Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
786 views
in Technique[技术] by (71.8m points)

kubernetes - Cert-Manager: renewing dns01 certificate not working

We are using Cert-manager to manage the tls certifications for a website. The website's certificate expired yesterday, I tried to investigate why cert-manager was not doing its job.

I have checked the details of the certificate fakename-io-cert; it looks like cert-manager tried to renew the cert one month ago?:

$ kubectl describe cert/fakename-io-cert

Name:         fakename-io-cert
Namespace:    stage
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-10-28T17:10:08Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:commonName:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:privateKey:
          .:
          f:rotationPolicy:
        f:secretName:
    Manager:      kubectl
    Operation:    Update
    Time:         2020-10-28T17:10:08Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:nextPrivateKeySecretName:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:         controller
    Operation:       Update
    Time:            2021-01-27T20:26:11Z
  Resource Version:  28153132
  Self Link:         /apis/cert-manager.io/v1/namespaces/stage/certificates/fakename-io-cert
  UID:               193717dd-0c00-43c5-8bde-5b7f981a5558
Spec:
  Common Name:  *.fakename.io
  Dns Names:
    fakename.io
    *.fakename.io
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-prod
  Private Key:
    Rotation Policy:  Always
  Secret Name:        cert-stage-wildcard
Status:
  Conditions:
    Last Transition Time:        2021-01-27T20:26:11Z
    Message:                     Certificate expired on Tue, 26 Jan 2021 16:10:10 UTC
    Reason:                      Expired
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2020-12-27T16:10:10Z
    Message:                     Renewing certificate as renewal was scheduled at 2020-12-27 16:10:10 +0000 UTC
    Reason:                      Renewing
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  fakename-io-cert-cjmpk
  Not After:                     2021-01-26T16:10:10Z
  Not Before:                    2020-10-28T16:10:10Z
  Renewal Time:                  2020-12-27T16:10:10Z
  Revision:                      1
Events:                          <none>

The following is information about other related resources, such as certificaterequests, certificates, and secrets:

$ kubectl get certificaterequests  
NAME                     READY   AGE
fakename-io-cert-8nxb6   False   31d
fakename-io-cert-k79kq   True    91d

$ kubectl get certificates
NAME               READY   SECRET                AGE
fakename-io-cert   False   cert-stage-wildcard   91d

$ kubectl get secrets
NAME                              TYPE                                  DATA   AGE
cert-stage-wildcard               kubernetes.io/tls                     2      91d
fakename-io-cert-cjmpk            Opaque                                1      31d

$ kubectl describe secrets/cert-stage-wildcard
Name:         cert-stage-wildcard
Namespace:    stage
Labels:       <none>
Annotations:  cert-manager.io/alt-names: *.fakename.io,fakename.io
              cert-manager.io/certificate-name: fakename-io-cert
              cert-manager.io/common-name: *.fakename.io
              cert-manager.io/ip-sans: 
              cert-manager.io/issuer-group: 
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-prod
              cert-manager.io/uri-sans: 

Type:  kubernetes.io/tls

Data
====
tls.crt:  3570 bytes
tls.key:  1675 bytes

$ kubectl describe secrets/fakename-io-cert-cjmpk
Name:         fakename-io-cert-cjmpk
Namespace:    stage
Labels:       cert-manager.io/next-private-key=true
Annotations:  <none>

Type:  Opaque

Data
====
tls.key:  1700 bytes

And then the ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: issuer-account-key
    solvers:
      - selector:
          dnsNames:
          - fakename.io
        dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns
              key: do-access-token

Does anyone have any idea why this is not working?

UPDATE: The following logs are found in cert-manager's logs:

I0122 20:40:15.494843       1 reflector.go:207] Starting reflector *v1.Secret (30s) from external/io_k8s_client_go/tools/cache/reflector.go:156
I0122 20:40:15.495228       1 reflector.go:207] Starting reflector *v1.Pod (30s) from external/io_k8s_client_go/tools/cache/reflector.go:156
E0122 20:40:15.527258       1 util.go:71] cert-manager/controller/certificaterequests/handleOwnedResource "msg"="error getting referenced owning resource" "error"="certificaterequest.cert-manager.io "fakename-io-cert-8nxb6" not found" "related_resource_kind"="CertificateRequest" "related_resource_name"="fakename-io-cert-8nxb6" "related_resource_namespace"="stage" "resource_kind"="Order" "resource_name"="fakename-io-cert-8nxb6-31268985" "resource_namespace"="stage" "resource_version"="v1" 
E0122 20:40:15.540473       1 util.go:71] cert-manager/controller/certificaterequests/handleOwnedResource "msg"="error getting referenced owning resource" "error"="certificaterequest.cert-manager.io "fakename-io-cert-k79kq" not found" "related_resource_kind"="CertificateRequest" "related_resource_name"="fakename-io-cert-k79kq" "related_resource_namespace"="stage" "resource_kind"="Order" "resource_name"="fakename-io-cert-k79kq-31268985" "resource_namespace"="stage" "resource_version"="v1" 
E0122 20:40:17.801204       1 controller.go:158] cert-manager/controller/orders "msg"="re-queuing item  due to error processing" "error"="ACME client for issuer not initialised/available" "key"="stage/fakename-io-cert-k79kq-31268985" 
E0122 20:40:17.850290       1 controller.go:158] cert-manager/controller/orders "msg"="re-queuing item  due to error processing" "error"="ACME client for issuer not initialised/available" "key"="stage/fakename-io-cert-8nxb6-31268985" 
I0122 20:40:17.917857       1 setup.go:170] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="issuer-account-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging" "resource_namespace"="" "resource_version"="v1" 
I0122 20:40:17.919532       1 setup.go:170] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="issuer-account-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-prod" "resource_namespace"="" "resource_version"="v1" 
E0122 20:40:23.180388       1 sync.go:110] cert-manager/controller/orders "msg"="Failed to determine the list of Challenge resources needed for the Order" "error"="no configured challenge solvers can be used for this challenge" "resource_kind"="Order" "resource_name"="fakename-io-cert-8nxb6-31268985" "resource_namespace"="stage" "resource_version"="v1" 
I0122 20:40:23.490123       1 setup.go:170] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="issuer-account-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-prod" "resource_namespace"="" "resource_version"="v1" 
I0122 20:40:23.502923       1 setup.go:170] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="issuer-account-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-staging" "resource_namespace"="" "resource_version"="v1" 
question from: https://stackoverflow.com/questions/65927833/cert-manager-renewing-dns01-certificate-not-working
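As an added illustration (not part of the question, and not cert-manager's own code): the log line "no configured challenge solvers can be used for this challenge" is what cert-manager's order controller reports when a DNS name on the Certificate matches none of the issuer's solver selectors. The Python below models that selector-matching rule as I understand it from cert-manager's solver selection logic (assumption: a wildcard name must appear literally in a `dnsNames` selector, while a `dnsZones` selector matches the name with the `*.` stripped), and runs it against the Certificate and ClusterIssuer posted above, plus two corrected selectors.

```python
# Added example (not from the question or cert-manager): a model of how
# cert-manager picks an ACME solver for each DNS name on a Certificate,
# used to check that every name in spec.dnsNames has a usable solver.
# Assumed rule: "*.example.com" only matches a dnsNames selector that lists
# "*.example.com" literally; dnsZones are compared against the name with
# the leading "*." removed (exact zone or any subdomain of it).

def _identifier(dns_name):
    """Return (identifier, wildcard) the way an ACME authorization reports it."""
    if dns_name.startswith("*."):
        return dns_name[2:], True
    return dns_name, False

def solver_matches(selector, dns_name):
    """True if a solver with this selector applies to dns_name."""
    ident, wildcard = _identifier(dns_name)
    to_find = "*." + ident if wildcard else ident
    if not selector:                      # no selector at all: matches everything
        return True
    if to_find in selector.get("dnsNames", []):
        return True
    for zone in selector.get("dnsZones", []):
        if ident == zone or ident.endswith("." + zone):
            return True
    return False

def unmatched_names(cert_dns_names, solvers):
    """Names on the Certificate for which no solver in the issuer applies."""
    return [n for n in cert_dns_names
            if not any(solver_matches(s.get("selector", {}), n) for s in solvers)]

# Constructed from the question: the Certificate's dnsNames and the
# ClusterIssuer's solvers (solver type omitted; only the selector matters here).
CERT_DNS_NAMES = ["fakename.io", "*.fakename.io"]
SOLVERS_AS_POSTED = [{"selector": {"dnsNames": ["fakename.io"]}}]
# Two ways to also cover the wildcard: list it explicitly, or select by zone.
SOLVERS_EXPLICIT = [{"selector": {"dnsNames": ["fakename.io", "*.fakename.io"]}}]
SOLVERS_BY_ZONE = [{"selector": {"dnsZones": ["fakename.io"]}}]

if __name__ == "__main__":
    for label, solvers in [("as posted", SOLVERS_AS_POSTED),
                           ("explicit wildcard", SOLVERS_EXPLICIT),
                           ("dnsZones", SOLVERS_BY_ZONE)]:
        missing = unmatched_names(CERT_DNS_NAMES, solvers)
        print(f"{label}: unmatched = {missing or 'none'}")
```

With the selector as posted, `*.fakename.io` has no solver, which is consistent with the Order failing and the Certificate never being renewed; either corrected selector covers both names.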


1 Answer

0 votes
by (71.8m points)
Waiting for answers
