terraform-iaac / terraform-kubernetes-cert-manager

Terraform module for Kubernetes Cert Manager


Cert manager unable to update certs

MattCosturos opened this issue · comments

We are using the Kubernetes cert manager, version 2.4.2, along with Let's Encrypt.

Our cert expires in the next few days, and cert-manager is unable to update.

These logs are from the cert-manager-webhook pod.

I am seeing this vague error but I am not sure where to go next for further debugging.

2023-03-15T04:43:55-04:00 I0315 08:43:55.000294       1 dynamic_source.go:169] cert-manager/webhook "msg"="Serving certificate requires renewal, regenerating"  
2023-03-15T04:43:55-04:00 I0315 08:43:55.035562       1 dynamic_source.go:267] cert-manager/webhook "msg"="Updated serving TLS certificate"  
2023-03-15T20:43:54-04:00 I0316 00:43:54.473908       1 authority.go:312] cert-manager/webhook "msg"="Root CA certificate is nearing expiry. Regenerating..."  
2023-03-15T20:43:54-04:00 I0316 00:43:54.519234       1 dynamic_source.go:160] cert-manager/webhook "msg"="Detected root CA rotation - regenerating serving certificates"  
2023-03-15T20:43:54-04:00 I0316 00:43:54.551889       1 dynamic_source.go:267] cert-manager/webhook "msg"="Updated serving TLS certificate"  
2023-03-16T06:43:57-04:00 W0316 10:43:57.028777       1 reflector.go:442] external/io_k8s_client_go/tools/cache/reflector.go:167: watch of *v1.Secret ended with: an error on the server ("unable to decode an event from the watch stream: http2: client connection lost") has prevented the request from succeeding
2023-03-20T12:43:54-04:00 I0320 16:43:54.001357       1 dynamic_source.go:169] cert-manager/webhook "msg"="Serving certificate requires renewal, regenerating"  
2023-03-20T12:43:54-04:00 I0320 16:43:54.035635       1 dynamic_source.go:267] cert-manager/webhook "msg"="Updated serving TLS certificate"

Hello, I think this problem is not related to the module.
But anyway, I am not sure that any issues exist in these logs.

Check also there:

kubectl get CertificateRequest -n NAMESPACE
kubectl get Certificate -n NAMESPACE

In the status you can check whether the certificate is new or whether it can't request a new one.
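The two kubectl commands above tell you whether a renewal went through, with two things worth knowing when reading them: the AGE column is the object's creation time, not the leaf certificate's validity, and the webhook log lines in the report concern the webhook's own serving certificate, not the Let's Encrypt one. What follows is an added example, not code from this module or from cert-manager: it reads the JSON from `kubectl get certificate,certificaterequest -n NAMESPACE -o json` and reports the Certificate's Ready condition, notAfter, renewalTime, and whether the newest CertificateRequest for that Certificate was Approved and issued. The sample objects, the request name le-cluster-domain-k7p2x and the Pending message are constructed for the example; the status fields and the cert-manager.io/certificate-name and cert-manager.io/certificate-revision annotations are the ones cert-manager v1 populates.

```python
"""Triage a cert-manager Certificate and its CertificateRequests from kubectl JSON."""
import copy
import json
import subprocess
import sys
from datetime import datetime, timezone

ANN_NAME = "cert-manager.io/certificate-name"          # cert-manager stamps these on every
ANN_REVISION = "cert-manager.io/certificate-revision"  # CertificateRequest it creates

# Constructed sample shaped like `kubectl get certificate,certificaterequest -o json`:
# a healthy Certificate whose leaf was last renewed at revision 3.
SAMPLE = {"items": [
    {"kind": "Certificate", "metadata": {"name": "le-cluster-domain"},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready", "message": "Certificate is up to date and has not expired"}],
                "notAfter": "2023-05-14T15:05:00Z", "renewalTime": "2023-04-14T15:05:00Z", "revision": 3}},
    {"kind": "CertificateRequest",
     "metadata": {"name": "le-cluster-domain-wr248",
                  "annotations": {ANN_NAME: "le-cluster-domain", ANN_REVISION: "3"}},
     "status": {"conditions": [{"type": "Approved", "status": "True", "reason": "cert-manager.io"}, {"type": "Ready", "status": "True", "reason": "Issued"}]}},
]}

# Same objects, but renewalTime has passed and the request for revision 4 is stuck (constructed).
SAMPLE_STUCK = copy.deepcopy(SAMPLE)
SAMPLE_STUCK["items"][0]["status"]["renewalTime"] = "2023-03-10T15:05:00Z"
SAMPLE_STUCK["items"].append(
    {"kind": "CertificateRequest",
     "metadata": {"name": "le-cluster-domain-k7p2x",
                  "annotations": {ANN_NAME: "le-cluster-domain", ANN_REVISION: "4"}},
     "status": {"conditions": [{"type": "Approved", "status": "True", "reason": "cert-manager.io"},
                               {"type": "Ready", "status": "False", "reason": "Pending",
                                "message": "Waiting on certificate issuance from order"}]}})


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition(obj, ctype):
    # Return the status condition of the given type, or None if absent.
    return next((c for c in obj.get("status", {}).get("conditions", []) if c.get("type") == ctype), None)


def _is_true(obj, ctype):
    cond = _condition(obj, ctype)
    return cond is not None and cond.get("status") == "True"


def triage(doc, cert_name, now):
    """Summarise one Certificate and the newest CertificateRequest annotated with its name."""
    items = doc.get("items", [])
    cert = next((i for i in items if i.get("kind") == "Certificate"
                 and i["metadata"]["name"] == cert_name), None)
    if cert is None:
        raise LookupError(f"no Certificate named {cert_name}")
    status = cert.get("status", {})
    cert_rev = int(status.get("revision", 0))
    requests = [i for i in items if i.get("kind") == "CertificateRequest"
                and i["metadata"].get("annotations", {}).get(ANN_NAME) == cert_name]
    latest = max(requests, default=None,
                 key=lambda r: int(r["metadata"]["annotations"].get(ANN_REVISION, "0")))
    latest_rev = int(latest["metadata"]["annotations"].get(ANN_REVISION, "0")) if latest else 0
    not_after = _parse_time(status["notAfter"]) if status.get("notAfter") else None
    renewal = _parse_time(status["renewalTime"]) if status.get("renewalTime") else None
    days_left = (not_after - now).days if not_after else None

    findings = []
    ready = _condition(cert, "Ready") or {}
    if ready.get("status") != "True":
        findings.append("Certificate not Ready: " + (ready.get("message") or ready.get("reason") or "no Ready condition"))
    if not_after is not None and not_after <= now:
        findings.append("leaf certificate has already expired")
    elif days_left is not None and days_left < 7:
        findings.append(f"leaf certificate expires in {days_left} days")
    if latest is None:
        findings.append("no CertificateRequest carries this Certificate's name annotation")
    elif latest_rev > cert_rev and not _is_true(latest, "Ready"):
        # A request for the next revision exists but was never issued: renewal is stuck here.
        rc = _condition(latest, "Ready") or {}
        state = ("denied" if _is_true(latest, "Denied")
                 else "unapproved" if not _is_true(latest, "Approved") else "pending")
        findings.append(f"renewal request {latest['metadata']['name']} {state}: "
                        f"{rc.get('reason', '')}: {rc.get('message', '')}")
    elif renewal is not None and renewal <= now:
        # renewalTime passed and no request for a newer revision was ever created.
        findings.append("renewalTime has passed but no new CertificateRequest exists; "
                        "check the cert-manager controller logs, not the webhook's")

    return {"ready": _is_true(cert, "Ready"), "not_after": not_after, "days_left": days_left,
            "renewal_time": renewal, "revision": cert_rev,
            "latest_request": latest["metadata"]["name"] if latest else None,
            "findings": findings}


if __name__ == "__main__":
    # Usage: python triage.py NAMESPACE CERTIFICATE reads the live cluster; no args runs the stuck sample.
    if len(sys.argv) == 3:
        out = subprocess.run(["kubectl", "get", "certificate,certificaterequest", "-n", sys.argv[1],
                              "-o", "json"], check=True, capture_output=True, text=True).stdout
        result = triage(json.loads(out), sys.argv[2], datetime.now(timezone.utc))
    else:
        result = triage(SAMPLE_STUCK, "le-cluster-domain", datetime(2023, 3, 16, tzinfo=timezone.utc))
    print(json.dumps(result, indent=2, default=str))
```

A healthy renewal looks like the healthy sample: the Certificate stays Ready, its revision matches the newest CertificateRequest, and notAfter moves forward while the object's age does not. A stuck renewal shows up as a CertificateRequest for the next revision that is Approved but not Ready; the message on its Ready condition is the lead to follow, for an ACME issuer into the Order and Challenge objects. If renewalTime has passed and no newer request exists at all, the controller never acted, which is a controller problem rather than a webhook one.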

watch of *v1.Secret ended with: an error on the server ("unable to decode an event from the watch stream: http2: client connection lost") has prevented the request from succeeding

That seems like it is "not good", but I agree with you it doesn't seem to be a problem with the module or the terraform block.

Running those 2 commands, I see there is a CertificateRequest that is 30d old, which is approved and ready.
The Cert is 89 days old.

We used v2.4.2 of the terraform block, which deploys v1.7.1 of the cert manager. We are in the process of updating to 2.5.0 and cert-manager 1.11.0 to see if this will get resolved.

Any other ideas where to look based on this cert / request info below?

kubectl get CertificateRequest -n my-namespace
NAME                      APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
le-cluster-domain-wr248   True                True    cert-manager-global   system:serviceaccount:cert-manager:cert-manager   30d

kubectl get Certificate -n my-namespace
NAME                READY   SECRET              AGE
le-cluster-domain   True    le-cluster-domain   89d

The cert is 89 days old since that was when I made the namespace. It was being updated correctly.
We are running into an issue with Azure AppGateway. The terraform module and cert-manager pod are all working correctly.
Sorry to bother you!