Cert-manager: ErrorIssuerNotReady error when adding staging certificate on Azure AKS

Created on 9 May 2018 · 5 Comments · Source: jetstack/cert-manager

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

What happened:
I'm using an Azure AKS cluster and followed this tutorial here: https://blog.n1analytics.com/free-automated-tls-certificates-on-k8s/

Installed stable/nginx-ingress and stable/cert-manager via Helm to my kube-system namespace, RBAC disabled. Created a staging issuer, then a test certificate. When I create the test certificate against the staging issuer, I receive the following from kubectl describe certificate test-todo-aks-cluster-com:

  Type     Reason               Age              From                     Message
  ----     ------               ----             ----                     -------
  Warning  ErrorIssuerNotReady  1m (x5 over 3m)  cert-manager-controller  Issuer letsencrypt-staging not ready

What you expected to happen:
I expect the certificate to be issued

How to reproduce it (as minimally and precisely as possible):
Following the tutorial above, AKS cluster, up to creating a staging certificate

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T10:09:24Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:13:31Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration: Azure
  • Install tools: Azure CLI, Helm v2.0.32
  • Others: N/A

All 5 comments

Update: I went into the logs (kubectl logs deployment/cert-manager-cert-manager cert-manager --namespace kube-system -f) and am seeing the following on repeat:

I0509 21:24:47.083419       1 sync.go:40] Error initializing issuer: 504 : <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;97&#46;c9fd4317&#46;1525901087&#46;6b426b
</BODY></HTML>

Getting an error 504, which is gateway timeout. I can hit my domain, so I know the static IP, DNS and ingress controller are all working -- just an insecure connection when I open the page. I do still get the 404.

This issue appears to only occur with the ACME staging URL -- production works. Perhaps I misunderstood how the staging issuer works, but the error I was receiving (Issuer letsencrypt-staging not ready) is not clear to me.
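The `Issuer ... not ready` event hides the cause; the HTTP status in the controller log is what separates an ACME endpoint outage from a problem with the issuer itself. The following is an added example, not part of the original thread or of cert-manager: it groups klog lines into entries (the HTML error body spans several lines) and counts issuer initialisation failures by status. The function names and the two verdict labels are hypothetical, and every sample line except the first entry is constructed.

```python
import re
from collections import Counter

# klog header: severity, MMDD, time, PID, source file:line, then the message.
KLOG = re.compile(r"^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+) ([\w./-]+:\d+)\] (.*)$")
INIT_ERR = re.compile(r"Error initializing issuer: (\d{3})\b")

# First entry is the log output quoted in the thread; the rest is constructed.
SAMPLE_LOG = """\
I0509 21:24:47.083419       1 sync.go:40] Error initializing issuer: 504 : <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;97&#46;c9fd4317&#46;1525901087&#46;6b426b
</BODY></HTML>
I0509 21:24:49.100000       1 controller.go:100] constructed unrelated message
I0509 21:25:47.200000       1 sync.go:40] Error initializing issuer: 504 : <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
</BODY></HTML>
I0509 21:26:47.300000       1 sync.go:40] Error initializing issuer: 400 : constructed client error
"""

def parse_entries(text):
    """Group raw lines into entries; lines without a klog header (the HTML
    error body) are continuations of the previous entry."""
    entries = []
    for line in text.splitlines():
        m = KLOG.match(line)
        if m:
            entries.append({"time": m.group(3), "source": m.group(5), "msg": m.group(6)})
        elif entries:
            entries[-1]["msg"] += "\n" + line
    return entries

def triage(text):
    """Count issuer initialisation failures by HTTP status of the ACME reply."""
    statuses = Counter()
    for e in parse_entries(text):
        m = INIT_ERR.search(e["msg"])
        if m:
            statuses[int(m.group(1))] += 1
    verdict = {}
    for code, n in statuses.items():
        # Assumed heuristic: 5xx = ACME endpoint or its gateway failed; else look at the issuer.
        side = "acme-server-side" if 500 <= code <= 599 else "check-issuer-config"
        verdict[code] = (n, side)
    return verdict

if __name__ == "__main__":
    for code, (n, side) in sorted(triage(SAMPLE_LOG).items()):
        print(f"HTTP {code}: {n} issuer init failure(s) -> {side}")
```
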

Which version of cert-manager are you using? If you are using the latest alpha then changing your issuer to use ACME v2 staging URL (https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) might help. At least it fixed my almost identical issue.

That ACME staging server was unavailable for ~24h due to planned maintenance. It should work today - I'm going to close this issue, but re-open if I am wrong and you still experience this issue!

/close

I am using AKS to create an SSL cert with Let's Encrypt. I installed cert-manager using Helm.

I created a CA cluster issuer:

Shawns-Personal-MacBook-Pro:~ shawnvarughese$ kubectl describe ClusterIssuer
Name:         letsencrypt-prod
Namespace:    
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":""},"spec":{"acme...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2018-12-09T19:35:56Z
  Generation:          1
  Resource Version:    890789
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
  UID:                 a5bba453-fbe9-11e8-9108-0ea4bd565112
Spec:
  Acme:
    Email:  [email protected]
    Http 01:
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Events:      <none>

Created a certificate object:

Shawns-Personal-MacBook-Pro:~ shawnvarughese$ kubectl describe certificates
Name:         tls-secret
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"default"},"spec":{"acme"...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2018-12-10T17:09:05Z
  Generation:          1
  Resource Version:    890853
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tls-secret
  UID:                 4ccd87c3-fc9e-11e8-9108-0ea4bd565112
Spec:
  Acme:
    Config:
      Domains:
        mydomain.com
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    mydomain.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  tls-secret
Events:         <none>

Created Ingress:

Shawns-Personal-MacBook-Pro:~ shawnvarughese$ kubectl describe Ingress
Name:             my-ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-secret terminates mydomain.com
Rules:
  Host             Path  Backends
  ----             ----  --------
  mydomain.com  
                   /   web:8080 (<none>)
Annotations:
  kubernetes.io/ingress.class:                       nginx
  kubernetes.io/tls-acme:                            true
  nginx.ingress.kubernetes.io/rewrite-target:        /
  certmanager.k8s.io/cluster-issuer:                 letsencrypt-prod
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx","kubernetes.io/tls-acme":"true","nginx.ingress.kubernetes.io/rewrite-target":"/"},"name":"my-ingress","namespace":"default"},"spec":{"rules":[{"host":"mydomain.com","http":{"paths":[{"backend":{"serviceName":"web","servicePort":8080},"path":"/"}]}}],"tls":[{"hosts":["mydomain.com"],"secretName":"tls-secret"}]}}

Events:  <none>

As you can see, the events for the Certificate are none, so it's not even creating the order. Not sure why it would not even create the order or even throw an error.
