Failing to issue TLS certificate with cert-manager in Kubernetes & Cloudflare

2/12/2022

We are trying to move our entire app infrastructure to Kubernetes and the last thing that is left to do is to configure TLS. We are using Kubernetes on DigitalOcean and our DNS is on Cloudflare.

For simplicity, we decided to go with a wildcard certificate and followed these docs to accomplish it.

Here is what we have so far.

Issuer

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cloudflare-ambassador-wcard
#  namespace: ambassador
spec:
  # ACME issuer configuration:
  # `email` - the email address to be associated with the ACME account (make sure it's a valid one).
  # `server` - the URL used to access the ACME servers directory endpoint.
  # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key.
  acme:
    email: alex@priz.guru
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cloudflare-ambassador-wcard-private
    # List of challenge solvers that will be used to solve ACME challenges for the matching domains.
    solvers:
      - dns01:
          cloudflare:
            email: <my email - same as in Cloudflare>
            # The secret holds a scoped Cloudflare API token (see below), so it is
            # referenced via `apiTokenSecretRef`; `apiKeySecretRef` is only for the
            # legacy Global API Key and would fail authentication with a token.
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
        selector:
          dnsNames:
            - 'app.priz.guru'
            - 'appp.priz.guru'
            - 'api.priz.guru'

Certificate

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: priz-guru-cert
  # Cert-Manager will put the resulting Secret in the same Kubernetes namespace as the Certificate.
  namespace: ambassador
spec:
  # Secret name to create, where the private key and certificate should be stored.
  secretName: priz-guru-cert
  # What Issuer to use for getting the certificate.
  issuerRef:
    name: cloudflare-ambassador-wcard
    kind: ClusterIssuer
    group: cert-manager.io
  # Common name to be used on the Certificate.
  commonName: "*.priz.guru"
  # List of DNS subjectAltNames to be set on the Certificate.
  dnsNames:
    - 'appp.priz.guru'
    - 'api.priz.guru'

Cloudflare API token is configured in secrets.

When I try getting the certificate info, I see that it is not ready (for a very long time):

$ kubectl get certificate priz-guru-cert -n ambassador
NAME             READY   SECRET           AGE
priz-guru-cert   False   priz-guru-cert   12h

and looking at the logs, it seems like the certificate was approved, but it was not issued because there was another attempt within the last hour.

$ kubectl logs -l app=cert-manager,app.kubernetes.io/component=controller -n cert-manager
I0212 20:56:39.469298       1 trigger_controller.go:160] cert-manager/certificates-trigger "msg"="Not re-issuing certificate as an attempt has been made in the last hour" "key"="ambassador/priz-guru-cert" "retry_delay"=3599530749932
I0212 21:56:39.000546       1 trigger_controller.go:181] cert-manager/certificates-trigger "msg"="Certificate must be re-issued" "key"="ambassador/priz-guru-cert" "message"="Issuing certificate as Secret does not exist" "reason"="DoesNotExist"
I0212 21:56:39.000597       1 conditions.go:190] Found status change for Certificate "priz-guru-cert" condition "Issuing": "False" -> "True"; setting lastTransitionTime to 2022-02-12 21:56:39.000591396 +0000 UTC m=+131965.533360318
I0212 21:56:39.569514       1 issuing_controller.go:265] cert-manager/certificates-issuing "msg"="Found a failed CertificateRequest from previous issuance, waiting for it to be deleted..." "key"="ambassador/priz-guru-cert" "resource_kind"="CertificateRequest" "resource_name"="priz-guru-cert-z2cnw" "resource_namespace"="ambassador" "resource_version"="v1"
I0212 21:56:39.578311       1 controller.go:161] cert-manager/certificates-key-manager "msg"="re-queuing item due to optimistic locking on resource" "key"="ambassador/priz-guru-cert" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"priz-guru-cert\": the object has been modified; please apply your changes to the latest version and try again"
I0212 21:56:39.601182       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "priz-guru-cert-9blj7" condition "Approved" to 2022-02-12 21:56:39.601171113 +0000 UTC m=+131966.133940054
I0212 21:56:39.618109       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "priz-guru-cert-9blj7" condition "Ready" to 2022-02-12 21:56:39.61810027 +0000 UTC m=+131966.150869178
I0212 21:56:39.635005       1 conditions.go:190] Found status change for Certificate "priz-guru-cert" condition "Issuing": "True" -> "False"; setting lastTransitionTime to 2022-02-12 21:56:39.63499362 +0000 UTC m=+131966.167762571
I0212 21:56:39.647445       1 trigger_controller.go:160] cert-manager/certificates-trigger "msg"="Not re-issuing certificate as an attempt has been made in the last hour" "key"="ambassador/priz-guru-cert" "retry_delay"=3599352583741
I0212 21:56:39.668068       1 trigger_controller.go:160] cert-manager/certificates-trigger "msg"="Not re-issuing certificate as an attempt has been made in the last hour" "key"="ambassador/priz-guru-cert" "retry_delay"=3599331976662

Tried deleting everything and reapplying (after more than an hour). Same result.

How can I see what the issue is here? Are we even configuring it correctly?

UPDATE

Here is the description of the same certificate.

$ kubectl describe certificate priz-guru-cert -n ambassador
Name:         priz-guru-cert
Namespace:    ambassador
Labels:       kustomize.toolkit.fluxcd.io/name=flux-system
              kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:  kustomize.toolkit.fluxcd.io/checksum: 8a875fb65b8d2a0d1ca76e552d21dca509e81ab7
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-02-12T09:56:21Z
  Generation:          2
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
          f:kustomize.toolkit.fluxcd.io/checksum:
        f:labels:
          .:
          f:kustomize.toolkit.fluxcd.io/name:
          f:kustomize.toolkit.fluxcd.io/namespace:
      f:spec:
        .:
        f:commonName:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kustomize-controller
    Operation:    Update
    Time:         2022-02-12T09:56:21Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:lastFailureTime:
    Manager:         controller
    Operation:       Update
    Time:            2022-02-12T22:56:39Z
  Resource Version:  7912521
  UID:               deedc903-dc40-4e32-a4e8-91765cb33347
Spec:
  Common Name:  *.priz.guru
  Dns Names:
    appp.priz.guru
    api.priz.guru
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       cloudflare-ambassador-wcard
  Secret Name:  priz-guru-cert
Status:
  Conditions:
    Last Transition Time:  2022-02-12T09:56:21Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   2
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
    Last Transition Time:  2022-02-12T22:56:39Z
    Message:               The certificate request has failed to complete and will be retried: The CSR PEM requests a commonName that is not present in the list of dnsNames or ipAddresses. If a commonName is set, ACME requires that the value is also present in the list of dnsNames or ipAddresses: "*.priz.guru" does not exist in [appp.priz.guru api.priz.guru] or []
    Observed Generation:   2
    Reason:                Failed
    Status:                False
    Type:                  Issuing
  Last Failure Time:       2022-02-12T22:56:39Z
Events:
  Type     Reason     Age                 From          Message
  ----     ------     ----                ----          -------
  Normal   Issuing    46m (x15 over 13h)  cert-manager  Issuing certificate as Secret does not exist
  Warning  Failed     46m (x14 over 13h)  cert-manager  The certificate request has failed to complete and will be retried: The CSR PEM requests a commonName that is not present in the list of dnsNames or ipAddresses. If a commonName is set, ACME requires that the value is also present in the list of dnsNames or ipAddresses: "*.priz.guru" does not exist in [appp.priz.guru api.priz.guru] or []
  Normal   Generated  46m                 cert-manager  Stored new private key in temporary Secret resource "priz-guru-cert-dmp62"
  Normal   Requested  46m                 cert-manager  Created new CertificateRequest resource "priz-guru-cert-gmhfs"

UPDATE - Trying to address "The CSR PEM requests a commonName that is not present in the list of dnsNames or ipAddresses"

Now the certificate config is:

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: priz-guru-cert
  # Cert-Manager will put the resulting Secret in the same Kubernetes namespace as the Certificate.
  namespace: ambassador
spec:
  # Secret name to create, where the private key and certificate should be stored.
  secretName: priz-guru-cert
  # What Issuer to use for getting the certificate.
  issuerRef:
    name: cloudflare-ambassador-wcard
    kind: ClusterIssuer
    group: cert-manager.io
  # Common name to be used on the Certificate.
  #  commonName: "*.priz.guru"
  # List of DNS subjectAltNames to be set on the Certificate.
  dnsNames:
    - '*.priz.guru'

Still not issuing with the following:

$ kubectl describe certificate priz-guru-cert -n ambassador
Name:         priz-guru-cert
Namespace:    ambassador
Labels:       kustomize.toolkit.fluxcd.io/name=flux-system
              kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:  kustomize.toolkit.fluxcd.io/checksum: 5208aadd2a6d21e1d6f2f2dfc3f8d29a63990962
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-02-12T09:56:21Z
  Generation:          7
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
          f:kustomize.toolkit.fluxcd.io/checksum:
        f:labels:
          .:
          f:kustomize.toolkit.fluxcd.io/name:
          f:kustomize.toolkit.fluxcd.io/namespace:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kustomize-controller
    Operation:    Update
    Time:         2022-02-12T23:58:13Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:lastFailureTime:
        f:nextPrivateKeySecretName:
    Manager:         controller
    Operation:       Update
    Time:            2022-02-12T23:59:15Z
  Resource Version:  7933741
  UID:               deedc903-dc40-4e32-a4e8-91765cb33347
Spec:
  Dns Names:
    *.priz.guru
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       cloudflare-ambassador-wcard
  Secret Name:  priz-guru-cert
Status:
  Conditions:
    Last Transition Time:        2022-02-12T09:56:21Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         7
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2022-02-12T23:59:14Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         6
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Last Failure Time:             2022-02-12T23:58:14Z
  Next Private Key Secret Name:  priz-guru-cert-kkjxx
Events:
  Type     Reason     Age                 From          Message
  ----     ------     ----                ----          -------
  Normal   Generated  34m                 cert-manager  Stored new private key in temporary Secret resource "priz-guru-cert-xx4kz"
  Normal   Requested  34m                 cert-manager  Created new CertificateRequest resource "priz-guru-cert-lgcwt"
  Warning  Failed     34m                 cert-manager  The certificate request has failed to complete and will be retried: Failed to wait for order resource "priz-guru-cert-lgcwt-3857888143" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:malformed: Error creating new order :: Domain name "api.priz.guru" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
  Normal   Generated  30m                 cert-manager  Stored new private key in temporary Secret resource "priz-guru-cert-q89c8"
  Normal   Requested  30m                 cert-manager  Created new CertificateRequest resource "priz-guru-cert-wgqwf"
  Normal   Requested  22m                 cert-manager  Created new CertificateRequest resource "priz-guru-cert-v4dj4"
  Warning  Failed     22m                 cert-manager  The certificate request has failed to complete and will be retried: Failed to wait for order resource "priz-guru-cert-v4dj4-887490919" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:malformed: Error creating new order :: Domain name "api.priz.guru" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
  Normal   Issuing    21m (x18 over 14h)  cert-manager  Issuing certificate as Secret does not exist
  Normal   Generated  21m                 cert-manager  Stored new private key in temporary Secret resource "priz-guru-cert-kkjxx"
  Normal   Requested  21m                 cert-manager  Created new CertificateRequest resource "priz-guru-cert-9w7pr"
  Normal   Requested  3m41s               cert-manager  Created new CertificateRequest resource "priz-guru-cert-2ntk9"
-- Shurik Agulyansky
cloudflare
kubernetes
ssl-certificate

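As an added example that is not part of the question above and not cert-manager's own code: a small Python preflight that checks a cert-manager `Certificate` spec, before it is applied, against the two ACME rules whose violations show up in the Events above. Rule 1 (cert-manager): if `commonName` is set it must also be one of `dnsNames`/`ipAddresses`. Rule 2 (Let's Encrypt): a wildcard and a name it already covers must not both be in one order. The two failing specs embedded below are reconstructed from the YAML and error messages on the page; the third is an assumed corrected spec (wildcard plus the apex, which an ACME wildcard does not cover and so is not redundant).

```python
"""Preflight checks for a cert-manager Certificate spec against two ACME rules.

Rule 1 (cert-manager):  a commonName must also appear in dnsNames/ipAddresses.
Rule 2 (Let's Encrypt): *.example.com and api.example.com cannot share an order.
Example code added to this page; it does not talk to a cluster.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    message: str


def wildcard_covers(wildcard: str, name: str) -> bool:
    """True if ACME wildcard `wildcard` (*.base) covers `name`.

    ACME wildcards match exactly one label: *.priz.guru covers api.priz.guru,
    but neither the apex priz.guru nor the deeper a.b.priz.guru.
    """
    if not wildcard.startswith("*."):
        return False
    base = wildcard[2:]
    if not name.endswith("." + base):
        return False
    prefix = name[: -len(base) - 1]
    return prefix != "" and "." not in prefix and prefix != "*"


def redundant_names(dns_names: list[str]) -> list[tuple[str, str]]:
    """(wildcard, covered_name) pairs Let's Encrypt would reject as redundant."""
    wildcards = [n for n in dns_names if n.startswith("*.")]
    return [(w, n) for w in wildcards for n in dns_names
            if n != w and wildcard_covers(w, n)]


def check_certificate_spec(spec: dict) -> list[Finding]:
    """Return all rule violations for a Certificate .spec (empty list = OK)."""
    findings: list[Finding] = []
    dns_names = list(spec.get("dnsNames", []))
    ips = list(spec.get("ipAddresses", []))
    cn = spec.get("commonName")
    if cn is not None and cn not in dns_names and cn not in ips:
        findings.append(Finding(
            "commonName-not-in-sans",
            f'commonName "{cn}" is not in dnsNames {dns_names} or ipAddresses {ips}',
        ))
    for wildcard, name in redundant_names(dns_names):
        findings.append(Finding(
            "redundant-with-wildcard",
            f'"{name}" is redundant with wildcard "{wildcard}" in the same request',
        ))
    return findings


def fixed_dns_names(spec: dict) -> list[str]:
    """Propose a dnsNames list that satisfies both rules.

    Adds the commonName to the SAN list if missing, then drops every name that a
    wildcard in the list already covers (the apex, if present, is kept).
    """
    names = list(spec.get("dnsNames", []))
    cn = spec.get("commonName")
    if cn and cn not in names:
        names.insert(0, cn)
    covered = {name for _, name in redundant_names(names)}
    return [n for n in names if n not in covered]


# Constructed inputs: the two failing specs from the question and an assumed fix.
SPEC_CN_MISSING = {"commonName": "*.priz.guru",
                   "dnsNames": ["appp.priz.guru", "api.priz.guru"]}
SPEC_REDUNDANT = {"dnsNames": ["*.priz.guru", "api.priz.guru"]}
SPEC_FIXED = {"dnsNames": ["*.priz.guru", "priz.guru"]}  # assumed corrected spec

if __name__ == "__main__":
    for label, spec in [("cn-missing", SPEC_CN_MISSING),
                        ("redundant", SPEC_REDUNDANT),
                        ("fixed", SPEC_FIXED)]:
        print(label, [f.message for f in check_certificate_spec(spec)] or "OK")
    print("proposed dnsNames:", fixed_dns_names(SPEC_CN_MISSING))
```

Run it before `kubectl apply` (or drop the checks into a CI step that loads the manifests) so the failure is caught locally instead of surfacing as a failed `CertificateRequest` an hour later; note that the proposed list for the first spec collapses to just `*.priz.guru`, which is exactly the shape the last update on the page ends with.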