SLL certificate expired but should have been auto-renewed: cert-manager

Sherlock_Says · May 25, 2022, 9:07am

Our SLL certificate expired but was not (yet) renewed. It should have been renewed automatically but it didn’t. As a result, one of our production systems is down – can you help?

We are using is cert-manager, certificate manager tool. All other SSL certificates look healthy except one.

+Command to see SSL certificates via kubectl: kubectl get certificates --all-namespaces
Results of that command are like:

NAMESPACE        NAME                               		READY   SECRET                             		AGE
elastic          	kibana-tls                         		True    	kibana-tls                         		154d
prod-company     	company-prod-company-com-tls       	False   	company-prod-company-com-tls       	154d
prod-aaa      	aaa-prod-company-com-tls        	True    	aaa-prod-company-com-tls        	154d
prod-bbb     	bbb-prod-company-com-tls       	True    	bbb-prod-company-com-tls       	154d
prod-ccc      	ccc-prod-company-com-tls        	True    	ccc-prod-company-com-tls        	154d

Then error details can be found from:
kubectl describe certificate -n prod-company company-prod-company-com-tls

In the Events section we can see that cert-manager is trying to renew the certificate periodically, but it is unable.

  Type     Reason   Age                   From          Message
  ----     ------   ----                  ----          -------
  Normal   Issuing  48m (x106 over 4d9h)  cert-manager  Renewing certificate as renewal was scheduled at 2022-04-20 17:35:26 +0000 UTC
  Normal   Reused   48m (x106 over 4d9h)  cert-manager  Reusing private key stored in existing Secret resource “company-prod-company-com-tls"
  Warning  Failed   48m (x106 over 4d9h)  cert-manager  The certificate request has failed to complete and will be retried: Failed to wait for order resource “company-prod-company-com-tls-ksc5v-1897634450" to become ready: order is in "invalid" state:

The final error found in the logs is:

“The certificate request has failed to complete and will be retried: Failed to wait for order resource “company-prod-company-com-tls-ksc5v-1897634450" to become ready: order is in “invalid” state:”

I have technology in place in each of our environments to automatically renew expired SSL certificates. However, that has emerged to be unreliable. When I previously saw this issue, after two days (of downtime) the certificate was eventually automatically renewed and the issue disappeared. I need to fix the underlying issue.

Kubernetes server version: 1.21
Google cloud SDK: 386.0.0

I’d really appreciate help on what could be the root cause and how to fix it?

Sherlock_Says · May 27, 2022, 9:11am

We resolved it.

It was due to a bug in cert-manager. The bug was fixed in Release 1.5 - cert-manager Documentation release.

Once we upgraded the version of cert-manager, the SSL certificate was renewed automatically.

Topic		Replies	Views
Unable to connect to the server: x509: certificate has expired or is not yet valid General Discussions	4	37009	June 28, 2021
Getting `:8888/api/v1/cfssl/info\": x509: certificate has expired or is not yet valid` but certificates are valid a year from now General Discussions	1	232	January 10, 2024
Cert renewal process failing General Discussions	1	936	June 26, 2020
Certbot cannot renew in k8s General Discussions	1	489	August 23, 2023
Auto renew kubelet certificate and check it exparation General Discussions	1	967	May 27, 2021

SLL certificate expired but should have been auto-renewed: cert-manager

Related Topics