
I tried setting ssl to my domain with cert manager in k8s.

Firstly, I created 2 services and applied the ingress, so that I can access my service with http request.

Then I installed cert-manager with the yml file

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml

After that, I set up the issuer and certificate

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    # Staging API
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: miniapi-staging
  namespace: default
spec:
  secretName: miniapi-staging-certificate
  issuerRef:
    name: letsencrypt-staging
  commonName: xx1.xx.xxx
  dnsNames:
  - xx1.xx.xxx
  - xx2.xx.xxx

I described Certificate, it showed me

Issuing certificate as Secret does not exist

Then I described challenge, it showed me some pending error

Waiting for HTTP-01 challenge propagation: failed to perform self check GET request ‘http://xxx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs’: Get "http://xx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs": EOF

And I checked that the URL above is valid; it showed me one long line string (I have modified the real URLs).

I tried so many times but it’s the same error, so what am I doing wrong? Hope someone could save me from this.

BTW k8s is so hard to learn, how do you guys learn it 🥲

2 Answers


  1. That message means that cert-manager can see that you have requested a Certificate and it doesn’t have one already so it needs to create (issue) one for you.

    As for why the issuance is stuck on the self-check, confirm that retrieving that URL works from inside the cluster, as well as from outside.

  2. To troubleshoot this error message, I followed the certificate lifecycle flow.

    To sum it up, the resources that we are interested in are the certificate, certificaterequest, order and challenge. I used kubectl get and kubectl describe to understand the status of these resources.

    I started deleting resources that were already created, which should be immediately recreated after deletion. Given that the flow is:

    certificate -> certificaterequest -> order -> challenge

    I started deleting and observing the effect from the end of the flow, hence following the opposite flow order: challenge, then order, then certificaterequest and finally the certificate. This didn’t work, but after carefully looking at all the resources again, I noticed that deleting the challenge had failed. And because of that, a second challenge that had been created was not being processed. This happened most likely because the first challenge was manually deleted from the DNS Zone while it was still being processed.

    In order to address this, it is necessary to delete the first challenge. In this GitHub answer you can see how to do that.

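As an added example (not part of the question or of either answer above), the script below puts both answers into one runnable check: it walks the certificate -> certificaterequest -> order -> challenge chain with kubectl get, reads the token and expected key authorization from each pending Challenge, fetches the challenge URL from inside the cluster (a throwaway curl pod) and from the machine running the script, and verifies that both responses carry the key cert-manager expects. It assumes a configured kubectl, that the curlimages/curl image can be pulled, and the Certificate name and namespace from the question; the `key_matches` helper is a pure function so it can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: verify an HTTP-01 challenge end to end (not from the original post).
# Assumes: kubectl is configured for the cluster, the curlimages/curl image is
# pullable, and the Certificate is the one from the question (miniapi-staging/default).
set -eu

CERT="${1:-miniapi-staging}"   # Certificate name (assumed default from the question)
NS="${2:-default}"             # namespace (assumed default from the question)

# 1. Follow the issuance flow in order and show each resource's state.
walk_chain() {
    echo "== Certificate $CERT =="
    kubectl -n "$NS" get certificate "$CERT" -o wide
    echo "== CertificateRequests =="
    kubectl -n "$NS" get certificaterequest -o wide
    echo "== Orders =="
    kubectl -n "$NS" get order -o wide
    echo "== Challenges =="
    kubectl -n "$NS" get challenge -o wide
}

# 2. For every Challenge, print "<dnsName> <token> <key>"; .spec.key is the
#    key authorization the ACME server (and cert-manager's self check) expects.
challenge_fields() {
    kubectl -n "$NS" get challenge -o \
      jsonpath='{range .items[*]}{.spec.dnsName} {.spec.token} {.spec.key}{"\n"}{end}'
}

# 3. Fetch the challenge URL from inside the cluster (where the self check runs)
#    and from outside (where Let's Encrypt validates). Both must return the key.
fetch_in_cluster() {
    host="$1"; token="$2"
    kubectl -n "$NS" run acme-selfcheck --rm -i --restart=Never \
      --image=curlimages/curl -- -s "http://$host/.well-known/acme-challenge/$token"
}
fetch_outside() {
    host="$1"; token="$2"
    curl -s "http://$host/.well-known/acme-challenge/$token"
}

# 4. Pure check: a valid HTTP-01 response body is "<token>.<thumbprint>" and must
#    equal the Challenge's .spec.key. Surrounding whitespace/newlines are ignored
#    because some servers append a newline; an empty body (EOF) fails.
key_matches() {
    body="$1"; token="$2"; expected_key="$3"
    body_trimmed="$(printf '%s' "$body" | tr -d '[:space:]')"
    case "$body_trimmed" in
        "$token".*) [ "$body_trimmed" = "$expected_key" ] ;;
        *) return 1 ;;
    esac
}

main() {
    walk_chain
    challenge_fields | while read -r host token key; do
        [ -n "$host" ] || continue
        echo "checking http://$host/.well-known/acme-challenge/$token"
        inside="$(fetch_in_cluster "$host" "$token" || true)"
        outside="$(fetch_outside "$host" "$token" || true)"
        if key_matches "$inside" "$token" "$key"; then echo "inside:  ok"
        else echo "inside:  unreachable or wrong body: '$inside'"; fi
        if key_matches "$outside" "$token" "$key"; then echo "outside: ok"
        else echo "outside: unreachable or wrong body: '$outside'"; fi
    done
}

# Run the live checks only when a Certificate name is passed explicitly, so the
# helper functions can be sourced and tested without a cluster.
if [ $# -gt 0 ]; then main; fi
```

Usage: `sh check-acme.sh miniapi-staging default`. An "inside" failure with an "outside" success points at in-cluster routing to the ingress (the situation behind the EOF in the question's self check); an "outside" failure points at DNS or the public ingress. If a Challenge shows up in `walk_chain` but never progresses, the second answer's remedy of deleting the stale Challenge so cert-manager recreates it applies.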