cert-manager: v0.7 on GKE stops after temporary cert (no order events or challenges)

Describe the bug: The certificate process seems stuck on the temp cert and no challenge or new one is issued from Let's Encrypt.

  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-production
  Secret Name:  tls-legacy-production
Status:
  Conditions:
    Last Transition Time:  2019-03-15T04:38:23Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           13m   cert-manager  Generated new private key
  Normal  GenerateSelfSigned  13m   cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        13m   cert-manager  Created Order resource "tls-legacy-production-2711062190"

Expected behaviour: Expect a challenge to be created and the temporary certificate replaced with the issued one from Let's Encrypt.

Steps to reproduce the bug: https://hub.helm.sh/charts/jetstack/cert-manager

I successfully installed v0.6.0 on 3 other clusters and followed the exact same steps with a 4th, and it failed, missing certs. Issue described creating temp certificate and the plan for adding in v0.7.0 so I upgraded using helm jetstack/cert-manager. I deleted everything and created the CRDs for the 0.7 release, then namespace, label, and install.

After that I created ClusterIssuer with http01 challenge like the others (using same file).

Finally, I created the Ingress and after a few minutes it was successful. The only issue is it’s using the temporary certificate created to get around the GKE issue reported in v0.6.0.

Extra info: The failing ingress / cluster has multiple domains in hosts where the others usually have a single domain (with multiple hosts). It shouldn’t matter, but just noting in case helpful.

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.12.5-gke.5
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): GKE
  • cert-manager version (e.g. v0.4.0): v0.7.0
  • Install method (e.g. helm or static manifests): helm

/kind bug

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 4
  • Comments: 34

Most upvoted comments

I’m also experiencing this issue on 0.7. Running on AKS.

I just upgraded from 0.7 to 0.8.1 myself to resolve this issue on AKS. The problem still exists for my current HTTP01 challenge as well.

Also facing the same issue with GKE with cert-manager 0.8.1, GCE Ingress and HTTP01 challenge.

After a couple of hours the Event log disappears

Status:
  Conditions:
    Last Transition Time:  2019-03-15T04:38:23Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:                    <none>

but it still never triggered the Let's Encrypt challenge or replaced the temp cert
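
A check for the state reported in this thread, as an added example that is not from the issue or from the cert-manager project: it flags Certificates whose Ready condition has stayed at False / TemporaryCertificate past a threshold, keying on the condition's Last Transition Time because the Events list empties after a couple of hours. It assumes input shaped like `kubectl get certificates --all-namespaces -o json`; the namespace, the second and third sample certificates, the clock value and the 30-minute threshold are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample; the first item mirrors the status shown in the issue.
# The namespace and the other two items are assumptions for illustration.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "tls-legacy-production"},
     "spec": {"secretName": "tls-legacy-production"},
     "status": {"conditions": [{
         "type": "Ready", "status": "False",
         "reason": "TemporaryCertificate",
         "lastTransitionTime": "2019-03-15T04:38:23Z"}]}},
    {"metadata": {"namespace": "default", "name": "tls-ok"},
     "spec": {"secretName": "tls-ok"},
     "status": {"conditions": [{
         "type": "Ready", "status": "True", "reason": "Ready",
         "lastTransitionTime": "2019-03-15T04:40:00Z"}]}},
    {"metadata": {"namespace": "default", "name": "tls-new"},
     "spec": {"secretName": "tls-new"}},  # no status reported yet
]})

def stuck_on_temporary(cert_list_json, now, max_age=timedelta(minutes=30)):
    """Return (namespace/name, secret, age) for Certificates whose Ready
    condition has been False/TemporaryCertificate for longer than max_age."""
    stuck = []
    for item in json.loads(cert_list_json).get("items", []):
        conditions = item.get("status", {}).get("conditions") or []
        for cond in conditions:
            state = (cond.get("type"), cond.get("status"), cond.get("reason"))
            if state != ("Ready", "False", "TemporaryCertificate"):
                continue
            since = datetime.strptime(
                cond["lastTransitionTime"], "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc)
            age = now - since
            if age > max_age:
                meta = item["metadata"]
                stuck.append((f'{meta["namespace"]}/{meta["name"]}',
                              item["spec"]["secretName"], age))
    return stuck

if __name__ == "__main__":
    now = datetime(2019, 3, 15, 6, 38, 23, tzinfo=timezone.utc)  # constructed clock
    for name, secret, age in stuck_on_temporary(SAMPLE, now):
        print(f"{name}: secret {secret} still holds the temporary cert after {age}")
```
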