Unable to get secret after running certificate yml

I have a domain that is public in a cloud environment and already has Let's Encrypt certs.
But when I create a certificate for another subdomain, the TLS certificate is not generated in the secret; only the key is there.
When I check the order status, it says Pending.
The domain has a LoadBalancer IP; however, the IP of the LoadBalancer is not attached to the service ingress, only the HOSTNAME shows up, without the LB IP ADDRESS.
How do I solve this issue? Kindly guide. Thanks.


It is possible that the ACME client precheck for HTTP access to the subdomain name is failing because there is no ingress controller connected to respond for the subdomain name.


To me, you're talking a lot of gibberish, probably because I lack an understanding of the setup you're talking about. Let's start with the basics, in the form of the questionnaire you should have been presented with (or which you have deleted, either one of those) when opening this thread in the #help section. Please answer all the questions to the best of your knowledge:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Sorry Osiris, I am not getting your point.
The workstation is not in 192.168.x.x; it is in the 10.x.x.x range.
What could be the reason that A.example.com is able to retrieve the certificate,
but B.example.com is unable to get a Let's Encrypt certificate?
The subdomain B.example.com is connected to the ingress controller.

  Issuer Ref:
    Name:         letsencrypt-prod-mvp-preview2
  Secret Name:    B.example.com.centralus.cloudapp.azure.com
Status:
  Conditions:
    Last Transition Time:  2022-09-12T14:18:37Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
    Last Transition Time:  2022-09-12T14:18:38Z
    Message:               Issuing certificate as Secret contains an invalid key-pair: tls: failed to find any PEM data in certificate input
    Observed Generation:   2
    Reason:                InvalidKeyPair
    Status:                False
    Type:                  Ready
  Next Private Key Secret Name:  mvp-preview2-idp-ra.centralus.cloudapp.azure.com-6mq88
Events:


I am not using certbot. I use the YAML file below to generate the certificate; it gave the error messages above when I described the certificate.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: B.example.centralus.cloudapp.azure.com
  namespace: mvp-preview2
spec:
  secretName: B.example.centralus.cloudapp.azure.com
  issuerRef:
    name: letsencrypt-prod-mvp-preview2
  dnsNames:


Below is the ingress output, which shows that it has the domain and the ingress class attached, but the LB IP does not get attached. Not sure of the reason.

k get ingress -n mvp-preview2
NAME                        CLASS              HOSTS                                    ADDRESS   PORTS     AGE
B-service-ingress           ingress-internal   B.example.centralus.cloudapp.azure.com             80, 443   22h
cm-acme-http-solver-qgpgv                      B.example.centralus.cloudapp.azure.com             80        5h10m

====================================================

k get svc -n ingress-nginx-mvp-preview-2
NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.0.130.70    52.189.31.62   80:30081/TCP,443:31400/TCP   20h
ingress-nginx-controller-admission   ClusterIP      10.0.217.214                  443/TCP                      20h


The questionnaire is usually the starting point of a thread to have the most basic information present to start with, instead of diving deep into very specific details. Having many details without the basics and without any cohesion often makes it difficult to understand the situation for outsiders.


Hello @gsingh86

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!


My domain is: mvp-preview2-idp-ra.centralus.cloudapp.azure.com

I ran this command: kubectl get orders -A

It produced this output: mvp-preview2 mvp-preview2-idp-ra.centralus.cloudapp.azure.com-wv6-1904620340 pending 6h42m

My web server is (include version): Linux 5.10.16.3-microsoft-standard-WSL2 (workstation)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The TLS secret is not being generated for mvp-preview2-idp-ra.centralus.cloudapp.azure.com, so the certificate cannot be generated.


We have mvp-preview-idp-ra.centralus.cloudapp.azure.com, which already has a TLS certificate and is in the same subnet.
I am not getting why mvp-preview2-idp-ra.centralus.cloudapp.azure.com is not able to retrieve a certificate.
kubectl describe certificate output:
  Issuer Ref:
    Name:         letsencrypt-prod-mvp-preview2
  Secret Name:    mvp-preview2-idp-ra.centralus.cloudapp.azure.com
Status:
  Conditions:
    Last Transition Time:  2022-09-12T14:18:37Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
    Last Transition Time:  2022-09-12T14:18:38Z
    Message:               Issuing certificate as Secret contains an invalid key-pair: tls: failed to find any PEM data in certificate input
    Observed Generation:   2
    Reason:                InvalidKeyPair
    Status:                False
    Type:                  Ready
  Next Private Key Secret Name:  mvp-preview2-idp-ra.centralus.cloudapp.azure.com-6mq88
Events:


I don't know your ACME client or config very well. But it sounds like they should be similar, yet they look different to me.

The two names resolve to two different IPs. Is that intended?

nslookup mvp-preview-idp-ra.centralus.cloudapp.azure.com
Address: 13.86.32.78

nslookup mvp-preview2-idp-ra.centralus.cloudapp.azure.com
Address: 20.236.224.240

AND, I get an HTTP response from preview but not from preview2 (which times out)

curl -I -m10  mvp-preview-idp-ra.centralus.cloudapp.azure.com
HTTP/1.1 308 Permanent Redirect
Date: Sat, 17 Sep 2022 17:46:20 GMT
Location: https://mvp-preview-idp-ra.centralus.cloudapp.azure.com

curl -I -m10  mvp-preview2-idp-ra.centralus.cloudapp.azure.com
curl: (28) Connection timed out after 10000 milliseconds

The preview2 domain should respond on http if you are using the HTTP Challenge.

You may need to ask on a kubernetes forum for config help to resolve why this happens.

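The reply above (and the earlier remark that the ACME client's HTTP precheck fails when no ingress controller answers for the name) boils down to three values that must agree before Let's Encrypt can reach the cm-acme-http-solver pod: the Ingress ADDRESS, the ingress controller Service EXTERNAL-IP, and the IP that public DNS returns for the hostname. The script below is an added example, not code from the thread or from cert-manager. It parses the `kubectl get` tables the way they are actually laid out (the empty ADDRESS cell breaks naive whitespace splitting) and turns the three values into a verdict; the namespace, Ingress and Service names are assumptions lifted from the listings quoted in the thread, and the sample tables are constructed to mirror them.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: triage a cert-manager HTTP-01 order that
# sits in "pending". Let's Encrypt can only reach the cm-acme-http-solver pod if
# three things agree: the Ingress ADDRESS, the ingress controller Service
# EXTERNAL-IP, and the IP the hostname resolves to from the public Internet.
# Namespace, Ingress and Service names used below are assumptions taken from the
# listings quoted in the thread.

# --- constructed samples, modelled on the `kubectl get` listings in the thread ---
# Built with printf so the fixed-width columns line up the way kubectl prints them.
# The ADDRESS column is empty for both Ingresses, exactly the symptom under discussion.
row()  { printf '%-28s%-19s%-41s%-10s%-10s%s\n' "$@"; }
srow() { printf '%-37s%-15s%-15s%-15s%-29s%s\n' "$@"; }

SAMPLE_INGRESS="$(
  row NAME CLASS HOSTS ADDRESS PORTS AGE
  row B-service-ingress ingress-internal B.example.centralus.cloudapp.azure.com '' '80, 443' 22h
  row cm-acme-http-solver-qgpgv '<none>' B.example.centralus.cloudapp.azure.com '' 80 5h10m
)"
SAMPLE_SVC="$(
  srow NAME TYPE CLUSTER-IP EXTERNAL-IP 'PORT(S)' AGE
  srow ingress-nginx-controller LoadBalancer 10.0.130.70 52.189.31.62 80:30081/TCP,443:31400/TCP 20h
  srow ingress-nginx-controller-admission ClusterIP 10.0.217.214 '<none>' 443/TCP 20h
)"

# cell_of ROW_NAME COLUMN NEXT_COLUMN   (kubectl table on stdin)
# Cuts the cell by the header's character offsets rather than by whitespace:
# an empty ADDRESS cell would otherwise shift every later field one column left,
# which is why `awk '{print $4}'` silently reports PORTS as the address.
# kubectl's "<none>" placeholder is normalised to an empty string.
cell_of() {
  awk -v name="$1" -v col="$2" -v nxt="$3" '
    NR == 1 { s = index($0, col); e = index($0, nxt); next }
    s && e && $1 == name {
      cell = substr($0, s, e - s)
      gsub(/^ +| +$/, "", cell)
      if (cell == "<none>") cell = ""
      print cell; found = 1; exit
    }
    END { exit found ? 0 : 1 }'
}

# http01_verdict INGRESS_ADDRESS LB_EXTERNAL_IP RESOLVED_IP
# Pure decision logic, so it can be exercised without a cluster. Exit codes:
# 1 = no controller has adopted the Ingress, 2 = Ingress and controller disagree,
# 3 = public DNS points elsewhere, 0 = the validation path is plausible.
http01_verdict() {
  ing="$1"; lb="$2"; dns="$3"
  if [ -z "$ing" ]; then
    echo "Ingress has no ADDRESS: no controller serving its IngressClass has adopted it, so the solver is unreachable"
    return 1
  fi
  if [ "$ing" != "$lb" ]; then
    echo "Ingress ADDRESS $ing differs from the controller Service EXTERNAL-IP $lb"
    return 2
  fi
  if [ "$dns" != "$lb" ]; then
    echo "public DNS resolves to $dns but the ingress controller is at $lb"
    return 3
  fi
  echo "ok: $dns is the ingress controller; the HTTP-01 request can reach the solver"
  return 0
}

# Live run against a cluster (needs kubectl, getent and curl; not run by default):
#   sh http01-triage.sh --live B.example.centralus.cloudapp.azure.com mvp-preview2 \
#       B-service-ingress ingress-nginx-mvp-preview-2
live_check() {
  host="$1"; ns="$2"; ingress="$3"; ctrl_ns="$4"
  ing_addr="$(kubectl get ingress -n "$ns" | cell_of "$ingress" ADDRESS PORTS)"
  lb_ip="$(kubectl get svc -n "$ctrl_ns" | cell_of ingress-nginx-controller EXTERNAL-IP 'PORT(S)')"
  dns_ip="$(getent ahostsv4 "$host" | awk '{ print $1; exit }')"
  http01_verdict "$ing_addr" "$lb_ip" "$dns_ip" || return $?
  # The solver must answer plain HTTP from outside the cluster. A timeout here is the
  # symptom the thread shows; any HTTP status, even 404 for a made-up token, proves
  # that the request reached the controller.
  curl -sS -o /dev/null -m 10 -w 'HTTP %{http_code} from %{remote_ip}\n' \
    "http://$host/.well-known/acme-challenge/probe-token"
}

if [ "${1:-}" = "--live" ]; then
  shift
  live_check "$@"
fi
```

Run it with `--live` from a machine that has cluster credentials and an outside view of DNS. On the thread's own listings the verdict is the first branch: the Ingress shows no ADDRESS even though the controller Service has an EXTERNAL-IP, which means no controller serving the `ingress-internal` class has adopted it, so neither the site nor the cm-acme-http-solver Ingress is reachable on port 80 and the order stays pending. Note also that the Ingress is pointed at an internal class while the curl check must succeed from the public Internet; the class the HTTP-01 solver Ingress gets must be served by a controller with a public address.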

Hello Team,

Both of these subdomains belong to the same AKS cluster and are isolated in different namespaces.
DNS is created with a public IP address, which is provided by DHCP.


And does that DHCP update DNS with new A and/or AAAA records when it issues a new IP address?
And does that propagate all the way out to the Internet-visible DNS servers?
And what is the TTL for those DNS records?


It is all maintained by AKS, so it is difficult to describe the DHCP setup.


Forgive my ignorance, but who or what is AKS? :confused:


Azure Kubernetes Service


It's a Kubernetes cloud service provided by Azure.


I cannot do much on the DNS side; can you suggest any alternatives?


Can you choose another challenge type (Challenge Types - Let's Encrypt) or use a wildcard certificate?


Can you share the steps for generating a wildcard certificate?
