Digital Ocean Kubernetes: Cert-Manager Certificate creation stuck at Created new CertificateRequest resource

2/8/2022

I am following this tutorial to use a trusted TLS certificate in my ingress rules. All works, however

kubectl describe certificate quickstart-example-tls

gives & gets stuck at Created new CertificateRequest resource

....
Status:
  Conditions:
    Last Transition Time:        2022-02-08T10:00:01Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2022-02-08T10:00:02Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  quickstart-example-tls-d87r6
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    21m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  21m   cert-manager  Stored new private key in temporary Secret resource "quickstart-example-tls-d87r6"
  Normal  Requested  21m   cert-manager  Created new CertificateRequest resource "quickstart-example-tls-kxwqd"

First let me share my ingress rules and Issuers:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: www.<Domain>.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: flask
            port:
              number: 5000

I set up DNS (in digital ocean) rules so curling (via web) works.

curl "http://www.<Domain>.net"                                                                   
<p>Hello, World!</p>%    

Here my issuer file:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <MY-EMAIL>
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
# kubectl get issuer
NAME                  READY   AGE
letsencrypt-staging   True    26s

Now I update my ingress rule and start the challenge:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-ingress
  annotations:
    cert-manager.io/issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
     - www.<DOMAIN>.net
    secretName: quickstart-example-tls
  ingressClassName: nginx
  rules:
  - host: www.<DOMAIN>.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: flask
            port:
              number: 5000
#kubectl get certificate                 
NAME                     READY   SECRET                   AGE
quickstart-example-tls   False   quickstart-example-tls   88s

Here the detailed output:

#kubectl describe certificate quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-02-08T10:34:40Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          .:
          k:{"uid":"<UID>"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
        f:usages:
      f:status:
        .:
        f:conditions:
        f:nextPrivateKeySecretName:
    Manager:    controller
    Operation:  Update
    Time:       2022-02-08T10:34:41Z
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  flask-ingress
    UID:                   <UID>
  Resource Version:        321990
  UID:                     <UID>
Spec:
  Dns Names:
    www.<DOMAIN>.net
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  quickstart-example-tls
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:        2022-02-08T10:34:40Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2022-02-08T10:34:40Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  quickstart-example-tls-w4psf
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Issuing    2m14s  cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  2m13s  cert-manager  Stored new private key in temporary Secret resource "quickstart-example-tls-w4psf"
  Normal  Requested  2m13s  cert-manager  Created new CertificateRequest resource "quickstart-example-tls-znhlv"

So this is were things get stucked and IDK why.

# kubectl describe certificaterequest quickstart-example-tls
Name:         quickstart-example-tls-znhlv
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: quickstart-example-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: quickstart-example-tls-w4psf
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2022-02-08T10:34:41Z
  Generate Name:       quickstart-example-tls-
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:cert-manager.io/certificate-name:
          f:cert-manager.io/certificate-revision:
          f:cert-manager.io/private-key-secret-name:
        f:generateName:
        f:ownerReferences:
          .:
          k:{"uid":"<UID>"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:request:
        f:usages:
      f:status:
        .:
        f:conditions:
    Manager:    controller
    Operation:  Update
    Time:       2022-02-08T10:34:41Z
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  quickstart-example-tls
    UID:                   <UID>
  Resource Version:        322003
  UID:                     <UID>
Spec:
  Extra:
    authentication.kubernetes.io/pod-name:
      cert-manager-6d8d028374dbb-f43n7
    authentication.kubernetes.io/pod-uid:
      <UID>
  Groups:
    system:serviceaccounts
    system:serviceaccounts:cert-manager
    system:authenticated
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-staging
  Request:  <Request ID>
  UID:      <UID>
  Usages:
    digital signature
    key encipherment
  Username:  system:serviceaccount:cert-manager:cert-manager
Status:
  Conditions:
    Last Transition Time:  2022-02-08T10:34:41Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-02-08T10:34:43Z
    Message:               Waiting on certificate issuance from order default/quickstart-example-tls-znhlv-138543614: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age    From          Message
  ----    ------           ----   ----          -------
  Normal  cert-manager.io  4m54s  cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     4m53s  cert-manager  Created Order resource default/quickstart-example-tls-znhlv-138543614

Having a look at the challenge, all seems to work.

# kubectl describe challenges --all-namespaces
Name:         quickstart-example-tls-znhlv-138543614-1891152753
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge
Metadata:
  Creation Timestamp:  2022-02-08T10:34:44Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Managed Fields:
    API Version:  acme.cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"finalizer.acme.cert-manager.io":
        f:ownerReferences:
          .:
          k:{"uid":"<UID>"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:authorizationURL:
        f:dnsName:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:key:
        f:solver:
          .:
          f:http01:
            .:
            f:ingress:
              .:
              f:class:
        f:token:
        f:type:
        f:url:
        f:wildcard:
      f:status:
        .:
        f:presented:
        f:processing:
        f:reason:
        f:state:
    Manager:    controller
    Operation:  Update
    Time:       2022-02-08T10:34:46Z
  Owner References:
    API Version:           acme.cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  quickstart-example-tls-znhlv-138543614
    UID:                   <UID>
  Resource Version:        322038
  UID:                     <UID>
Spec:
  Authorization URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<NR>
  Dns Name:           www.<DOMAIN>.net
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-staging
  Key:      <SOMEKEY>
  Solver:
    http01:
      Ingress:
        Class:  nginx
  Token:        <SOMEToken>
  Type:         HTTP-01
  URL:          https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/<NR>/<CODE>
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>': Get "http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>": EOF
  State:       pending
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Started    6m18s  cert-manager  Challenge scheduled for processing
  Normal  Presented  6m17s  cert-manager  Presented challenge using HTTP-01 challenge mechanism
#curl "http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>"
<SOMEKEY>%  

All seems to be fine, but I do not get the certificate?

A couple of additional things:

  • I use digital ocean managed kubernetes 1.21
  • I installed ingress-nginx via UI in digital ocean to namespace ingress-nginx
  • I use cert-manager 1.7
#kubectl get pods -n cert-manager
NAME                                     READY   STATUS    RESTARTS   AGE
cert-manager-6d8d6b5dbb-f4xn7            1/1     Running   0          47h
cert-manager-cainjector-d6cbc4d9-g6j8c   1/1     Running   0          47h
cert-manager-webhook-85fb68c79b-sv8pb    1/1     Running   0          47h

Looking add the logs from cert-manager, I get that get request failed although it works actually.

# kubectl logs cert-manager-6d8d6b5dbb-f4xn7 -n cert-manager 
E0208 15:07:31.660877       1 sync.go:186] cert-manager/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>': Get \"http://www.<DOMAIN>.net/.well-known/acme-challenge/<SOMEToken>\": EOF" "dnsName"="www.<DOMAIN>.net" "resource_kind"="Challenge" "resource_name"="quickstart-example-tls-znhlv-138543614-1891152753" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01" 
-- Henrik
digital-ocean
kubernetes
nginx-ingress
tls1.2

1 Answer

2/8/2022

@Rychu linked me to the answer here. This goes also back to this post step 5

For my case I did

Added a DNS entry on digital ocean for "workaround.<"DOMAIN">.net" to point to my load balancer and then I updated my ingress_controller:

cat ingress_nginx_svc.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    service.beta.kubernetes.io/do-loadbalancer-hostname: "workaround.<DOMAIN>.net"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 1.0.4
    helm.sh/chart: ingress-nginx-4.0.6
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  ports:
  - appProtocol: http
    name: http
    nodePort: 31799
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 32533
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
kubectl apply -f ingress_nginx_svc.yaml

Then you should see something like this

# kubectl describe certificate  
  Type    Reason     Age                  From          Message
  ----    ------     ----                 ----          -------
  Normal  Issuing    15m                  cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  15m                  cert-manager  Stored new private key in temporary Secret resource "quickstart-example-tls-zj57f"
  Normal  Requested  15m                  cert-manager  Created new CertificateRequest resource "quickstart-example-tls-gc599"
  Normal  Issuing    8m3s                 cert-manager  Issuing certificate as Secret was previously issued by Issuer.cert-manager.io/letsencrypt-staging
  Normal  Reused     8m2s                 cert-manager  Reusing private key stored in existing Secret resource "quickstart-example-tls"
  Normal  Requested  8m2s                 cert-manager  Created new CertificateRequest resource "quickstart-example-tls-55xcw"
  Normal  Issuing    7m33s (x2 over 11m)  cert-manager  The certificate has been successfully issued

That solved my problem! Thanks again @Rychu for pointing me to that

-- Henrik
Source: StackOverflow