Cert-manager: The object has been modified issue when trying to get cert up and running

Created on 6 Jan 2020 · 7 Comments · Source: jetstack/cert-manager

Describe the bug:
I'm trying to implement an SSL certificate for my website. I believe that some changes have been made prior to what I'm doing right now. Because of that I suppose I've encountered some issues. Here are my cert-manager pod logs:

  • cert-manager/controller/certificaterequests-issuer-ca "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"admin-panel-com-tls-4116999858\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/admin-panel-com-tls-4116999858" - this happens a few times in a row
  • cert-manager/controller/certificates "msg"="error decoding x509 certificate" "error"="error decoding cert PEM block" "related_resource_kind"="Secret" "related_resource_name"="admin-panel-com-tls" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="admin-panel-com-tls" "resource_namespace"="default" "secret_key"="tls.crt"
  • and finally I'm getting: cert-manager/controller/certificaterequests-issuer-venafi "msg"="certificate request in work queue no longer exists" "error"="certificaterequest.cert-manager.io \"admin-panel-www-secret-tls-1525626961\" not found"

Expected behaviour:
Getting my SSL cert and enabling HTTPS on my site.

Steps to reproduce the bug:
My issuer file looks like this:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: '[email protected]'
    privateKeySecretRef:
      name: letsencrypt-prod-admin-panel
    http01: {}

My cert file:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: admin-panel-com-tls
spec:
  secretName: admin-panel-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: my.domain.me
  dnsNames:
    - my.domain.me
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - my.domain.me

And finally my ingress file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: admin-panel-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - my.domain.me
      secretName: admin-panel-com-tls
  rules:
  - host: my.domain.me
    http:
      paths:
        - path: /.*
          backend:
            serviceName: admin-panel-service
            servicePort: 3000
        - path: /api/.*
          backend:
            serviceName: admin-panel-server-service
            servicePort: 3001
        - path: /auth/.*
          backend:
            serviceName: admin-panel-server-service
            servicePort: 3001

Anything else we need to know?:

Yes, I believe some changes have been made (e.g. cert-manager installation) in the cluster I'm using prior to what I'm trying to achieve right now, but I'm not sure this is the cause.

Environment details:

  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): GKE
  • cert-manager version (e.g. v0.4.0): 0.12
  • Install method (e.g. helm or static manifests): helm but not sure what has happened before my installation

/kind bug

All 7 comments

I found that I have multiple cert-managers installed and this was a cause of troubles for me.

FYI I am getting this with only one cert-manager installed. This is a brand new cluster. Tried to purge CRDs and reinstall - no help.

@thavlik
I had the same issue while following an outdated guide.
For me, the solution was to set the apiVersion of my issuer file to a recent version (cert-manager.io/v1alpha2)
See also: https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer

Hope this helps
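
The apiVersion change suggested in the comment above, applied to the issue's ClusterIssuer and Certificate as an added example (not from the original thread or the cert-manager project). In `cert-manager.io/v1alpha2` the HTTP-01 settings move into the issuer's `solvers` list and the Certificate no longer carries an `acme` block; the e-mail address is a placeholder.

```yaml
# Added example: the issue's manifests rewritten for cert-manager.io/v1alpha2.
# Resource names are taken from the issue; the e-mail is a placeholder.
apiVersion: cert-manager.io/v1alpha2      # was certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder, use a real contact address
    privateKeySecretRef:
      name: letsencrypt-prod-admin-panel
    solvers:                              # replaces the old "http01: {}" field
      - http01:
          ingress:
            class: nginx                  # was spec.acme.config[].http01.ingressClass on the Certificate
---
apiVersion: cert-manager.io/v1alpha2      # was certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: admin-panel-com-tls
spec:
  secretName: admin-panel-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: my.domain.me
  dnsNames:
    - my.domain.me
  # No spec.acme block: solver selection now lives on the issuer.
```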

I am using cert-manager.io/v1alpha2 and still bumping into this. I think it is related to the fact I've deployed cert-manager through Argo CD. I'll need to experiment with this more.

I was getting some of these errors as well and when I did a kubectl describe certificate <my-certificate> it showed an error that it couldn't reach the webhook service in the cert-manager namespace. I didn't deploy cert manager into the cert-manager namespace because usually the namespace is optional when installing services like these. Everything started working after I redeployed it into the cert-manager namespace. We might want to put in the docs that installing into the cert-manager namespace is required.

To do a complete purge I also had to remove the associated secret.

@barth12 How did you know that you had multiple cert-managers? Was it the pods running that told you this?
