Cert-manager certificates not found and challenges not created

2/27/2019

I followed https://docs.cert-manager.io/en/venafi/tutorials/quick-start/index.html from start to end and everything seems to be working except that I'm not getting an external ip for my ingress.

NAME                     HOSTS                                  ADDRESS   PORTS     AGE
staging-site-ingress   staging.site.io,staging.admin.site.io,             80, 443   1h

Altough I'm able to use the nginx ingress controller external ip and use dns to access the sites. When I'm going to the urls I'm being redirected to https, so I assume that's working fine.

It redirects to https but still says "not secured", so he don't get a certificate issued.

When I'm debugging I get the following information:

Ingress:

Events:
  Type    Reason             Age                From                      Message
  ----    ------             ----               ----                      -------
  Normal  CreateCertificate  54m                cert-manager              Successfully created Certificate "tls-secret-staging"
  Normal  UPDATE             35m (x3 over 1h)   nginx-ingress-controller  Ingress staging/staging-site-ingress
  Normal  CreateCertificate  23m (x2 over 35m)  cert-manager              Successfully created Certificate "letsencrypt-staging-tls"

Certificate:

Status:
  Conditions:
    Last Transition Time:  2019-02-27T14:02:29Z
    Message:               Certificate does not exist
    Reason:                NotFound
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age               From          Message
  ----    ------        ----              ----          -------
  Normal  OrderCreated  3m (x2 over 14m)  cert-manager  Created Order resource "letsencrypt-staging-tls-593754378"

Secret:

Name:         letsencrypt-staging-tls
Namespace:    staging
Labels:       certmanager.k8s.io/certificate-name=staging-site-io
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1679 bytes

Order:

Status:
  Certificate:   <nil>
  Finalize URL:  
  Reason:        
  State:         
  URL:           
Events:          <none>

So it seems something goes wrong in order and no challenges are created.

Here are my ingress.yaml and issuer.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: staging-site-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"    
    certmanager.k8s.io/issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
  - hosts:
    - staging.site.io
    - staging.admin.site.io
    - staging.api.site.io
    secretName: letsencrypt-staging-tls
  rules:
    - host: staging.site.io
      http:
        paths:
          - backend:
              serviceName: frontend-service
              servicePort: 80
            path: /
    - host: staging.admin.site.io
      http:
        paths:
          - backend:
              serviceName: frontend-service
              servicePort: 80
            path: /
    - host: staging.api.site.io
      http:
        paths:
          - backend:
              serviceName: gateway-service
              servicePort: 9000
            path: /
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: hello@site.io
    privateKeySecretRef:
      name: letsencrypt-staging-tls
    http01: {}

Anyone knows what I can do to fix this or what went wrong? Certmanager is installed correctly 100%, I'm just not sure about the ingress and what went wrong in the order.

Thanks in advance!

EDIT: I found this in the nginx-ingress-controller:

W0227 14:51:02.740081       8 controller.go:1078] Error getting SSL certificate "staging/letsencrypt-staging-tls": local SSL certificate staging/letsencrypt-staging-tls was not found. Using default certificate

It's getting spammed & the CPU load is always at 0.003 and the cpu graph is full (the other services are almost nothing)

-- JC97
cert-manager
kubernetes
ssl

1 Answer

3/11/2019

I stumbled over the same issue once, following exactly the same official tutorial. As @mikebridge mentioned, the issue is with Issuer/Secret's namespace mismatch.

For me, the best was to switch from Issuer to ClusterIssuer, which is not scoped to a single namespace.

-- Nepomucen
Source: StackOverflow