Certificate request from cert-manager stuck in OpenShift CRC (Code Ready Container)

1/21/2020

In OpenShift CRC (Code Ready Containers) environments, I try to use cert-manager and Let's Encrypt to apply for a certificate, but the certificate request gets stuck and ends up with "waiting" status.

My ClusterIssuer looks like:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: barry-letsencrypt
spec:
  acme:
    email: me@abc.com
    http01: {}
    privateKeySecretRef:
      name: barry-letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
      selector: {}

After running the above YAML file, ClusterIssuer has been created successfully.

My certificate looks like:

apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager-test
spec:
  secretName: example-com-tls
  duration: 24h
  renewBefore: 12h
  commonName: example.com
  dnsNames:
  - example.com
  issuerRef:
    name: barry-letsencrypt
    kind: ClusterIssuer
    #kind: Issuer
    group: cert-manager.io

After running the above YAML file, I check if my secret object has been created, but tls.crt is 0 bytes.

# oc -n cert-manager-test describe secret example-com-tls
Name:         example-com-tls
Namespace:    cert-manager-test
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: example-com
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: barry-letsencrypt

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1679 bytes

Then I check the Certificate status, and it shows:

# oc -n cert-manager-test describe certificate.cert-manager.io example-com
Name:         example-com
Namespace:    cert-manager-test
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-01-21T21:53:43Z
  Generation:          1
  Resource Version:    11111249
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/cert-manager-test/certificates/example-com
  UID:                 7e1d5876-3c98-11ea-84cc-52fdfc072182
Spec:
  Common Name:  example.com
  Dns Names:
    example.com
    www.example.com
  Duration:  24h0m0s
  Issuer Ref:
    Group:       cert-manager.io
    Kind:        ClusterIssuer
    Name:        barry-letsencrypt
  Renew Before:  12h0m0s
  Secret Name:   example-com-tls
Status:
  Conditions:
    Last Transition Time:  2020-01-21T21:53:43Z
    Message:               Waiting for CertificateRequest "example-com-3700695519" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age    From          Message
  ----    ------        ----   ----          -------
  Normal  GeneratedKey  7m41s  cert-manager  Generated a new private key
  Normal  Requested     7m41s  cert-manager  Created new CertificateRequest resource "example-com-3700695519"

Obviously, the certificate request is stuck.

What is wrong here? Why does the certificate request end up in waiting status? Is it caused by Code Ready Containers (not sure if CRC has a route to access the outside)?

-- Joe
cert-manager
certificate
kubernetes
openshift
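
Added example, not part of the original question or answer: the Certificate status above only says it is waiting on a CertificateRequest, so the next check is to follow cert-manager's ownership chain (Certificate, CertificateRequest, ACME Order, ACME Challenge) and read the status of the deepest resource that is not complete. The sketch below does that over the `items` list from `oc -n cert-manager-test get certificates.cert-manager.io,certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io -o json`. The Order and Challenge names, states and messages in the sample are constructed, and the result locates the stalled stage rather than explaining the cause.

```python
# Added example: walk Certificate -> CertificateRequest -> Order -> Challenge (one namespace).

def progress(obj):
    """Return (done, detail) for one resource in the issuance chain."""
    status = obj.get("status", {})
    if obj["kind"] in ("Order", "Challenge"):  # ACME resources report status.state
        detail = "state=%s presented=%s reason=%s" % (status.get("state") or "<unset>",
            status.get("presented", "n/a"), status.get("reason") or "<none>")
        return status.get("state") == "valid", detail
    for cond in status.get("conditions", []):  # Certificate / CertificateRequest
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition reported yet"

def children(items, parent, kind):
    """Objects of `kind` whose ownerReferences point at `parent`."""
    ref = (parent["kind"], parent["metadata"]["name"])
    return [o for o in items if o["kind"] == kind and ref in
            [(r.get("kind"), r.get("name")) for r in o["metadata"].get("ownerReferences", [])]]

def locate_stall(items, cert_name):
    """Return (kind, name, detail) of the deepest incomplete resource, or None if Ready."""
    current = next(o for o in items
                   if o["kind"] == "Certificate" and o["metadata"]["name"] == cert_name)
    done, detail = progress(current)
    if done:
        return None
    for kind in ("CertificateRequest", "Order", "Challenge"):
        kids = children(items, current, kind)
        pending = [k for k in kids if not progress(k)[0]]
        if not pending:
            detail += "" if kids else " (no %s exists yet)" % kind
            break
        current, detail = pending[0], progress(pending[0])[1]
    return current["kind"], current["metadata"]["name"], detail

def res(kind, name, status, owner=None):  # builds a minimal constructed resource
    refs = [{"kind": owner[0], "name": owner[1]}] if owner else []
    return {"kind": kind, "metadata": {"name": name, "ownerReferences": refs}, "status": status}

# Constructed sample: first two names follow the question, the rest is invented.
REQ = "example-com-3700695519"
SAMPLE = [
    res("Certificate", "example-com", {"conditions": [{"type": "Ready", "status": "False",
        "message": 'Waiting for CertificateRequest "%s" to complete' % REQ}]}),
    res("CertificateRequest", REQ, {"conditions": [{"type": "Ready", "status": "False",
        "message": "constructed: waiting on order"}]}, ("Certificate", "example-com")),
    res("Order", REQ + "-0", {"state": "pending"}, ("CertificateRequest", REQ)),
    res("Challenge", REQ + "-0-0", {"state": "pending", "presented": False,
        "reason": "constructed sample reason"}, ("Order", REQ + "-0")),
]
```

Calling `locate_stall(SAMPLE, "example-com")` returns the pending Challenge; on a real cluster, `oc describe` on the resource it names shows the events for that stage.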

1 Answer

2/1/2020

Waiting for answer :P ......

And mine was found :)

> get all -n cert-manager

NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-6d5fd89bdf-ck46m              1/1     Running   0          3h22m
pod/cert-manager-cainjector-7d47d59998-vdvjc   1/1     Running   0          3h22m
pod/cert-manager-webhook-6559cc8549-llm8w      1/1     Running   0          3h22m

NAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.0.245.56    <none>        9402/TCP   3h23m
service/cert-manager-webhook   ClusterIP   10.0.159.178   <none>        443/TCP    3h22m

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           3h22m
deployment.apps/cert-manager-cainjector   1/1     1            1           3h22m
deployment.apps/cert-manager-webhook      1/1     1            1           3h22m

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-6d5fd89bdf              1         1         1       3h22m
replicaset.apps/cert-manager-cainjector-7d47d59998   1         1         1       3h22m
replicaset.apps/cert-manager-webhook-6559cc8549      1         1         1       3h22m


> kubectl logs -f cert-manager-6d5fd89bdf-ck46m -n cert-manager

I0201 21:48:27.272279       1 controller.go:129] cert-manager/controller/certificates "msg"="syncing item" "key"="kube-system/tls-secret" 
I0201 21:48:27.272351       1 sync.go:57] cert-manager/controller/certificates "msg"="certificate resource not found for key"  "key"="kube-system/tls-secret"
I0201 21:48:27.272492       1 controller.go:135] cert-manager/controller/certificates "msg"="finished processing work item" "key"="kube-system/tls-secret" 
-- GEGE
Source: StackOverflow