
I’ve been trying to roll out an environment on Kubernetes using Let's Encrypt with cert-manager to provision certificates.

However, it seems that the certificate, for whatever reason, can’t be provided.
I’ve been going through the steps over at
https://cert-manager.io/docs/faq/troubleshooting/ but I get stuck on ‘Stored new private key in temporary Secret Resource "xxx"’, and I cannot find any troubleshooting steps to solve this.

The events list from my past few attempts to reset the certificate

My ingress.yaml looks as follows:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: myname-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  tls:
  - hosts:
    - app.mydomain.io
    secretName: tls-secret
  rules:
  - host: app.mydomain.io
    http:
      paths:
      - backend:
          serviceName: mydomain-identity-v1
          servicePort: 80
        path: /login(/|$)(.*)
      - backend:
          serviceName: mydomain-account-v1
          servicePort: 80
        path: /account(/|$)(.*)

With the following cluster-issuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ***
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

I have followed the following guide to get everything installed:
https://learn.microsoft.com/en-us/azure/aks/ingress-static-ip#create-a-ca-cluster-issuer

It works fine on our development environment; however, on this new environment it does not seem to issue an actual CertificateRequest. The ClusterIssuer resource shows as Ready.

Has anyone encountered this before, or know what to do? My searches so far have yielded nothing.
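One way to see exactly where the issuance chain stops, as an added example that is not part of this thread: a small Python helper that follows the ownerReferences cert-manager sets from the Certificate to its CertificateRequest, Order and Challenge, over the shape of `kubectl get <kind> -A -o json` output. The sample dump is constructed; the `prod` namespace, the resource names and the uids are assumptions.

```python
"""Walk cert-manager's ownership chain Certificate -> CertificateRequest -> Order -> Challenge
and report the deepest resource found, i.e. the step at which issuance stalled."""
CHAIN = ["Certificate", "CertificateRequest", "Order", "Challenge"]
def state(res):
    """Ready condition (Certificate/CertificateRequest) or state/reason (Order/Challenge)."""
    st = res.get("status", {})
    if "state" in st:
        return "state=%s reason=%s" % (st["state"], st.get("reason", ""))
    for c in st.get("conditions", []):
        if c.get("type") == "Ready":
            return "Ready=%s reason=%s: %s" % (c.get("status"), c.get("reason"), c.get("message"))
    return "no status reported"
def owned_by(items, parent_uid):
    """Resources whose ownerReferences point at parent_uid, oldest first."""
    kids = [i for i in items
            if any(r.get("uid") == parent_uid for r in i["metadata"].get("ownerReferences", []))]
    return sorted(kids, key=lambda i: i["metadata"].get("creationTimestamp", ""))
def diagnose(dump, namespace, cert_name):
    """dump maps kind -> items (as in `kubectl get <kind> -A -o json`); returns (kind, name, state)."""
    cur = next((c for c in dump["Certificate"] if c["metadata"]["namespace"] == namespace
                and c["metadata"]["name"] == cert_name), None)
    if cur is None:
        return ("Certificate", cert_name, "not found in namespace " + namespace)
    kind = "Certificate"
    for child_kind in CHAIN[1:]:
        kids = owned_by(dump.get(child_kind, []), cur["metadata"]["uid"])
        if not kids:
            break  # the controller never created the next resource: this is where to look
        cur, kind = kids[-1], child_kind  # follow the newest attempt
    return (kind, cur["metadata"]["name"], state(cur))
def meta(name, uid, owner=None):  # constructed metadata stub; real objects carry many more fields
    return {"name": name, "namespace": "prod", "uid": uid,
            "ownerReferences": [{"uid": owner}] if owner else []}

# Constructed sample dump. "tls-secret" mirrors the question: Issuing=True, yet no
# CertificateRequest exists. "other-cert" is a healthy chain waiting on its HTTP-01 challenge.
SAMPLE = {
    "Certificate": [
        {"metadata": meta("tls-secret", "c1"), "status": {"conditions": [
            {"type": "Ready", "status": "False", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
            {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"}]}},
        {"metadata": meta("other-cert", "c2"), "status": {"conditions": [
            {"type": "Ready", "status": "False", "reason": "InProgress", "message": "Waiting for CR"}]}}],
    "CertificateRequest": [{"metadata": meta("other-cert-1", "r2", "c2"), "status": {"conditions": [
        {"type": "Ready", "status": "False", "reason": "Pending", "message": "Waiting on order"}]}}],
    "Order": [{"metadata": meta("other-cert-1-10", "o2", "r2"), "status": {"state": "pending"}}],
    "Challenge": [{"metadata": meta("other-cert-1-10-7", "h2", "o2"),
                   "status": {"state": "pending", "reason": "Waiting for HTTP-01 propagation"}}],
}
```

Against a real cluster, feed `diagnose` the `items` lists of `kubectl get certificate,certificaterequest,order,challenge -A -o json` keyed by kind; a chain that ends at the Certificate with Issuing=True, as in this question, points at the cert-manager controller itself rather than at the ACME challenge.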

2 Answers


  1. Chosen as BEST ANSWER

    I was using a newer version of cert-manager on this environment than I was on the other one. There must have been some mismatch between my Kubernetes version and the version of cert-manager causing the issue. By reverting to the same cert-manager version, the problem has resolved itself.


  2. I have done this implementation successfully in Azure AKS clusters; you can follow this approach:

    1. Install cert-manager from here
    2. Then follow these steps from this stackoverflow post

    Make one ClusterIssuer, or you can make individual Issuers too. Once you patch the hostname onto the ingress, the TLS certificate in that namespace will be auto-generated by Jetstack after the acme-challenge validation.

    Kindly make sure to map the IP of the load balancer (nginx/traefik etc.) to the DNS hostname.
