Waiting on certificate issuance from order status "pending"
I'm running into an issue handling TLS certificates with cert-manager. I'm following the documentation and added some extras to work with Traefik as an ingress.

Currently, I have these YAML files:

cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: secure-alexguedescom
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - selector: {}
        http01:
          ingress:
            class: traefik-cert-manager

traefik-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: letsencrypt-staging
  name: secure-alexguedescom-ingress-http
  namespace: secure-alexguedescom
spec:
  rules:
  - host: secure.alexguedes.com
    http:
      paths:
      - backend:
          serviceName: secure-alexguedescom-nginx
          servicePort: 80
        path: /
  tls:
  - hosts:
    - secure.alexguedes.com
    secretName: secure-alexguedescom-cert

cert-staging.yaml

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: secure-alexguedescom-cert
  namespace: secure-alexguedescom
spec:
  commonName: secure.alexguedes.com
  secretName: letsencrypt-staging
  dnsNames:
    - secure.alexguedes.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

Inspecting the certs I have this error message:

Message: Issuing certificate as Secret does not contain a certificate
Reason: MissingData

Also, inspecting the CertificateRequest, I have these log messages:

Status:
  Conditions:
    Last Transition Time:  2020-08-16T00:32:01Z
    Message:               Waiting on certificate issuance from order secure-alexguedescom/secure-alexguedescom-cert-q8w5p-1982372682: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  OrderCreated  11m   cert-manager  Created Order resource secure-alexguedescom/secure-alexguedescom-cert-q8w5p-1982372682
  Normal  OrderPending  11m   cert-manager  Waiting on certificate issuance from order secure-alexguedescom/secure-alexguedescom-cert-q8w5p-1982372682: ""

I'm not sure which piece is wrong. I'm using Helm v2 with Tiller and k8s v1.7.

Any ideas?

Thanks in advance

Islander answered 16/8, 2020 at 0:47 Comment(1)
I experienced the same problem, but my ingress had basic authentication configured for the "/" path. ACME was not able to reach the .well-known URI and could not validate my site. When I removed it, the problem disappeared. (Colvert)

The typical problem with Let's Encrypt certs is Let's Encrypt itself not being able to validate who you are and that you own the domain. In this case, alexguedes.com.

With cert-manager you can do Domain Validation and HTTP Validation. Based on the posted ClusterIssuer you are doing HTTP Validation. So you need to make sure that secure.alexguedes.com resolves to a globally available IP address and that Traefik port 443 is listening on that IP address.

Phaedrus answered 16/8, 2020 at 5:47 Comment(4)
Thanks for the reply. It seems to be a problem with Traefik, since we can't ping the external IP provided for the LB, so I'm moving to the nginx ingress controller and LB and hopefully it will be solved. (Islander)
Good to hear. If the answer is satisfactory, can you accept it? Thanks. (Phaedrus)
This was helpful, thanks. I had to add a record with the ingress external IP for all the hosts listed in the ingress at the DNS provider, and only then did the certificate issue properly. (Buckner)
@zakariaamine: giving more information about that last step would have been very useful to others.... :| (Caste)
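The answer above boils down to three checks an outside party (the CA) needs to pass: the name resolves to a public address, something answers on that address, and the challenge path is served without getting in the CA's way. The script below is an added example, not code from the post, cert-manager or Traefik; it uses only the Python standard library and a made-up probe token. HTTP-01 validation fetches http://host/.well-known/acme-challenge/token on port 80 and follows redirects, so the script probes port 80 for the request and reports whether 443 is open as well (the usual redirect target). A 401 or 403 on that path is the case Colvert hit in the comments: access control on "/" also covers the challenge path.

```python
"""Pre-flight checks for an ACME HTTP-01 challenge, standard library only.

Added example; not code from the original post, cert-manager or Traefik.
The CA fetches http://<host>/.well-known/acme-challenge/<token> on port 80
and follows redirects, so port 80 must answer and any redirect target
(usually 443) must be reachable too. The probe token below is made up.
"""
import http.client
import ipaddress
import json
import socket
import sys
from typing import Dict, List, Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def is_globally_routable(address: str) -> bool:
    """True for a public IP; private, loopback and link-local ranges cannot be reached by the CA."""
    try:
        return ipaddress.ip_address(address).is_global
    except ValueError:
        return False


def resolve_public_addresses(host: str) -> List[str]:
    """Return the globally routable addresses `host` resolves to (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos if is_globally_routable(info[4][0])})


def port_open(address: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test; False on refusal, timeout or unreachable network."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_challenge_path(host: str, port: int = 80, token: str = "probe-token",
                         timeout: float = 5.0) -> Optional[int]:
    """GET the challenge URL the way the CA would; return the HTTP status, or None if nothing answered."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def diagnose_status(status: Optional[int]) -> str:
    """Map the status seen on the challenge path to the likely reason an order stays pending."""
    if status is None:
        return "unreachable: nothing answered HTTP on the probed port"
    if status in (401, 403):
        return "blocked: authentication or access control covers the challenge path"
    if status in (301, 302, 307, 308):
        return "redirect: acceptable only if the target is public and serves the token"
    if status == 404:
        return "reachable: the ingress answered; 404 for an unknown token is normal"
    if 200 <= status < 300:
        return "reachable: a solver answered on the challenge path"
    return f"unexpected status {status}: check ingress routing for {CHALLENGE_PREFIX}"


def preflight(host: str) -> Dict[str, object]:
    """Run the DNS, port and challenge-path checks for `host` and return a report dict."""
    addrs = resolve_public_addresses(host)
    report: Dict[str, object] = {"host": host, "public_addresses": addrs}
    if not addrs:
        report["verdict"] = "DNS does not resolve to a public address; HTTP-01 cannot succeed"
        return report
    report["port_80_open"] = any(port_open(a, 80) for a in addrs)
    report["port_443_open"] = any(port_open(a, 443) for a in addrs)
    report["verdict"] = diagnose_status(probe_challenge_path(host))
    return report


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <hostname>")
    print(json.dumps(preflight(sys.argv[1]), indent=2))
```

Run it from a machine outside the cluster, since the point is to see what the CA sees; a LoadBalancer address that only answers from inside the VPC, as in Islander's follow-up, shows up as `port_80_open: false` even though DNS resolves.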

If you're using Let's Encrypt, make sure you didn't hit the weekly rate limit.

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week.

See: https://letsencrypt.org/docs/rate-limits/

You can check how many public certificates you have issued at https://crt.sh/.

Tahoe answered 19/7 at 11:52 Comment(0)
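Counting by hand on crt.sh is error-prone because Let's Encrypt logs a precertificate and the final certificate as separate entries, and because exact renewals are exempt from the per-domain limit while a separate duplicate limit applies to them. The block below is an added example, not part of the answer above; the entries are constructed in the shape of crt.sh's JSON output (https://crt.sh/?q=<domain>&output=json), using only the fields the count needs, and the limits are the published ones: 50 certificates per registered domain per week and 5 duplicate certificates (identical name set) per week. The registered-domain helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Count recent issuances per registered domain against Let's Encrypt's weekly limits.

Added example, not part of the original answer. The entries below are
constructed in the shape crt.sh returns for
https://crt.sh/?q=<domain>&output=json, keeping only the fields used here:
`name_value` holds newline-separated SANs, `not_before` the validity start
and `entry_timestamp` the log time. Limits: 50 certificates per registered
domain per week (exact renewals exempt), 5 duplicate certificates per week.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50
DUPLICATE_CERTS_PER_WEEK = 5

# Constructed sample: three issuances of one name set (one of them logged as
# both precertificate and final certificate), one issuance of a second name
# set, and one entry older than a week that must not be counted.
SAMPLE_ENTRIES: List[Dict[str, object]] = [
    {"id": 1, "entry_timestamp": "2020-08-15T10:00:00", "not_before": "2020-08-15T09:00:00",
     "name_value": "secure.alexguedes.com"},
    {"id": 2, "entry_timestamp": "2020-08-15T10:00:05", "not_before": "2020-08-15T09:00:00",
     "name_value": "secure.alexguedes.com"},          # final cert for id 1's precert
    {"id": 3, "entry_timestamp": "2020-08-14T10:00:00", "not_before": "2020-08-14T09:00:00",
     "name_value": "secure.alexguedes.com"},
    {"id": 4, "entry_timestamp": "2020-08-12T10:00:00", "not_before": "2020-08-12T09:00:00",
     "name_value": "secure.alexguedes.com"},
    {"id": 5, "entry_timestamp": "2020-08-13T10:00:00", "not_before": "2020-08-13T09:00:00",
     "name_value": "alexguedes.com\nwww.alexguedes.com"},
    {"id": 6, "entry_timestamp": "2020-08-01T10:00:00", "not_before": "2020-08-01T09:00:00",
     "name_value": "secure.alexguedes.com"},          # outside the 7-day window
]
NOW = datetime(2020, 8, 16, 0, 32)   # matches the timestamp in the question's status output


def registered_domain(name: str) -> str:
    """Approximate eTLD+1 as the last two labels. Assumption: no public-suffix
    list, so names under suffixes such as co.uk would be grouped wrongly."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def weekly_usage(entries: List[Dict[str, object]], now: datetime) -> Dict[str, Dict[str, object]]:
    """Per registered domain: distinct name sets issued in the last 7 days and the
    most-repeated name set, compared against the two weekly limits."""
    window_start = now - timedelta(days=7)
    seen = set()
    per_domain: Dict[str, Counter] = {}
    for entry in entries:
        logged = datetime.fromisoformat(str(entry["entry_timestamp"]))
        if not window_start <= logged <= now:
            continue
        names: FrozenSet[str] = frozenset(
            n.strip().lower() for n in str(entry["name_value"]).split("\n") if n.strip())
        key = (names, entry["not_before"])
        if key in seen:   # precertificate and final certificate share names and not_before
            continue
        seen.add(key)
        for domain in {registered_domain(n) for n in names}:
            per_domain.setdefault(domain, Counter())[names] += 1
    report: Dict[str, Dict[str, object]] = {}
    for domain, counts in per_domain.items():
        distinct = len(counts)              # first issuance of each set counts; repeats are renewals
        most_repeated = max(counts.values())
        report[domain] = {
            "distinct_name_sets": distinct,
            "max_duplicates": most_repeated,
            "domain_limit_hit": distinct >= CERTS_PER_REGISTERED_DOMAIN_PER_WEEK,
            "duplicate_limit_hit": most_repeated >= DUPLICATE_CERTS_PER_WEEK,
        }
    return report


if __name__ == "__main__":
    for domain, usage in weekly_usage(SAMPLE_ENTRIES, NOW).items():
        print(domain, usage)
```

Against the sample this reports 2 distinct name sets and 3 repeats of `secure.alexguedes.com` for alexguedes.com, so neither limit is hit; to use it on real data, load the crt.sh JSON into `entries` and pass `datetime.utcnow()` as `now`. Staging issuances from the question's `letsencrypt-staging` issuer are counted against the staging environment's separate, much higher limits and will not appear in crt.sh at all.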
