Cert-Manager dns01 challenge order pending


Followed steps mentioned at https://cert-manager.io/docs/installation/kubernetes/

# Kubernetes 1.16+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml


$ kubectl -n cert-manager get pods
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-958cb7d4d-m62xm               1/1     Running   0          137m
cert-manager-cainjector-8495f7f6c9-56ck6   1/1     Running   0          137m
cert-manager-webhook-5dcdfbd9d4-6mw74      1/1     Running   0          137m

ClusterIssuer

% kubectl -n cert-manager describe ClusterIssuer letsencrypt
Name:         letsencrypt
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt"},"spec":{"acme":{"email"...
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2020-10-21T17:31:16Z
  Generation:          1
  Resource Version:    120254050
  Self Link:           /apis/cert-manager.io/v1/clusterissuers/letsencrypt
  UID:                 fe54ce07-61be-446f-9db1-4745b742ac71
Spec:
  Acme:
    Email:            [email protected]
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-test-key
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        route53:
          Access Key ID:   ####
          Hosted Zone ID:  ####
          Region:          us-west-2
          Secret Access Key Secret Ref:
            Key:   secret_key
            Name:  aws-secret
      Selector:
        Dns Zones:
          example.com
Status:
  Acme:
    Last Registered Email:  [email protected]
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/98054390
  Conditions:
    Last Transition Time:  2020-10-21T17:31:16Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-cert
  namespace: cert-manager
spec:
  commonName: '*.test.example.com'
  secretName: test-cert
  dnsNames:
    - '*.test.example.com'
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer


$ kubectl -n cert-manager get certificate
NAME        READY   SECRET      AGE
test-cert   False   test-cert   65m


$ kubectl -n cert-manager describe certificate test-cert
Name:         test-cert
Namespace:    cert-manager
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-10-21T17:31:23Z
  Generation:          1
  Resource Version:    120254080
  Self Link:           /apis/cert-manager.io/v1/namespaces/cert-manager/certificates/test-cert
  UID:                 82148eee-5f4b-47d7-a09a-407e4d041101
Spec:
  Common Name:  *.test.example.com
  Dns Names:
    *.test.example.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt
  Secret Name:  test-cert
Status:
  Conditions:
    Last Transition Time:        2020-10-21T17:31:23Z
    Message:                     Issuing certificate as Secret does not exist
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2020-10-21T17:31:23Z
    Message:                     Issuing certificate as Secret does not exist
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  test-cert-gqhmj

CertificateRequest

  $ kubectl -n cert-manager get CertificateRequest
  NAME              READY   AGE
  test-cert-zqbwz   False   67m

  $ kubectl -n cert-manager describe CertificateRequest test-cert-zqbwz
  Name:         test-cert-zqbwz
  Namespace:    cert-manager
  Labels:       <none>
  Annotations:  cert-manager.io/certificate-name: test-cert
                cert-manager.io/certificate-revision: 1
                cert-manager.io/private-key-secret-name: test-cert-gqhmj
                kubectl.kubernetes.io/last-applied-configuration:
                  {"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
  API Version:  cert-manager.io/v1
  Kind:         CertificateRequest
  Metadata:
    Creation Timestamp:  2020-10-21T17:31:24Z
    Generate Name:       test-cert-
    Generation:          1
    Owner References:
      API Version:           cert-manager.io/v1
      Block Owner Deletion:  true
      Controller:            true
      Kind:                  Certificate
      Name:                  test-cert
      UID:                   82148eee-5f4b-47d7-a09a-407e4d041101
    Resource Version:        120254090
    Self Link:               /apis/cert-manager.io/v1/namespaces/cert-manager/certificaterequests/test-cert-zqbwz
    UID:                     bb9d218d-084d-40a5-8f83-46ca5ac4f70a
  Spec:
    Issuer Ref:
      Kind:   ClusterIssuer
      Name:   letsencrypt
    Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSR...Q0FURSBSRVFVRVNULS0tLS0K
  Status:
    Conditions:
      Last Transition Time:  2020-10-21T17:31:24Z
      Message:               Waiting on certificate issuance from order cert-manager/test-cert-zqbwz-2027085711: "pending"
      Reason:                Pending
      Status:                False
      Type:                  Ready
  Events:                    <none>

Order

  $ kubectl -n cert-manager get order
  NAME                         STATE     AGE
  test-cert-zqbwz-2027085711   pending   68m

  $ kubectl -n cert-manager describe order test-cert-zqbwz-2027085711
  Name:         test-cert-zqbwz-2027085711
  Namespace:    cert-manager
  Labels:       <none>
  Annotations:  cert-manager.io/certificate-name: test-cert
                cert-manager.io/certificate-revision: 1
                cert-manager.io/private-key-secret-name: test-cert-gqhmj
                kubectl.kubernetes.io/last-applied-configuration:
                  {"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"test-cert","namespace":"cert-manager"},...
  API Version:  acme.cert-manager.io/v1
  Kind:         Order
  Metadata:
    Creation Timestamp:  2020-10-21T17:31:24Z
    Generation:          1
    Owner References:
      API Version:           cert-manager.io/v1
      Block Owner Deletion:  true
      Controller:            true
      Kind:                  CertificateRequest
      Name:                  test-cert-zqbwz
      UID:                   bb9d218d-084d-40a5-8f83-46ca5ac4f70a
    Resource Version:        120254091
    Self Link:               /apis/acme.cert-manager.io/v1/namespaces/cert-manager/orders/test-cert-zqbwz-2027085711
    UID:                     622c3ce4-fa2f-484f-a280-c125e09e37d3
  Spec:
    Common Name:  *.test.example.com
    Dns Names:
      *.test.example.com
    Issuer Ref:
      Kind:   ClusterIssuer
      Name:   letsencrypt
    Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBS...USUZJQ0FURSBSRVFVRVNULS0tLS0K
  Status:
    Authorizations:
      Challenges:
        Token:        QCbSEvy4g6wIHpcOyU4UkIES9TtBoKMuOOyYNVsJ13w
        Type:         dns-01
        URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/8048950916/RQu94g
      Identifier:     test.example.com
      Initial State:  pending
      URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/8048950916
      Wildcard:       true
    Finalize URL:     https://acme-v02.api.letsencrypt.org/acme/finalize/68054360/5803374286
    State:            pending
    URL:              https://acme-v02.api.letsencrypt.org/acme/order/68054360/5803374286
  Events:             <none>
Events:                          <none>

Why is the certificate order in pending state? In Route53 I do see that the TXT for _acme-challenge.test.example.com is created.

What am I missing in my setup here?
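An added check, not part of the original question and not cert-manager code: per RFC 8555 the dns-01 TXT value is derived from the challenge token and the ACME account key's thumbprint, so the record seen in Route53 can be compared against the value the CA expects. `SAMPLE_JWK` is a constructed placeholder; the real account key is the one stored in the Secret named under Private Key Secret Ref.

```python
import base64
import hashlib
import json

# Members RFC 7638 includes in a JWK thumbprint, per key type.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}


def _b64url(raw):
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_record_name(dns_name):
    """A wildcard name is validated at the same record as its base name."""
    name = dns_name.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name


def jwk_thumbprint(jwk):
    """SHA-256 over the required members only, sorted, no whitespace."""
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, account_jwk):
    """TXT value = base64url(SHA-256(token + "." + account key thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return _b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_published(answers, expected):
    """answers: TXT strings as a resolver prints them, possibly double-quoted."""
    return expected in {a.strip().strip('"') for a in answers}


# Token copied from the Order status shown in the question.
TOKEN = "QCbSEvy4g6wIHpcOyU4UkIES9TtBoKMuOOyYNVsJ13w"
# Constructed account key for illustration only (placeholder coordinates).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}

if __name__ == "__main__":
    print(challenge_record_name("*.test.example.com"))
    print(dns01_txt_value(TOKEN, SAMPLE_JWK))
```

A record that exists but holds a different value (for example one left over from an earlier order) fails `txt_published` even though the name resolves.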

There is 1 answer

8
Emre Odabaş On