Apologies for not filling out the standard forms; I think this may be a 'nothing' question, but I simply wanted to confirm behaviour. I have installed cert-manager on a number of clusters and then deployed a cluster-issuer, and everything worked great. I use nginx ingress controllers to route traffic to our services and have successfully been using Let's Encrypt by adding the annotation cert-manager.io/cluster-issuer: cluster-issuer and providing a secret value.
One of the clusters I created a few months ago caused a cert-expiry-bot email to go out, which is great! I like to know these things. We use argocd for our deployments, and it looks to me like a new certificate was created after the 60-day period. I was just wondering if I need to do anything, or if I simply got that email because one was going to expire and it will switch over itself gracefully.
I can't actually check the cert directly... We use cloudflare to proxy our web apps, so the certs are generally only serving traffic to cloudflare (we did use their origin certs that last 15 years, but then we have to write them to the clusters/namespaces etc. and it's just a bit of a hassle).
The certs you see when visiting our sites are the cloudflare ones. The only time these Let's Encrypt certs are exposed is via a rabbitmq ingestion endpoint; as it's on a random port and cloudflare will only proxy 80/443, we just use cloudflare for DNS in that instance.
Alas, there's no place for me to browse the exposed endpoint, as it's not a traditional website; it's really for amqp traffic only. It's awkward for sure.
If I understand right, you have a service on a non-standard port that uses the LE cert. But you have a public DNS A (AAAA?) record for it.
Does a command like this work to show the cert?
echo | openssl s_client -connect DOMAIN:PORT | head
Where DOMAIN is the domain of the endpoint and PORT is the port.
If you need to reach the Origin by public IP address you can use:
echo | openssl s_client -connect X.X.X.X:PORT -servername DOMAIN | head
Where X.X.X.X is the public IP of your Origin server, and DOMAIN and PORT are as above.
That said, as the previous volunteers pointed out, you can look at your cert history with a tool like https://crt.sh (or the Let's Debug Toolkit) and compare that carefully to the email you received. It is almost always because you got certs with different combinations of names.
These openssl commands should show you the cert being actively used.
Ah! https://crt.sh/ does work and says that it will expire in a week... so that implies it's not using the second cert that has been generated. I wonder, if I just delete/recreate the service, will it work?
There are two cert requests, one from 3 months ago and one from 19 days ago. The 'new' one has cert-manager.io/certificate-revision: '2', so it has generated something new; it just seems that it's not been picked up by the ingress, maybe. Looking at the crt.sh results, I can see Not After : Feb 13 14:58:51 2025 GMT.
Is the list of SAN domain names the same in both certs? In crt.sh you will need to click the cert detail and scroll down. The Let's Debug toolkit search is an easier display for this.
Using actual domain names would make this easier. We can look at it using any tooling we have and explain exactly what is happening.
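A script that ties together the two checks suggested above (the openssl s_client look at the cert actually served on the non-standard port, and the SAN comparison between certs), as an added example that is not part of the thread. It assumes openssl and kubectl are on the PATH and that the Secret name, namespace, host, port and SNI name are supplied by the caller; the served-vs-stored comparison is what tells you whether the ingress picked up the cert-manager revision '2' certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Each cert_* helper reads one PEM
# certificate on stdin and prints a single fact about it, so the same helpers
# work on a cert pulled from a live endpoint or from a Kubernetes Secret.

# SHA-256 fingerprint, e.g. AB:CD:... (works with OpenSSL 1.1 and 3.x output).
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry as printed by openssl, e.g. "Feb 13 14:58:51 2025 GMT".
cert_enddate() {
  openssl x509 -noout -enddate | cut -d= -f2
}

# Sorted DNS SANs, one per line, parsed from the -text extension dump.
cert_sans() {
  openssl x509 -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p' | sort
}

# Leaf certificate served at HOST:PORT when SNI name NAME is sent (PEM on stdout).
served_cert() {  # served_cert HOST PORT NAME
  echo | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
    | openssl x509
}

# tls.crt from the Secret cert-manager wrote for the Certificate (PEM on stdout).
secret_cert() {  # secret_cert NAMESPACE SECRET
  kubectl get secret -n "$1" "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Exit 0 when the endpoint serves exactly the cert stored in the Secret,
# i.e. the ingress has picked up the latest cert-manager revision.
cert_in_sync() {  # cert_in_sync HOST PORT NAME NAMESPACE SECRET
  served=$(served_cert "$1" "$2" "$3" | cert_fingerprint)
  stored=$(secret_cert "$4" "$5" | cert_fingerprint)
  echo "served: $served"
  echo "stored: $stored"
  [ -n "$served" ] && [ "$served" = "$stored" ]
}

# Usage: ./check.sh HOST PORT NAME NAMESPACE SECRET (only runs when all 5 given).
if [ "$#" -eq 5 ]; then
  cert_in_sync "$@" && echo "in sync" || echo "MISMATCH: ingress still serves an older cert"
fi
```

If the fingerprints differ, pipe each side through cert_enddate and cert_sans to see which revision the endpoint is still serving and whether the SAN lists match the ones shown by crt.sh.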