Tags: kubernetes, cert-manager

No tls.crt on certificate secret


I am creating a ClusterIssuer and a Certificate. However, there is no tls.crt on the secret! What am I doing wrong?

The ClusterIssuer looks like it is running fine, but neither of the keys has the crt

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-myapp-clusterissuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: wildcard-myapp-com
    solvers:
      - dns01:
          cloudDNS:
            serviceAccountSecretRef:
              name: clouddns-service-account
              key: dns-service-account.json
            project: app
        selector:
          dnsNames:
            - '*.myapp.com'
            - myapp.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-com-tls
  namespace: cert-manager
spec:
  secretName: myapp-com-tls
  issuerRef:
    name: letsencrypt-myapp-issuer
    kind: ClusterIssuer
  commonName: '*.myapp.com'
  dnsNames:
    - 'myapp.com'
    - '*.myapp.com'


Solution

  • With the information provided it is very hard to troubleshoot this, you could be hitting this bug.

    You can start troubleshooting this kind of issue by following this procedure:

    1. Get the certificate request name:
    kubectl -n <namespace> describe certificate myapp-com-tls
    ...
    Created new CertificateRequest resource "myapp-com-tls-xxxxxxx"

    2. The request will generate an order, get the order name with the command:
    kubectl -n <namespace> describe certificaterequests myapp-com-tls-xxxxxxx
    …
    Created Order resource <namespace>/myapp-com-tls-xxxxxxx-xxxxx

    3. The order will generate a challenge resource, get that with:
    kubectl -n <namespace> describe order myapp-com-tls-xxxxxxx-xxxxx
    …
    Created Challenge resource "myapp-com-tls-xxxxxxx-xxxxx-xxxxx" for domain "yourdomain.com"

    4. Finally, with the challenge name, you can get the status of the validation for your certificate:
    kubectl -n <namespace> describe challenges myapp-com-tls-xxxxxxx-xxxxx-xxxxx
    ...
      Reason:      Successfully authorized domain
    ...
      Normal  Started         2m45s  cert-manager  Challenge scheduled for processing
      Normal  Presented       2m45s  cert-manager  Presented challenge using http-01 challenge mechanism
      Normal  DomainVerified  2m22s  cert-manager  Domain "yourdomain.com" verified with "http-01" validation


    If the status of the challenge is other than DomainVerified, then something went wrong while requesting the certificate from Let's Encrypt and you will see a reason in the output.
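A small pre-apply lint, added here as an example and not part of the question or the answer above, that catches the one inconsistency visible in the posted manifests before `kubectl apply`: the Certificate's `issuerRef` names `letsencrypt-myapp-issuer` while the ClusterIssuer is called `letsencrypt-myapp-clusterissuer`, and a Certificate whose issuer does not exist can never be issued, so its secret never gets a `tls.crt`. The lint works on already-parsed manifest dicts (loading the YAML with any YAML library is assumed to happen beforehand); the second check, that `secretName` does not collide with an issuer's ACME account-key secret, is this example's own addition.

```python
from copy import deepcopy

def lint_issuer_refs(docs):
    """Return findings for Certificates whose issuerRef resolves to no Issuer or
    ClusterIssuer in the bundle, or whose secretName collides with the ACME
    account-key secret (privateKeySecretRef) of an issuer."""
    issuers, acme_key_secrets = set(), set()
    for d in docs:
        if d.get("kind") in ("Issuer", "ClusterIssuer"):
            meta = d.get("metadata", {})
            # Issuer is namespaced; ClusterIssuer is cluster-scoped, so any
            # metadata.namespace on it is ignored, as the API server does.
            ns = meta.get("namespace") if d["kind"] == "Issuer" else None
            issuers.add((d["kind"], ns, meta.get("name")))
            key_ref = d.get("spec", {}).get("acme", {}).get("privateKeySecretRef", {})
            if key_ref.get("name"):
                acme_key_secrets.add(key_ref["name"])
    findings = []
    for d in docs:
        if d.get("kind") != "Certificate":
            continue
        meta, spec = d.get("metadata", {}), d.get("spec", {})
        ref = spec.get("issuerRef", {})
        kind = ref.get("kind", "Issuer")  # cert-manager defaults the kind to Issuer
        ns = meta.get("namespace") if kind == "Issuer" else None
        if (kind, ns, ref.get("name")) not in issuers:
            findings.append(f"{meta.get('name')}: issuerRef {kind}/{ref.get('name')} "
                            "matches no Issuer/ClusterIssuer in the bundle")
        if spec.get("secretName") in acme_key_secrets:
            findings.append(f"{meta.get('name')}: secretName {spec['secretName']} "
                            "is also an ACME account-key secret; use a different name")
    return findings

# Constructed sample mirroring the question's manifests (trimmed to the fields
# the lint inspects); note the issuerRef name differs from the ClusterIssuer name.
SAMPLE_DOCS = [
    {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-myapp-clusterissuer", "namespace": "cert-manager"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "wildcard-myapp-com"}}}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
     "metadata": {"name": "myapp-com-tls", "namespace": "cert-manager"},
     "spec": {"secretName": "myapp-com-tls",
              "issuerRef": {"name": "letsencrypt-myapp-issuer", "kind": "ClusterIssuer"}}},
]

def fixed_sample():
    """The same bundle with issuerRef pointed at the ClusterIssuer that exists."""
    docs = deepcopy(SAMPLE_DOCS)
    docs[1]["spec"]["issuerRef"]["name"] = "letsencrypt-myapp-clusterissuer"
    return docs
```

Running `lint_issuer_refs(SAMPLE_DOCS)` reports the dangling issuerRef; on the corrected bundle it returns no findings.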