cert-manager: Operation cannot be fulfilled

Hello

Kubernetes version: 1.18.8

I have uninstalled cert-manager 0.15.2 completely and installed 1.0.1 After trying to issue certificate, the cert is not becomes ready, the logs from cert-manager pod print this:

E0917 15:07:19.412626       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-selfsigned "msg"="re-queuing item  due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"domain-co-il-wildcard-clusterissuer-tls-zskjr\": the object has been modified; please apply your changes to the latest version and try again" "key"="cert-manager/domain-co-il-wildcard-clusterissuer-tls-zskjr" 
E0917 15:07:19.611836       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-ca "msg"="re-queuing item  due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"domain-co-il-wildcard-clusterissuer-tls-zskjr\": the object has been modified; please apply your changes to the latest version and try again" "key"="cert-manager/domain-co-il-wildcard-clusterissuer-tls-zskjr" 
E0917 15:07:19.813780       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-venafi "msg"="re-queuing item  due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"domain-co-il-wildcard-clusterissuer-tls-zskjr\": the object has been modified; please apply your changes to the latest version and try again" "key"="cert-manager/domain-co-il-wildcard-clusterissuer-tls-zskjr" 
E0917 15:07:20.021320       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item  due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"domain-co-il-wildcard-clusterissuer-tls-zskjr\": the object has been modified; please apply your changes to the latest version and try again" "key"="cert-manager/domain-co-il-wildcard-clusterissuer-tls-zskjr"

This is part of the events:

18m         Normal   Issuing             certificate/domain-co-il-wildcard-clusterissuer-tls                Issuing certificate as Secret does not contain a private key
18m         Normal   Generated           certificate/domain-co-il-wildcard-clusterissuer-tls                Stored new private key in temporary Secret resource "domain-co-il-wildcard-clusterissuer-tls-2f72v"
18m         Normal   Requested           certificate/domain-co-il-wildcard-clusterissuer-tls                Created new CertificateRequest resource "domain-co-il-wildcard-clusterissuer-tls-9xtgw"

This is the manifasts:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-wildcard-clusterissuer
  namespace: cert-manager
spec:
  acme:
    email: kfirfer@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: secret-issuer-account-key-nuc-25
    solvers:
      - dns01:
          cloudDNS:
            project: "xxxx-268209"
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: key.json
        selector:
          dnsNames:
            - 'domain.co.il'
            - '*.domain.co.il'
            - 'domain2.com'
            - '*.domain2.com'

apiVersion: v1
kind: Secret
metadata:
  name: domain-co-il-wildcard-clusterissuer-tls
  namespace: cert-manager
  annotations:
    kubed.appscode.com/sync: ""
type: kubernetes.io/tls
data:
  ca.crt: ''
  tls.crt: ''
  tls.key: ''

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain-co-il-wildcard-clusterissuer-tls
  namespace: cert-manager
spec:
  commonName: "*.domain.co.il"
  secretName: domain-co-il-wildcard-clusterissuer-tls
  renewBefore: 360h # 15d
  dnsNames:
    - domain.co.il
    - "*.domain.co.il"
  issuerRef:
    name: letsencrypt-wildcard-clusterissuer
    kind: ClusterIssuer

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 22 (6 by maintainers)

Commits related to this issue

Most upvoted comments

Same issue exists in V1.1.0

+12
mazen423 on Jan 7, 2021

v1.1.0 is released now

+3
meyskens on Nov 27, 2020

Reopened

+2
kfirfer on Jan 27, 2021

@kaypeter87 surfacing of rate limit issues is improved in v1.1

+2
meyskens on Oct 29, 2020

It appears my certificate having the issue has successfully been issued. I can safely say that it took 48 hours to issue and it appears to be a rate limiting problem. What worries me is that there were no indication of rate limiting in the debug logs and other new certificates were being issued during this problem. I cannot say, as there are many variables, if let’s encrypt or cert-manager was failing. I do know that a certificate was failing to be issued when there were no indications of rate limiting.

+1
kaypeter87 on Sep 27, 2020

I appear to be seeing the same behavior as @kaypeter87 above, and thought that I had a workaround to offer. Instead, this behavior quickly resurfaced and appears to be intermittent?

Due to the intermittent nature of this problem I am starting to suspect that it stems from rate-limiting, but can’t offer any concrete evidence. letsdebug.net reports no problems with any subdomain + DNS-01, and I’m not sure how else to debug for rate-limiting.

As a side note: does letsdebug.net just always say “OK” no matter what?? I have yet to see it report a problem…

Verbose details can be found below

I have a fresh Kubernetes 1.19.2 cluster with a small-scale application running in the default namespace. I have also installed cert-manager in a namespace with the same name. I’ve configured an ACMEDNS + LetsEncrypt ClusterIssuer that appears to be working in the default namespace for issuing wildcard certs via LetsEncrypt DNS-01.

$ kubectl get cert
NAME               READY   SECRET             AGE
ndslabs-tls-auth   True    ndslabs-tls-auth   27h
ndslabs-tls-open   True    ndslabs-tls-open   27h
ndslabs-tls-root   True    ndslabs-tls-root   27h

In another namespace, I have a similar ingress rule set up that seems to be stuck:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: acmedns-issuer-prod
    kubernetes.io/ingress.class: nginx
    ndslabs.org/updated: 2020-09-27 04:34:10.235391921 +0000 UTC m=+96392.482403672
    nginx.ingress.kubernetes.io/auth-signin: https://www.hub.cheesehub.org/login/
    nginx.ingress.kubernetes.io/auth-url: https://www.hub.cheesehub.org/cauth/auth
  name: s2mvbc-sqlinjection-ingress
  namespace: sigite22
spec:
  rules:
  - host: s2mvbc-sqlinjection.hub.cheesehub.org
    http:
      paths:
      - backend:
          serviceName: s2mvbc-sqlinjection
          servicePort: 8888
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - '*.hub.cheesehub.org'
    secretName: s2mvbc-sqlinjection-tls

The Certificate / CertificateRequest are stuck with an Order that has no events and no Challenge resources are created:

$ kubectl get cert,certificaterequest,order,challenge -n sigite22
I0927 05:32:41.383477   23697 request.go:645] Throttling request took 1.110302164s, request: GET:https://192.168.0.4:6443/apis/autoscaling/v1?timeout=32s
I0927 05:32:51.383573   23697 request.go:645] Throttling request took 3.794775254s, request: GET:https://192.168.0.4:6443/apis/certificates.k8s.io/v1beta1?timeout=32s
I0927 05:33:01.388882   23697 request.go:645] Throttling request took 5.119265571s, request: GET:https://192.168.0.4:6443/apis/coordination.k8s.io/v1beta1?timeout=32s
I0927 05:33:11.389011   23697 request.go:645] Throttling request took 7.795506954s, request: GET:https://192.168.0.4:6443/apis/acme.cert-manager.io/v1alpha3?timeout=32s
NAME                                                  READY   SECRET                    AGE
certificate.cert-manager.io/s2mvbc-sqlinjection-tls   False   s2mvbc-sqlinjection-tls   59m

NAME                                                               READY   AGE
certificaterequest.cert-manager.io/s2mvbc-sqlinjection-tls-7w42b   False   59m

NAME                                                                  STATE   AGE
order.acme.cert-manager.io/s2mvbc-sqlinjection-tls-7w42b-2903943313           59m

No Challenge resource appears to be created, and the Order resource does not appear to have any events associated with it:

$ kubectl describe order -n sigite22
Name:         s2mvbc-sqlinjection-tls-7w42b-2903943313
Namespace:    sigite22
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: s2mvbc-sqlinjection-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: s2mvbc-sqlinjection-tls-r2c6m
API Version:  acme.cert-manager.io/v1
Kind:         Order
Metadata:
  Creation Timestamp:  2020-09-27T04:34:10Z
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  CertificateRequest
    Name:                  s2mvbc-sqlinjection-tls-7w42b
    UID:                   87f7af68-f598-4085-9d62-8709bfbb66b4
  Resource Version:        406367
  Self Link:               /apis/acme.cert-manager.io/v1/namespaces/sigite22/orders/s2mvbc-sqlinjection-tls-7w42b-2903943313
  UID:                     6240089a-c5e8-433f-9135-c21bde6af1aa
Spec:
  Dns Names:
    *.hub.cheesehub.org
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   acmedns-issuer-prod
  Request:  <REDACTED>
Events:     <none>

As a test, I added the root domain alongside the wildcard in the TLS section and that initially appeared to fix things but the behavior came back:

  tls:
  - hosts:
    - hub.cheesehub.org
    - '*.hub.cheesehub.org'
+1
bodom0015 on Sep 27, 2020
Read more comments on GitHub
← cert-manager: Multi-domain wildcard certificate validation fails when using DNS delegation
cert-manager: Operation cannot be fulfilled on certificates.cert-manager.io the object has been modified →