cert-manager: Cannot get certificateRequest after dns change

Hello, I have deployed kube-prometheus-stack with helm. Actually, the certificate for prometheus and alert-manager is OK, but not for grafana. The certificate is stuck at the “Issuing” step; no CertificateRequest is created.

Ingress logs

Normal  CreateCertificate  19m (x13 over 23d)  cert-manager  Successfully created Certificate "grafana-general-tls"

Certs logs

Normal  Issuing    20m   cert-manager  Issuing certificate as Secret does not exist

ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: xxx@xxx.xx
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx

helm values for grafana

grafana:
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      certmanager.k8s.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/ingress.class: nginx
      kubernetes.io/tls-acme: "true"
    hosts:
      - grafana.mydomain.com
    tls:
    - hosts:
      - grafana.mydomain.com
      secretName: grafana-general-tls

IngressClass

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  creationTimestamp: "2021-12-20T16:04:59Z"
  generation: 1
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 1.0.5
    helm.sh/chart: ingress-nginx-4.0.7
  name: nginx
  resourceVersion: "349268769"
  selfLink: /apis/networking.k8s.io/v1/ingressclasses/nginx
spec:
  controller: k8s.io/ingress-nginx

Expected behaviour:

Steps to reproduce the bug: Deploy kube-prometheus-stack with a domain name for grafana, delete it, and redeploy with another domain name.

Environment details:

  • Kubernetes version: v1.19.15-eks-9c63c4
  • Cloud-provider/provisioner: aws
  • cert-manager version: v1.7.0
  • Install method: helm

/kind bug

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 20

Most upvoted comments

Looking at the configs here https://github.com/jetstack/cert-manager/issues/4790#issuecomment-1023307237, I see two MutatingWebhookConfigurations that both seem to apply to cert-manager resources: one called gitlab-certmanager-webhook for cert-manager v1.2 and one called cert-manager-webhook for cert-manager v1.7.

I guess you have some leftovers from cert-manager v1.2.
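
A way to check a cluster for the overlap described in the comment above, as an added example that is not part of the original thread: it scans webhook configurations for rules on the cert-manager API groups and reports when more than one configuration intercepts them. The embedded sample is constructed; only the two configuration names come from the thread, and the function names, namespaces, services and rules are assumptions.

```python
import json

# Constructed sample in the shape of `kubectl get mutatingwebhookconfigurations -o json`.
# The first two names are from the comment above; namespaces, services, rules and the
# third entry are invented for illustration.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "gitlab-certmanager-webhook"},
  "webhooks": [{"name": "webhook.cert-manager.io",
    "clientConfig": {"service": {"namespace": "gitlab", "name": "gitlab-certmanager-webhook"}},
    "rules": [{"apiGroups": ["cert-manager.io", "acme.cert-manager.io"], "resources": ["*/*"]}]}]},
 {"metadata": {"name": "cert-manager-webhook"},
  "webhooks": [{"name": "webhook.cert-manager.io",
    "clientConfig": {"service": {"namespace": "cert-manager", "name": "cert-manager-webhook"}},
    "rules": [{"apiGroups": ["cert-manager.io", "acme.cert-manager.io"], "resources": ["*/*"]}]}]},
 {"metadata": {"name": "example-pod-injector"},
  "webhooks": [{"name": "inject.example.test",
    "clientConfig": {"url": "https://injector.example.test/mutate"},
    "rules": [{"apiGroups": [""], "resources": ["pods"]}]}]}
]}
""")

GROUP = "cert-manager.io"

def cert_manager_webhooks(config_list):
    """Map each webhook configuration that names a cert-manager API group to its backends."""
    hits = {}
    for cfg in config_list.get("items", []):
        for hook in cfg.get("webhooks") or []:
            groups = [g for rule in hook.get("rules") or [] for g in rule.get("apiGroups") or []]
            if not any(g == GROUP or g.endswith("." + GROUP) for g in groups):
                continue  # explicit group names only; "*" wildcards are not expanded here
            client = hook.get("clientConfig") or {}
            svc = client.get("service")
            backend = f"{svc['namespace']}/{svc['name']}" if svc else client.get("url", "unknown")
            hits.setdefault(cfg["metadata"]["name"], set()).add(backend)
    return {name: sorted(backends) for name, backends in hits.items()}

def overlapping(config_list):
    """Return the matches only when more than one configuration intercepts cert-manager objects."""
    hits = cert_manager_webhooks(config_list)
    return hits if len(hits) > 1 else {}

if __name__ == "__main__":
    for name, backends in overlapping(SAMPLE).items():
        print(f"{name} -> {', '.join(backends)}")
```

To run it against a real cluster, replace `SAMPLE` with the parsed output of `kubectl get mutatingwebhookconfigurations -o json`; ValidatingWebhookConfigurations have the same shape and can be checked the same way.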