Cert-manager order is in invalid state

11/13/2019

I’m migrating from a GitLab-managed Kubernetes cluster to a self-managed cluster. In this self-managed cluster I need to install nginx-ingress and cert-manager. I have already managed to do the same for a cluster used for review environments. I use the latest Helm 3 RC to manage this, so I won’t need Tiller.

So far, I ran these commands:

# Add Helm repos locally
helm repo add stable https://kubernetes-charts.storage.googleapis.com
helm repo add jetstack https://charts.jetstack.io

# Create namespaces
kubectl create namespace managed
kubectl create namespace production

# Create cert-manager crds
kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

# Install Ingress
helm install ingress stable/nginx-ingress --namespace managed --version 0.26.1

# Install cert-manager with a cluster issuer
kubectl apply -f config/production/cluster-issuer.yaml
helm install cert-manager jetstack/cert-manager --namespace managed --version v0.11.0

This is my cluster-issuer.yaml:

# Based on https://docs.cert-manager.io/en/latest/reference/issuers.html#issuers
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: XXX # This is an actual email address in the real resource
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - selector: {}
        http01:
          ingress:
            class: nginx

I installed my own Helm chart named docs. All resources from the Helm chart are installed as expected. Using cURL, I can fetch the page over HTTP. Google Chrome redirects me to an HTTPS page with an invalid certificate though.

The following additional resources have been created:

$ kubectl get secrets
NAME                         TYPE                                  DATA   AGE
docs-tls                     kubernetes.io/tls                     3      18m
$ kubectl get certificaterequests.cert-manager.io
NAME                 READY   AGE
docs-tls-867256354   False   17m
$ kubectl get certificates.cert-manager.io
NAME       READY   SECRET     AGE
docs-tls   False   docs-tls   18m
$ kubectl get orders.acme.cert-manager.io
NAME                            STATE     AGE
docs-tls-867256354-3424941167   invalid   18m

It appears everything is blocked by the cert-manager order in an invalid state. Why could it be invalid? And how do I fix this?

-- Remco Haszing
cert-manager
kubernetes

2 Answers

11/14/2019

It turns out that in addition to a correct DNS A record for @, there were some AAAA records that pointed to an IPv6 address I don’t know. Removing those records and redeploying resolved the issue for me.

-- Remco Haszing
Source: StackOverflow
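The accepted answer found the cause by hand: a stray AAAA record meant the ACME server validated the HTTP-01 challenge against an address the ingress did not own, so the Order went `invalid`. The script below is an added example, not code from the question or either answer; it reads the Order's own failure reason, compares the A/AAAA records published for the host with the addresses the nginx-ingress LoadBalancer service actually has, and probes the challenge path over IPv4 and IPv6 separately, which is what the ACME server does. The host `docs.example.com`, the namespace `managed`, the service name `ingress-nginx-ingress-controller`, and a LoadBalancer that exposes an IP rather than a hostname are all assumptions.

```shell
#!/bin/sh
# Added example: diagnose an invalid cert-manager ACME Order caused by DNS
# records that do not point at the nginx-ingress LoadBalancer.
# Assumed: host docs.example.com, namespace managed, service name
# ingress-nginx-ingress-controller, LoadBalancer exposes an IP (not a hostname).

# order_reasons NAMESPACE
#   Prints "<order name>: <state> <reason>" for every Order; cert-manager
#   records why the ACME server rejected the challenge in .status.reason.
order_reasons() {
    kubectl get orders.acme.cert-manager.io -n "$1" \
        -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.status.state}{" "}{.status.reason}{"\n"}{end}'
}

# stray_records EXPECTED RESOLVED
#   EXPECTED: space-separated addresses the ingress really answers on
#   RESOLVED: space-separated addresses published in DNS (A and AAAA)
#   Prints every resolved address not in EXPECTED; returns 1 if any exist.
stray_records() {
    expected=" $1 "
    stray=""
    for addr in $2; do
        case "$expected" in
            *" $addr "*) ;;                # record matches the ingress
            *) stray="$stray $addr" ;;     # record points somewhere else
        esac
    done
    printf '%s\n' "${stray# }"
    [ -z "$stray" ]
}

# ingress_addresses NAMESPACE SERVICE
#   External IPs of the ingress controller's LoadBalancer service.
ingress_addresses() {
    kubectl get svc "$2" -n "$1" \
        -o jsonpath='{range .status.loadBalancer.ingress[*]}{.ip}{" "}{end}'
}

# dns_addresses HOST
#   All A and AAAA records for HOST (CNAME targets filtered out).
dns_addresses() {
    dig +short A "$1" | grep -E '^[0-9.]+$'
    dig +short AAAA "$1" | grep ':'
}

# check_host HOST NAMESPACE SERVICE
check_host() {
    host=$1
    echo "--- Order status in namespace $2"
    order_reasons "$2"
    expected=$(ingress_addresses "$2" "$3")
    resolved=$(dns_addresses "$host" | tr '\n' ' ')
    echo "ingress answers on: $expected"
    echo "DNS publishes:      $resolved"
    if ! stray=$(stray_records "$expected" "$resolved"); then
        echo "STRAY records (remove them or point them at the ingress): $stray"
    fi
    # Probe each address family on its own: with an AAAA record present the
    # ACME server will use IPv6, so IPv4 working alone proves nothing.
    for fam in -4 -6; do
        if curl -s "$fam" -m 10 -o /dev/null \
               "http://$host/.well-known/acme-challenge/probe"; then
            echo "IPv${fam#-}: ingress reachable"
        else
            echo "IPv${fam#-}: NOT reachable (curl exit $?)"
        fi
    done
}

# Run with: sh check.sh docs.example.com managed ingress-nginx-ingress-controller
if [ "$#" -eq 3 ]; then
    check_host "$@"
fi
```

Any HTTP response on the probe counts as reachable (nginx-ingress answers 404 for an unknown challenge token); a timeout or refused connection on one family means the ACME server cannot complete the challenge over that family either. Once the stray records are gone, deleting the failed Certificate (or the `docs-tls` Secret) makes cert-manager create a fresh Order rather than waiting on the invalid one.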

11/14/2019

You can just refer to this stackoverflow post.

Once you patch the secret to TLS and it gets validated by the acme challenge internally, the certificate will get the True state.

-- Tushar Mahajan
Source: StackOverflow