Certificate status doesn't recover from failed state
We have a lot of failed certs in CI since we switched to ZeroSSL, and I hope this gets better moving to another CA. However, there also seems to be sth wrong with cert-manager. I was investigating the droplet used for !681 (merged), where only the sso cert is still not valid. I wrote a script that summarized cert-manager resources (attached: k8s_debug_cert_manager.sh). The output shows that only the certificate resource it self is failing, although the secret already holds the proper zerossl cert:
❯ ~/bin/k8s_debug_cert_manager.sh
Issuers:
No resources found in default namespace.
ClusterIssuers:
NAME READY AGE
letsencrypt-issuer True 3h48m
zerossl-issuer True 3h48m
Challenges:
No resources found
Orders:
NAMESPACE NAME STATE AGE
stackspin dashboard.1077-possible-loki-mem-leak.ci.stackspin.n-2821898803 valid 3h44m
stackspin alertmanager-tls-952q9-2580165342 valid 3h47m
stackspin single-sign-on-userpanel.tls-9q2rj-4061664042 valid 3h48m
stackspin grafana-tls-w5dbf-1045808427 valid 3h47m
stackspin prometheus-tls-7bc44-2182223537 valid 100m
stackspin hydra-public.tls-hwgz9-4285727226 valid 39m
Certificaterequest:
NAMESPACE NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
stackspin dashboard.1077-possible-loki-mem-leak.ci.stackspin.n-bcr89 True True zerossl-issuer system:serviceaccount:cert-manager:cert-manager 3h44m
stackspin alertmanager-tls-952q9 True True zerossl-issuer system:serviceaccount:cert-manager:cert-manager 3h47m
stackspin single-sign-on-userpanel.tls-9q2rj True True zerossl-issuer system:serviceaccount:cert-manager:cert-manager 3h48m
stackspin grafana-tls-w5dbf True True zerossl-issuer system:serviceaccount:cert-manager:cert-manager 3h47m
stackspin prometheus-tls-7bc44 True True zerossl-issuer system:serviceaccount:cert-manager:cert-manager 100m
stackspin hydra-public.tls-hwgz9 True True zerossl-issuer system:serviceaccount:cert-manager:cert-manager 39m
Certificates:
NAMESPACE NAME READY SECRET AGE
stackspin dashboard.1077-possible-loki-mem-leak.ci.stackspin.net-tls True dashboard.1077-possible-loki-mem-leak.ci.stackspin.net-tls 3h44m
stackspin alertmanager-tls True alertmanager-tls 3h47m
stackspin single-sign-on-userpanel.tls True single-sign-on-userpanel.tls 3h48m
stackspin grafana-tls True grafana-tls 3h47m
stackspin prometheus-tls True prometheus-tls 3h47m
stackspin hydra-public.tls False hydra-public.tls 3h48m
Certificate resource issuers:
dashboard.1077-possible-loki-mem-leak.ci.stackspin.net-tls: zerossl-issuer
alertmanager-tls: zerossl-issuer
single-sign-on-userpanel.tls: zerossl-issuer
grafana-tls: zerossl-issuer
prometheus-tls: zerossl-issuer
hydra-public.tls: zerossl-issuer
Secrets:
NAMESPACE NAME TYPE DATA AGE
kube-system k3s-serving kubernetes.io/tls 2 3h52m
stackspin dashboard.1077-possible-loki-mem-leak.ci.stackspin.net-tls kubernetes.io/tls 2 3h41m
stackspin alertmanager-tls kubernetes.io/tls 2 3h40m
stackspin single-sign-on-userpanel.tls kubernetes.io/tls 2 3h40m
stackspin grafana-tls kubernetes.io/tls 2 3h35m
stackspin prometheus-tls kubernetes.io/tls 2 99m
Certificate secrets and actual issuers:
kube-system/k3s-serving: issuer=CN = k3s-server-ca@1639391072 subject=O = k3s, CN = k3s
stackspin/dashboard.1077-possible-loki-mem-leak.ci.stackspin.net-tls: issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA subject=CN = dashboard.1077-possible-loki-mem-leak.ci.stackspin.net
stackspin/alertmanager-tls: issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA subject=CN = alertmanager.1077-possible-loki-mem-leak.ci.stackspin.net
stackspin/single-sign-on-userpanel.tls: issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA subject=CN = admin.1077-possible-loki-mem-leak.ci.stackspin.net
stackspin/grafana-tls: issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA subject=CN = grafana.1077-possible-loki-mem-leak.ci.stackspin.net
stackspin/prometheus-tls: issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA subject=CN = prometheus.1077-possible-loki-mem-leak.ci.stackspin.netI don't know how to trigger another evaluation of the cert resource, since everything else is there.
Activity
changed milestone to %0.8.0
added Certificates label
This is the failed cert:
❯ kc -n stackspin describe certificate hydra-public.tls Name: hydra-public.tls Namespace: stackspin Labels: app.kubernetes.io/instance=single-sign-on app.kubernetes.io/managed-by=Helm app.kubernetes.io/name=hydra app.kubernetes.io/version=v1.10.5 helm.sh/chart=hydra-0.21.0 helm.toolkit.fluxcd.io/name=single-sign-on helm.toolkit.fluxcd.io/namespace=stackspin Annotations: <none> API Version: cert-manager.io/v1 Kind: Certificate Metadata: Creation Timestamp: 2021-12-13T10:28:38Z Generation: 1 Managed Fields: API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:labels: .: f:app.kubernetes.io/instance: f:app.kubernetes.io/managed-by: f:app.kubernetes.io/name: f:app.kubernetes.io/version: f:helm.sh/chart: f:helm.toolkit.fluxcd.io/name: f:helm.toolkit.fluxcd.io/namespace: f:ownerReferences: .: k:{"uid":"81d5a3a1-0d15-4e39-a785-e37c88ee817c"}: .: f:apiVersion: f:blockOwnerDeletion: f:controller: f:kind: f:name: f:uid: f:spec: .: f:dnsNames: f:issuerRef: .: f:group: f:kind: f:name: f:secretName: f:usages: f:status: .: f:conditions: f:lastFailureTime: Manager: controller Operation: Update Time: 2021-12-13T13:37:41Z Owner References: API Version: networking.k8s.io/v1 Block Owner Deletion: true Controller: true Kind: Ingress Name: single-sign-on-hydra-public UID: 81d5a3a1-0d15-4e39-a785-e37c88ee817c Resource Version: 22224 UID: a09c29ae-5d84-4154-b5b4-981f3afc0460 Spec: Dns Names: sso.1077-possible-loki-mem-leak.ci.stackspin.net Issuer Ref: Group: cert-manager.io Kind: ClusterIssuer Name: zerossl-issuer Secret Name: hydra-public.tls Usages: digital signature key encipherment Status: Conditions: Last Transition Time: 2021-12-13T13:37:41Z Message: The certificate request has failed to complete and will be retried: Failed to wait for order resource "hydra-public.tls-pcgsh-4285727226" to become ready: order is in "errored" state: Failed to finalize Order: 403 urn:ietf:params:acme:error:orderNotReady: The request attempted to finalize an order that is not ready to be finalized Observed Generation: 1 Reason: Failed Status: False Type: Issuing Last Transition Time: 2021-12-13T10:28:38Z Message: Issuing certificate as Secret does not exist Observed Generation: 1 Reason: DoesNotExist Status: False Type: Ready Last Failure Time: 2021-12-13T13:37:41Z Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Generated 3h59m cert-manager Stored new private key in temporary Secret resource "hydra-public.tls-gqb6q" Normal Requested 3h59m cert-manager Created new CertificateRequest resource "hydra-public.tls-s62fw" Normal Generated 176m cert-manager Stored new private key in temporary Secret resource "hydra-public.tls-nl7xc" Warning Failed 176m (x2 over 3h56m) cert-manager The certificate request has failed to complete and will be retried: Failed to wait for order resource "hydra-public.tls-s62fw-4285727226" to become ready: order is in "errored" state: Failed to finalize Order: 403 urn:ietf:params:acme:error:orderNotReady: The request attempted to finalize an order that is not ready to be finalized Normal Requested 176m cert-manager Created new CertificateRequest resource "hydra-public.tls-nwh2z" Normal Generated 116m cert-manager Stored new private key in temporary Secret resource "hydra-public.tls-kh6tt" Normal Requested 116m cert-manager Created new CertificateRequest resource "hydra-public.tls-pcgsh" Normal Issuing 50m (x4 over 3h59m) cert-manager Issuing certificate as Secret does not exist Normal Generated 50m cert-manager Stored new private key in temporary Secret resource "hydra-public.tls-mv2d9" Warning Failed 50m (x2 over 110m) cert-manager The certificate request has failed to complete and will be retried: Failed to wait for order resource "hydra-public.tls-pcgsh-4285727226" to become ready: order is in "errored" state: Failed to finalize Order: 403 urn:ietf:params:acme:error:orderNotReady: The request attempted to finalize an order that is not ready to be finalized Normal Requested 50m cert-manager Created new CertificateRequest resource "hydra-public.tls-hwgz9"mentioned in merge request !689 (merged)
mentioned in commit 265b434a
closed with merge request !689 (merged)
Please register or sign in to reply