cert-manager: message: Certificate does not exist

Describe the bug: cert-manager is up and running, but it does not issue certificates for the domain

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  clusterName: ""
  creationTimestamp: 2019-02-07T16:45:40Z
  generation: 1
  name: custom-crt
  namespace: default
  ...
spec:
  acme:
    config:
    - domains:
      - custom.mydomain.com
      http01:
        ingress: ""
        ingressClass: nginx
  dnsNames:
  - custom.mydomain.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-staging
  secretName: custom-crt
status:
  conditions:
  - lastTransitionTime: 2019-02-07T16:45:40Z
    message: Certificate does not exist
    reason: NotFound
    status: "False"
    type: Ready

Webhook certificates look ok

Expected behaviour: Certificate should be ready and “status: True”

Steps to reproduce the bug: Follow quickstart guide

Anything else we need to know?:

Environment details:

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.7", GitCommit:"0c38c362511b20a098d7cd855f1314dad92c2780", GitTreeState:"clean", BuildDate:"2018-08-20T10:09:03Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.12-gke.1", GitCommit:"8c6cac7466d8b36ead34f89822e37eb6e4e011c8", GitTreeState:"clean", BuildDate:"2019-01-15T19:48:39Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud-provider/provisioner GKE
  • cert-manager version: v0.6.0
  • Helm stable

/kind bug

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 16
  • Comments: 26 (2 by maintainers)

Most upvoted comments

Same issue here

Certificate config

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: kanter-online
spec:
  secretName: kanter-online-tls
  issuerRef:
    name: letsencrypt-staging
    Kind: ClusterIssuer
  commonName: kanter.online
  dnsNames:
    - '*.kanter.online'
    - kanter.online
  acme:
    config:
    - dns01:
        provider: prod-digitalocean
      domains:
        - '*.kanter.online'
        - kanter.online

Generated Certificate resource

Status:
  Conditions:
    Last Transition Time:  2019-03-11T21:03:27Z
    Message:               Certificate does not exist
    Reason:                NotFound
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age                From          Message
  ----    ------        ----               ----          -------
  Normal  Generated     15m                cert-manager  Generated new private key
  Normal  OrderCreated  15m (x2 over 20m)  cert-manager  Created Order resource "kanter-online-2395761798"

The ca.crt and tls.crt are empty:

Name:         kanter-online
Namespace:    dev
Labels:       certmanager.k8s.io/certificate-name=kanter-online
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1675 bytes

cert-manager controller logs

I0311 21:08:38.940227       1 sync.go:323] Waiting for all challenges for order "kanter-online-2395761798" to enter 'valid' state
I0311 21:08:38.940250       1 controller.go:189] orders controller: Finished processing work item "dev/kanter-online-2395761798"
I0311 21:08:38.940287       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
I0311 21:08:38.940462       1 logger.go:68] Calling GetChallenge
I0311 21:08:39.175896       1 controller.go:183] orders controller: syncing item 'dev/kanter-online-2395761798'
I0311 21:08:39.176308       1 sync.go:274] Need to create 0 challenges
I0311 21:08:39.176442       1 sync.go:323] Waiting for all challenges for order "kanter-online-2395761798" to enter 'valid' state
I0311 21:08:39.176542       1 controller.go:189] orders controller: Finished processing work item "dev/kanter-online-2395761798"
I0311 21:08:39.177837       1 controller.go:211] challenges controller: Finished processing work item "dev/kanter-online-2395761798-0"
I0311 21:08:39.178036       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:08:39.178292       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
I0311 21:08:44.056915       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:08:44.057327       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
I0311 21:08:54.057785       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:08:54.058380       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
I0311 21:09:14.058781       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:09:14.059256       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
I0311 21:09:54.059568       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:09:54.060077       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
I0311 21:11:14.060413       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:11:14.060866       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
I0311 21:13:48.649436       1 controller.go:205] challenges controller: syncing item 'cert-manager/kanter-online-1139718926-1'
I0311 21:13:48.649640       1 dns.go:89] Presenting DNS01 challenge for domain "kanter.online"
E0311 21:13:48.903888       1 controller.go:207] challenges controller: Re-queuing item "cert-manager/kanter-online-1139718926-1" due to error processing: POST https://api.digitalocean.com/v2/domains/kanter.online/records: 401 Unable to authenticate you.
I0311 21:13:54.061205       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:13:54.061393       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"

  • Kubernetes version: v1.13.3
  • Cloud-provider: Digital Ocean
  • cert-manager version: v0.6.6
  • Install method: Helm

Anybody have a fix for this? I have the same issue.

I got the same error. When I checked the cert-manager logs using kb logs cert-manager-xxxxxxxxxx-xxxxx, I got the following:

I0722 09:37:24.293827       1 controller.go:151] certificates controller: Finished processing work item "jx-production/tls-domain-com"
E0722 09:37:24.820944       1 controller.go:185] orders controller: Re-queuing item "jx-production/tls-domain-com-4103620213" due to error processing: error creating new order: acme: urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: video.coinsummer.io: see https://letsencrypt.org/docs/rate-limits/
I0722 09:37:24.820996       1 controller.go:183] orders controller: syncing item 'jx-production/tls-domain-com-4103620213'
I0722 09:37:24.821136       1 logger.go:38] Calling CreateOrder
E0722 09:37:25.673054       1 controller.go:185] orders controller: Re-queuing item "jx-production/tls-domain-com-4103620213" due to error processing: error creating new order: acme: urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: video.coinsummer.io: see https://letsencrypt.org/docs/rate-limits/
I0722 09:38:25.175149       1 controller.go:183] orders controller: syncing item 'jx-production/tls-domain-com-4103620213'
I0722 09:38:25.175366       1 logger.go:38] Calling CreateOrder
E0722 09:38:25.985069       1 controller.go:185] orders controller: Re-queuing item "jx-production/tls-domain-com-4103620213" due to error processing: error creating new order: acme: urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: video.coinsummer.io: see https://letsencrypt.org/docs/rate-limits/

I had issued too many certificates, so I resolved it by waiting some time and trying again.
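The re-queue errors in the two log excerpts above can be grouped mechanically to show which error keeps repeating and how far apart the retries are. This is an added example, not part of the thread or of cert-manager: the input combines lines from both excerpts into one constructed sample, the function name is hypothetical, and a placeholder year is assumed because klog timestamps carry none.

```python
import re
from collections import OrderedDict
from datetime import datetime

# klog line: severity + MMDD, time, thread id, file:line], message
KLOG = re.compile(r'^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ ([\w.]+:\d+)\] (.*)$')
REQUEUE = re.compile(r'^(\w+) controller: Re-queuing item "([^"]+)" due to error processing: (.*)$')

# Constructed input: lines from the two excerpts in the thread, combined.
SAMPLE = """\
I0311 21:08:39.178036       1 controller.go:205] challenges controller: syncing item 'dev/kanter-online-2395761798-0'
E0311 21:08:39.178292       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
E0311 21:08:44.057327       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
E0311 21:08:54.058380       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
E0311 21:09:14.059256       1 controller.go:207] challenges controller: Re-queuing item "dev/kanter-online-2395761798-0" due to error processing: issuer does not contain DNS01 configuration for provider named "digitalocean"
E0311 21:13:48.903888       1 controller.go:207] challenges controller: Re-queuing item "cert-manager/kanter-online-1139718926-1" due to error processing: POST https://api.digitalocean.com/v2/domains/kanter.online/records: 401 Unable to authenticate you.
E0722 09:37:24.820944       1 controller.go:185] orders controller: Re-queuing item "jx-production/tls-domain-com-4103620213" due to error processing: error creating new order: acme: urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: video.coinsummer.io: see https://letsencrypt.org/docs/rate-limits/
E0722 09:37:25.673054       1 controller.go:185] orders controller: Re-queuing item "jx-production/tls-domain-com-4103620213" due to error processing: error creating new order: acme: urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: video.coinsummer.io: see https://letsencrypt.org/docs/rate-limits/
"""

def summarize_requeues(text):
    """Group re-queue errors by (controller, item, error) with counts and retry gaps."""
    groups = OrderedDict()
    for line in text.splitlines():
        m = KLOG.match(line.strip())
        if not m or m.group(1) != "E":
            continue  # only error-severity lines carry the failure reason
        r = REQUEUE.match(m.group(5))
        if not r:
            continue
        # Assumption: klog omits the year, so a placeholder leap year is used.
        ts = datetime.strptime("2000" + m.group(2) + " " + m.group(3),
                               "%Y%m%d %H:%M:%S.%f")
        groups.setdefault(r.groups(), []).append(ts)
    out = []
    for (ctrl, item, err), stamps in groups.items():
        gaps = [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        out.append({"controller": ctrl, "item": item, "error": err,
                    "count": len(stamps), "retry_gaps_s": gaps})
    return sorted(out, key=lambda g: -g["count"])

if __name__ == "__main__":
    for g in summarize_requeues(SAMPLE):
        print(g["count"], g["controller"], g["item"], g["retry_gaps_s"], g["error"][:70])
```

An unchanged error text with steadily growing gaps means the controller is retrying the same failure rather than making progress.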

Could you provide the output of kubectl describe clusterissuer,certificate,order,challenge?

As well as logs from cert-manager 😄

/triage support

I encountered about 20 different ways the dns01 certificate could fail. kubectl describe clusterissuer,certificate,order,challenge --all-namespaces=true and live reading the cert-manager pod logs helped me fix them.

  • Make sure the secret is in the cert-manager namespace
  • Don’t assume that because the certificate secret exists, the certificate has been made. Output to YAML and check the certificate yourself.
  • Don’t mix ingress auto creation with manual creation in the same cert; you’ll have a bad time
  • Don’t specify properties of http01 in dns01 challenges, such as renewal duration or time before renewal attempt
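One way to apply the advice about checking the Secret instead of assuming it holds a certificate is to classify the object returned by kubectl get secret NAME -o json. This is an added example, not part of the thread or of cert-manager: the function name and the sample Secret are constructed, and the check is structural only (it does not parse issuer, SANs or expiry).

```python
import base64
import binascii
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample mirroring the state shown in the thread:
# tls.key is populated, tls.crt and ca.crt are 0 bytes.
SAMPLE_SECRET = {
    "type": "kubernetes.io/tls",
    "metadata": {"name": "kanter-online", "namespace": "dev"},
    "data": {
        "ca.crt": "",
        "tls.crt": "",
        # Placeholder bytes, not a real private key.
        "tls.key": base64.b64encode(b"constructed placeholder key").decode(),
    },
}

def inspect_tls_secret(secret):
    """Classify a kubernetes.io/tls Secret given as a dict (parsed JSON)."""
    if secret.get("type") != "kubernetes.io/tls":
        return {"state": "not-a-tls-secret", "chain_length": 0}
    data = secret.get("data") or {}
    # Secret values are base64 encoded; a 0-byte field decodes to b"".
    key = base64.b64decode(data.get("tls.key") or "")
    crt = base64.b64decode(data.get("tls.crt") or "")
    if not crt:
        # A key without a certificate means issuance has not completed.
        return {"state": "key-only" if key else "empty", "chain_length": 0}
    blocks = PEM_CERT.findall(crt.decode("ascii", "replace"))
    try:
        ders = [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
    except binascii.Error:
        ders = []
    # Every X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if not ders or any(not d.startswith(b"\x30") for d in ders):
        return {"state": "malformed-certificate", "chain_length": 0}
    return {"state": "certificate-present", "chain_length": len(ders)}

if __name__ == "__main__":
    print(inspect_tls_secret(SAMPLE_SECRET))
```

A result of certificate-present only says that PEM certificate blocks exist; who issued them and which names they cover still has to be read from the decoded certificate.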