cert-manager: Operation cannot be fulfilled on certificates.cert-manager.io the object has been modified

Hello,

I’m trying to issue a certificate from a k8s Ingress. The cert does not become ready, and the logs from the cert-manager pod print this:

E1208 16:01:50.827738       1 controller.go:158] cert-manager/controller/CertificateReadiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com-test-tls\": the object has been modified; please apply your changes to the latest version and try again" "key"="example/example-com-test-tls" 
E1208 16:01:50.872116       1 controller.go:158] cert-manager/controller/CertificateKeyManager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com-test-tls\": the object has been modified; please apply your changes to the latest version and try again" "key"="example/example-com-test-tls"

Here is the ingress part of my value.yaml:

ingress:
  enabled: true
  labels:
    traffic: "external"
    use-dns01-solver: "true"
  annotations: |
    kubernetes.io/ingress.class: haproxy
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.kubernetes.io/whitelist-source-range: "0.0.0.0"
    kubernetes.io/ingress.allow-http: "false"
    ingress.kubernetes.io/ssl-passthrough: "true"
  hosts:
    - host: example-test.hubstairs.com
      paths:
        - /
      serviceName: myapp
      servicePort: 3031

  tls:
    - secretName: example-com-test-tls
      hosts:
        - 'example-test.hubstairs.com'

The certificate has been successfully issued without error:

Events:
  Type    Reason     Age                  From          Message
  ----    ------     ----                 ----          -------
  Normal  Issuing    32s                  cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  32s                  cert-manager  Stored new private key in temporary Secret resource "example-com-test-tls-6bt7d"
  Normal  Requested  32s                  cert-manager  Created new CertificateRequest resource "example-com-test-tls-xk85p"
  Normal  Issuing    12s                  cert-manager  The certificate has been successfully issued

When I try to access the URL in a browser, I get an SSL error.

Environment details:

  • Kubernetes version: 1.17
  • Cloud-provider/provisioner: Google cloud
  • cert-manager version: 1.1.0
  • Install method: helm upgrade --install jetstack/cert-manager --version 1.1.0 -f value.yaml --debug

/kind bug

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 81
  • Comments: 40 (4 by maintainers)

Most upvoted comments

Okay, my bad, I have messed up the annotation: cert-manager.io/issuer: letsencrypt-stage -> cert-manager.io/cluster-issuer: letsencrypt-stage

Everything seems to work now, sorry for the needless spam.

As @irbekrm detailed, the message:

E0419 controller.go:158] msg="re-queuing item due to error processing" error="Operation
cannot be fulfilled on cert-tls: the object has been modified; please apply your changes
to the latest version and try again"

is benign 99.9% of the time. This message does not actually relate to the issue you may observe. Unfortunately, the message is unclear and people may think it is a symptom of their issue.

In 1.4, we changed the message a bit to clarify that. The level was changed from “error” to “info” and the message was reworded:

I0419 controller.go:158] msg="re-queuing item due to optimistic locking on resource"
error="Operation cannot be fulfilled on cert-tls: the object has been modified; please
apply your changes to the latest version and try again"

It seems like the message still looks like something “failed”. I will look into ways of making this logline more understandable; either moving it to -v=4 (since this message is useful while developing to discover when two controllers are fighting on the same resource).


To anyone reading this thread: please open a new issue with the detailed logs that led to your issue, and keep in mind that the above message is most likely not the culprit.

Same here, I had a failed CM installation, which had to be reinstalled. After that, some of the certificates had the “the object has been modified; please apply your changes to the latest version and try again” error.

Just a quick workaround solution I used:

  • Delete related TLS Secret
  • Delete related CertificateRequest
  • Delete related Certificate
  • Restart the cert-manager pod

Some of it might not be necessary, but with letsencrypt it’s a non-destructive removal as everything will be recreated. Hope it helps.

@meyskens

I did an upgrade to the latest cert-manager and all seems to be working, it’s just that we notice this error with every (each and every one) certificate request and renewal.

How should I look at this error? If cert-manager will work around these itself, should I consider it very verbose info output that causes some panic on my end or is this because of a bug or misconfiguration that is triggered?

If it’s just very verbose info output about an issue that cert-manager will work around itself I’d love to be able to suppress it as it causes panic without reason. If it’s not just extremely verbose info I’d love to have a fix so it doesn’t appear anymore in my logs.

Edit: Forgot to ask my question: Can I fix the appearance of this “error” with configuration or is it something that should be fixed in the project itself?

@fliphess cert-manager will work around these itself
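Why the controllers recover on their own, as an added example that is not cert-manager code: a toy store with a resourceVersion counter stands in for the API server, and two controllers write from copies read at the same version. The `Store`, `reconcile` and `demo` names are hypothetical, and the in-place retry loop is a simplification of a real work-queue requeue.

```python
class Conflict(Exception):
    """Stands in for the API server rejecting a write made from a stale copy."""

class Store:
    """Toy API server holding one object and its resourceVersion counter."""
    def __init__(self, obj):
        self.obj, self.version = dict(obj), 1

    def get(self):
        return dict(self.obj), self.version

    def update(self, obj, seen_version):
        if seen_version != self.version:
            raise Conflict("the object has been modified; please apply your "
                           "changes to the latest version and try again")
        self.obj, self.version = dict(obj), self.version + 1

def reconcile(store, cached, mutate, log):
    """One controller: write from its cached copy, re-read and retry on conflict."""
    obj, version = cached
    attempts = 0
    while True:
        attempts += 1
        new = dict(obj)
        mutate(new)
        try:
            store.update(new, version)
            return attempts
        except Conflict as err:
            log.append(f"re-queuing item due to optimistic locking on resource: {err}")
            obj, version = store.get()   # refresh, then apply the change again

def demo():
    store = Store({"name": "web-tls"})   # constructed object
    log = []
    # Both controllers read the same version before either one writes.
    cache_a, cache_b = store.get(), store.get()
    a = reconcile(store, cache_a, lambda o: o.update(ready="True"), log)
    b = reconcile(store, cache_b, lambda o: o.update(keyGenerated="True"), log)
    return store.get(), (a, b), log
```

The second controller logs the conflict once, re-reads, and both changes end up on the object.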

Somehow my clusterissuers got deleted. Restoring them fixed this for me.

Hi folks,

“error”=“Operation cannot be fulfilled on certificates.cert-manager.io “”: the object has been modified; please apply your changes to the latest version and try again”

This line in logs does not indicate an issue in itself, see the discussion around #3794. The wording was changed slightly as it seemed to be misleading when folks are debugging other issues.

There could be other issues why the certs are not getting renewed; it might make sense to open another issue with some more detail (the Certificate, CertificateRequest and some more logs from cert-manager pod (you can increase the verbosity level with --v=5 on controller)). After briefly looking at the issues reported above, I think they likely have different causes.
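One way to separate the conflict requeues from errors that deserve a closer look when collecting logs for a new issue (an added example, not part of the original comment or of cert-manager). It parses the log format quoted in this thread; the sample lines and the `demo/...` keys are constructed.

```python
import re
from collections import defaultdict

# klog header: level letter, MMDD, time, pid, file:line], then the message.
HEADER = re.compile(r'^([IWEF])\d{4} \d{2}:\d{2}:\d{2}\.\d+\s+\d+ ([\w.]+:\d+)\] (.*)$')
# "name"="value" pairs; a value may contain backslash-escaped quotes.
PAIR = re.compile(r'"(\w+)"="((?:[^"\\]|\\.)*)"')
CONFLICT = "the object has been modified"

# Constructed sample, shaped like the lines quoted in this thread.
SAMPLE = r'''
E0101 10:00:00.000001       1 controller.go:158] cert-manager/controller/CertificateReadiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"web-tls\": the object has been modified; please apply your changes to the latest version and try again" "key"="demo/web-tls"
E0101 10:00:00.000002       1 controller.go:158] cert-manager/controller/CertificateKeyManager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"web-tls\": the object has been modified; please apply your changes to the latest version and try again" "key"="demo/web-tls"
E0101 10:00:01.000003       1 keymanager_controller.go:137] cert-manager/controller/CertificateKeyManager "msg"="certificate not found for key" "error"="certificate.cert-manager.io \"api-tls\" not found" "key"="demo/api-tls"
I0101 10:00:02.000004       1 conditions.go:173] Setting lastTransitionTime for Certificate "web-tls" condition "Ready" to 2021-01-01 10:00:02 +0000 UTC
'''.strip().splitlines()

def parse(line):
    """Split one klog line into level, source file and structured fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    level, source, rest = m.groups()
    fields = {k: v.replace('\\"', '"') for k, v in PAIR.findall(rest)}
    return {"level": level, "source": source, "fields": fields, "rest": rest}

def triage(lines):
    """Per resource key: count conflict requeues, collect every other error."""
    report = defaultdict(lambda: {"conflicts": 0, "other_errors": []})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["level"] not in ("E", "F"):
            continue
        f = rec["fields"]
        entry = report[f.get("key", "<no key>")]
        if CONFLICT in f.get("error", ""):
            entry["conflicts"] += 1
        else:
            entry["other_errors"].append(f.get("msg", rec["rest"]))
    return dict(report)

def needs_attention(report):
    """Keys that logged something other than an optimistic-locking conflict."""
    return sorted(k for k, v in report.items() if v["other_errors"])
```

Feed it the output of `kubectl logs` for the controller pod, one line per list element; keys that only ever show conflicts can be set aside while the remaining ones go into the new issue.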

Using K8s 1.18 on AWS, cert-manager 1.4.0, clusterIssuer: letsencrypt-prod. (Deleted old cert-manager. Installed 1.4.0 and reconf’d clusterIssuer.)

I deleted the cert which seemed to be causing the issue, and it re-issued, but the cert-manager pod is still kicking the error in logs.

I’m stuck at this problem.

In my case, every deployment is a completely fresh environment, but no matter what I try, I get the “the object has been modified; please apply your changes to the latest version and try again” line.

E0424 16:14:35.763536       1 keymanager_controller.go:137] cert-manager/controller/CertificateKeyManager "msg"="certificate not found for key" "error"="certificate.cert-manager.io \"letsencrypt-charts-adaliszk-io\" not found" "key"="charts/letsencrypt-charts-adaliszk-io"
E0424 16:14:35.763618       1 trigger_controller.go:142] cert-manager/controller/CertificateTrigger "msg"="certificate not found for key" "error"="certificate.cert-manager.io \"letsencrypt-charts-adaliszk-io\" not found" "key"="charts/letsencrypt-charts-adaliszk-io"
E0424 16:14:35.763619       1 readiness_controller.go:130] cert-manager/controller/CertificateReadiness "msg"="certificate not found for key" "error"="certificate.cert-manager.io \"letsencrypt-charts-adaliszk-io\" not found" "key"="charts/letsencrypt-charts-adaliszk-io"
E0424 16:14:35.763698       1 requestmanager_controller.go:127] cert-manager/controller/CertificateRequestManager "msg"="certificate not found for key" "error"="certificate.cert-manager.io \"letsencrypt-charts-adaliszk-io\" not found" "key"="charts/letsencrypt-charts-adaliszk-io"
E0424 16:14:35.763731       1 issuing_controller.go:152] cert-manager/controller/CertificateIssuing "msg"="certificate not found for key" "error"="certificate.cert-manager.io \"letsencrypt-charts-adaliszk-io\" not found" "key"="charts/letsencrypt-charts-adaliszk-io"
E0424 16:14:35.774043       1 controller.go:184] cert-manager/controller/certificaterequests-issuer-acme "msg"="certificate request in work queue no longer exists" "error"="certificaterequest.cert-manager.io \"letsencrypt-charts-adaliszk-io-qqq2t\" not found"
E0424 16:14:35.774060       1 controller.go:184] cert-manager/controller/certificaterequests-issuer-ca "msg"="certificate request in work queue no longer exists" "error"="certificaterequest.cert-manager.io \"letsencrypt-charts-adaliszk-io-qqq2t\" not found"
E0424 16:14:35.774089       1 controller.go:184] cert-manager/controller/certificaterequests-issuer-vault "msg"="certificate request in work queue no longer exists" "error"="certificaterequest.cert-manager.io \"letsencrypt-charts-adaliszk-io-qqq2t\" not found"
E0424 16:14:35.774106       1 controller.go:184] cert-manager/controller/certificaterequests-issuer-venafi "msg"="certificate request in work queue no longer exists" "error"="certificaterequest.cert-manager.io \"letsencrypt-charts-adaliszk-io-qqq2t\" not found"
E0424 16:14:35.774118       1 controller.go:184] cert-manager/controller/certificaterequests-issuer-selfsigned "msg"="certificate request in work queue no longer exists" "error"="certificaterequest.cert-manager.io \"letsencrypt-charts-adaliszk-io-qqq2t\" not found"
I0424 16:15:19.854639       1 conditions.go:173] Setting lastTransitionTime for Certificate "letsencrypt-charts-adaliszk-io" condition "Issuing" to 2021-04-24 16:15:19.854625907 +0000 UTC m=+699.788806858
I0424 16:15:19.855099       1 conditions.go:173] Setting lastTransitionTime for Certificate "letsencrypt-charts-adaliszk-io" condition "Ready" to 2021-04-24 16:15:19.855094226 +0000 UTC m=+699.789275218
E0424 16:15:19.886489       1 controller.go:158] cert-manager/controller/CertificateReadiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"letsencrypt-charts-adaliszk-io\": the object has been modified; please apply your changes to the latest version and try again" "key"="charts/letsencrypt-charts-adaliszk-io"
I0424 16:15:19.908270       1 conditions.go:173] Setting lastTransitionTime for Certificate "letsencrypt-charts-adaliszk-io" condition "Ready" to 2021-04-24 16:15:19.908024418 +0000 UTC m=+699.842205469
E0424 16:15:20.131598       1 controller.go:158] cert-manager/controller/CertificateKeyManager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"letsencrypt-charts-adaliszk-io\": the object has been modified; please apply your changes to the latest version and try again" "key"="charts/letsencrypt-charts-adaliszk-io"
I0424 16:15:20.150209       1 conditions.go:233] Setting lastTransitionTime for CertificateRequest "letsencrypt-charts-adaliszk-io-h6pm4" condition "Ready" to 2021-04-24 16:15:20.150204336 +0000 UTC m=+700.084385287
I0424 16:15:20.150505       1 conditions.go:233] Setting lastTransitionTime for CertificateRequest "letsencrypt-charts-adaliszk-io-h6pm4" condition "Ready" to 2021-04-24 16:15:20.150482203 +0000 UTC m=+700.084663154
I0424 16:15:20.150204       1 conditions.go:233] Setting lastTransitionTime for CertificateRequest "letsencrypt-charts-adaliszk-io-h6pm4" condition "Ready" to 2021-04-24 16:15:20.150194426 +0000 UTC m=+700.084375377
I0424 16:15:20.150254       1 conditions.go:233] Setting lastTransitionTime for CertificateRequest "letsencrypt-charts-adaliszk-io-h6pm4" condition "Ready" to 2021-04-24 16:15:20.150249311 +0000 UTC m=+700.084430252
I0424 16:15:20.150674       1 conditions.go:233] Setting lastTransitionTime for CertificateRequest "letsencrypt-charts-adaliszk-io-h6pm4" condition "Ready" to 2021-04-24 16:15:20.150667476 +0000 UTC m=+700.084848427
E0424 16:15:20.278502       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"letsencrypt-charts-adaliszk-io-h6pm4\": the object has been modified; please apply your changes to the latest version and try again" "key"="charts/letsencrypt-charts-adaliszk-io-h6pm4"
E0424 16:15:20.281010       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-vault "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"letsencrypt-charts-adaliszk-io-h6pm4\": the object has been modified; please apply your changes to the latest version and try again" "key"="charts/letsencrypt-charts-adaliszk-io-h6pm4"
E0424 16:15:20.283875       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-ca "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"letsencrypt-charts-adaliszk-io-h6pm4\": the object has been modified; please apply your changes to the latest version and try again" "key"="charts/letsencrypt-charts-adaliszk-io-h6pm4"
E0424 16:15:20.285355       1 controller.go:158] cert-manager/controller/certificaterequests-issuer-venafi "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"letsencrypt-charts-adaliszk-io-h6pm4\": the object has been modified; please apply your changes to the latest version and try again" "key"="charts/letsencrypt-charts-adaliszk-io-h6pm4"

Tried:

  • k8s v1.18.17 + cert-manager v1.3.1
  • k8s v1.20.5 + cert-manager v1.3.1
  • k8s v1.20.5 + cert-manager v1.3.0
  • k8s v1.20.5 + cert-manager v1.2.0
  • k8s v1.20.5 + cert-manager v1.1.1

Install method: via Rancher 2.5.7 using jetstack/cert-manager Helm3 catalogue from https://charts.jetstack.io

Issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-stage
  namespace: cert-manager
spec:
  acme:
    email: "letsencrypt@adaliszk.dev"
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-stage-adaliszk-key
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx

Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: letsencrypt-stage   
    kubernetes.io/ingress.class: nginx
  name: chart.adaliszk.io
  namespace: charts
spec:
  rules:
  - host: charts.adaliszk.io
    http:
      paths:
      - backend:
          service:
            name: chartmuseum
            port:
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - charts.adaliszk.io
    secretName: letsencrypt-charts-adaliszk-io
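A check for the mismatch resolved earlier on this page (`cert-manager.io/issuer` pointing at a name that exists only as a ClusterIssuer), written as an added example that is not from the thread or from cert-manager. It takes manifests already parsed into dicts, for instance from `kubectl get ... -o json`; `lint_ingress_issuers` is a hypothetical name, and treating a missing namespace as `default` is an assumption.

```python
ANNOTATIONS = {   # annotation -> (kind it refers to, whether the lookup is namespaced)
    "cert-manager.io/issuer": ("Issuer", True),
    "cert-manager.io/cluster-issuer": ("ClusterIssuer", False),
}

MANIFESTS = [   # reduced from the two manifests posted above
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-stage"}},
    {"kind": "Ingress", "metadata": {
        "name": "chart.adaliszk.io", "namespace": "charts",
        "annotations": {"cert-manager.io/issuer": "letsencrypt-stage",
                        "kubernetes.io/ingress.class": "nginx"}}},
]

def lint_ingress_issuers(manifests):
    """Return one finding per Ingress annotation that names a missing issuer."""
    issuers, cluster_issuers = set(), set()
    for m in manifests:
        meta = m["metadata"]
        if m["kind"] == "Issuer":
            issuers.add((meta.get("namespace", "default"), meta["name"]))
        elif m["kind"] == "ClusterIssuer":
            cluster_issuers.add(meta["name"])   # cluster-scoped: namespace ignored
    findings = []
    for m in manifests:
        if m["kind"] != "Ingress":
            continue
        meta = m["metadata"]
        ns = meta.get("namespace", "default")
        for ann, (kind, namespaced) in ANNOTATIONS.items():
            ref = (meta.get("annotations") or {}).get(ann, "").strip()
            if not ref:
                continue
            found = (ns, ref) in issuers if namespaced else ref in cluster_issuers
            if found:
                continue
            hint = ""
            if namespaced and ref in cluster_issuers:
                hint = ("; a ClusterIssuer with that name exists, "
                        "use cert-manager.io/cluster-issuer")
            findings.append(f"{ns}/{meta['name']}: {ann}={ref} but no {kind} found{hint}")
    return findings
```

The same check also reports an Ingress whose ClusterIssuer has been deleted, since the referenced name is then missing from the inventory.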

Had the same problem, using cert-manager v1.0.0 on Google GKE. 1 certificate was expired, removed the Certificate, and recreated it. Manager fetched a new certificate after this action and service was restored.

@meyskens: for my understanding, is this still an open issue which will be fixed, or is it already fixed in the 1.x version?

@meyskens I’m going to update the HAProxy controller to the latest version. I’ll keep you informed if the problem goes away.

I see the same errors in the log but everything works fine. You seem to have omitted the non-error lines, which show that it eventually worked.

  • Are you sure the ClusterIssuer “letsencrypt-prod” is actually what the name implies?
  • Did you check the certificate, are the contents as expected?
  • Could you resolve your issue or find more hints on what the issue is?

I would guess that these error log lines are not related to your actual problem. I opened a separate issue because I am not sure if we are dealing with the same problem. https://github.com/jetstack/cert-manager/issues/3516