges
Operation: Update
Time: 2022-11-06T12:09:27Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:presented:
f:processing:
f:reason:
f:state:
Manager: cert-manager-challenges
Operation: Update
Subresource: status
Time: 2022-11-06T12:09:29Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: mvp-preview-idp-ra.centralus.cloudapp.azure.com-2wbr-387783086
UID: 77681d18-67a7-4f9f-b3c4-feb1f8af3784
Resource Version: 86525964
UID: 23e2fa7d-2efb-4845-8487-40a98541030d
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/173044912677
Dns Name: mvp-preview-idp-ra.centralus.cloudapp.azure.com
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt-prod
Key: FYlkenhICZrkkAmTUT7wqRXmcYQ3Pwdk7fji73DPi0M.5kL5IfRKYKxXCQ8WGQgWNOoXjK8SIfqMWLFh-HWcLUI
Solver:
http01:
Ingress:
Class: nginx
Token: FYlkenhICZrkkAmTUT7wqRXmcYQ3Pwdk7fji73DPi0M
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/173044912677/A7c1oA
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://mvp-preview-idp-ra.centralus.cloudapp.azure.com/.well-known/acme-challenge/FYlkenhICZrkkAmTUT7wqRXmcYQ3Pwdk7fji73DPi0M': Get "http://mvp-preview-idp-ra.centralus.cloudapp.azure.com/.well-known/acme-challenge/FYlkenhICZrkkAmTUT7wqRXmcYQ3Pwdk7fji73DPi0M": dial tcp 13.86.32.78:80: connect: connection refused
State: pending
Events:

I guess you are not using certbot.
From the output, you might be using cert-manager?


Yes, cert-manager.

This error stated that domain validation is failing because it can't perform the required http request to your system. Check you haven't closed TCP port 80 on the firewall which applies to this system.

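The "failed to perform self check" reason above is cert-manager doing exactly this before it asks Let's Encrypt to validate: open TCP port 80, GET the ACME path, compare the body with the key authorization. The following added example (not from the thread or from cert-manager) reproduces that self check so it can be run from outside the cluster; the token and key are constructed placeholders, and `host`/`port` exist only so the check can be pointed at a test server.

```python
"""HTTP-01 self check, mirroring the three stages cert-manager reports on."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed sample mirroring the Challenge spec fields in the thread.
# Real token/key values come from the Challenge object; these are placeholders.
SAMPLE_CHALLENGE = {
    "dnsName": "mvp-preview-idp-ra.centralus.cloudapp.azure.com",
    "token": "EXAMPLE-TOKEN",
    "key": "EXAMPLE-TOKEN.EXAMPLE-ACCOUNT-THUMBPRINT",  # key authorization = token.thumbprint
}


@dataclass
class CheckResult:
    ok: bool
    stage: str  # "tcp" (connect failed), "http" (GET failed), "body" (content compared)
    detail: str


def check_http01(dns_name, token, key, host=None, port=80, timeout=5.0):
    """Connect to port 80, fetch /.well-known/acme-challenge/<token>, compare with key.

    host/port default to the dnsName on port 80 (what the ACME server will use);
    they are overridable so the check can be aimed at a stub server in a test.
    """
    target = host or dns_name
    # Stage 1: plain TCP reachability, the stage that failed in the thread
    # ("dial tcp 13.86.32.78:80: connect: connection refused").
    try:
        with socket.create_connection((target, port), timeout=timeout):
            pass
    except OSError as e:
        return CheckResult(False, "tcp", f"dial tcp {target}:{port}: {e}")
    # Stage 2: HTTP GET with the real Host header, so ingress routing is exercised.
    url = f"http://{target}:{port}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"Host": dns_name})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as e:
        return CheckResult(False, "http", f"GET {url}: HTTP {e.code}")
    except (urllib.error.URLError, OSError) as e:
        return CheckResult(False, "http", f"GET {url}: {e}")
    # Stage 3: the body must be exactly the key authorization (token.thumbprint).
    if body != key:
        return CheckResult(False, "body", f"expected {key!r}, got {body!r}")
    return CheckResult(True, "body", "key authorization matches")
```

A `tcp` failure means the request never reached the ingress (network path, NSG, load balancer), which is the case in this thread; `http` or `body` failures point at ingress routing or the solver pod instead.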

TCP port 80 is already open and there is no firewall configured in the system.

Then keep looking...
Something is preventing access from the Internet to:
http://mvp-preview-idp-ra.centralus.cloudapp.azure.com/


So, could you please confirm whether there are any issues at the HTTPS certificate level, or whether it's a system-related issue?

The renewal problem is NOT HTTPS related.


I am still not able to find the cause of this.
Its mvp-preview2 domain is also in the same public domain AKS cluster, which is working, but mvp-preview is not working.
I did curl as below:

curl http://mvp-preview-idp-ra.centralus.cloudapp.azure.com/idp/typesystem/swagger-ui/
dial tcp 10.23.0.69:0->13.86.32.78:80: i/o timeout

That is the HTTP problem you need to resolve [before LE can issue a cert via HTTP-01 authentication].
