'Azure AKS Let's Encrypt - "Issuing certificate as Secret does not exist"
I have followed Microsoft tutorial to setup inggress but cannot issue valid SSL certificate with cert-manager. Below are describe for Ingress, ClusterIssuer and Certificate. Posted are also created by the cluster issuer, Order and 'Challenge`
Name: erpdeploymenttripletex-ingress
Namespace: tripletex
Address: 20.223.184.33
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
tls-secret terminates otterlei.northeurope.cloudapp.azure.com
Rules:
Host Path Backends
---- ---- --------
otterlei.northeurope.cloudapp.azure.com
/estataerpiconnectorapi estataconnservice:80 (10.244.1.150:8080)
/(.*) estataconnservice:80 (10.244.1.150:8080)
Annotations: acme.cert-manager.io/http01-edit-in-place: true
cert-manager.io/cluster-issuer: letsencrypt-staging
cert-manager.io/issue-temporary-certificate: true
kubernetes.io/ingress.class: tripletex
meta.helm.sh/release-name: erpideploymenttripletexprod
meta.helm.sh/release-namespace: tripletex
nginx.ingress.kubernetes.io/ssl-redirect: false
nginx.ingress.kubernetes.io/use-regex: true
Events: <none>Name: letsencrypt-staging
Namespace:
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-staging"},"spec":{"acme":...
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2022-03-11T08:31:50Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1alpha2
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:acme:
.:
f:email:
f:privateKeySecretRef:
.:
f:name:
f:server:
f:solvers:
Manager: kubectl.exe
Operation: Update
Time: 2022-03-11T08:31:50Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:acme:
.:
f:lastRegisteredEmail:
f:conditions:
Manager: controller
Operation: Update
Time: 2022-03-11T08:31:51Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:acme:
f:uri:
Manager: controller
Operation: Update
Time: 2022-03-14T13:23:16Z
Resource Version: 192224854
UID: 5ef69bfc-f3a9-4bd2-8520-e390adbd1763
Spec:
Acme:
Email: [email protected]
Preferred Chain:
Private Key Secret Ref:
Name: letsencrypt-staging
Server: https://acme-staging-v02.api.letsencrypt.org/directory
Solvers:
http01:
Ingress:
Class: nginx
Pod Template:
Metadata:
Spec:
Node Selector:
kubernetes.io/os: linux
Status:
Acme:
Last Registered Email: [email protected]
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/47169398
Conditions:
Last Transition Time: 2022-03-11T08:31:51Z
Message: The ACME account was registered with the ACME server
Observed Generation: 1
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>Name: tls-secret
Namespace: tripletex
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"tripletex"},"spec":{...
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2022-03-16T09:37:39Z
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:conditions:
Manager: controller
Operation: Update
Time: 2022-03-16T09:37:39Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:nextPrivateKeySecretName:
Manager: controller
Operation: Update
Time: 2022-03-16T09:37:39Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:dnsNames:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:secretName:
Manager: kubectl.exe
Operation: Update
Time: 2022-03-16T09:37:39Z
Resource Version: 193021094
UID: e1da4438-952b-4df0-a141-1a3d29e5e9b9
Spec:
Dns Names:
otterlei.northeurope.cloudapp.azure.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-staging
Secret Name: tls-secret
Status:
Conditions:
Last Transition Time: 2022-03-16T09:37:39Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2022-03-16T09:37:39Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: tls-secret-kxkhf
Events: <none>Order
Name: tls-secret-fxpxl-1057960237
Namespace: tripletex
Labels: <none>
Annotations: cert-manager.io/certificate-name: tls-secret
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: tls-secret-kxkhf
kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"tripletex"},"spec":{...
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2022-03-16T09:37:40Z
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Time: 2022-03-16T09:37:40Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:authorizations:
Manager: controller
Operation: Update
Time: 2022-03-16T09:37:40Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: tls-secret-fxpxl
UID: 6ec06c5a-8bd7-49a0-90a5-7d71b796f236
Resource Version: 193021106
UID: 50539071-d3ed-4d79-a2f6-6fcc79f0d41b
Spec:
Dns Names:
otterlei.northeurope.cloudapp.azure.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-staging
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2x6Q0NBWDhDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5ZNQoxUHlqWmhuNnJNbUVUVnBvK0JpWEJGbFAwS0tUajJKYXZGVnhiWXJXV1BxWDdlZzBLUUI0U2xrYVlMK09IcE5tCmFqVXNOWGhGZ2pxc2s5Z2FIWnJuMS9uS284ZWRnSWxLc00vdVFrQ2tnZHQvaXMwOHN5cGxlN3dhMWVkOFNzZCsKMzhXd1ZUaUloNHFPdVRXajJIenRhbUpRNStGcWRidHJZUE5HaTNwakNBcDE0N0RWZG9xRjN0ZkQ2VTRlZjRBMQp1TnN3VFhtVU1tb2wvVlhxYmxSOWxLdmplczFSTjV5N0o4aFBKZGtEMFVtYVFXbkVUSE9tY1A1Lzk3bjBDbzdrCk1CVzR5TkoyNDJmSzAxYnJTRWx3d08rL1hkWXFSNVpQQVp3QWoxRjF6Y3hrZGs2azIrWmlpcmk3Z0U0enVJTjYKRmJLbmhOOGE3dEZHS3VYNUtzOENBd0VBQWFCU01GQUdDU3FHU0liM0RRRUpEakZETUVFd01nWURWUjBSQkNzdwpLWUluYjNSMFpYSnNaV2t1Ym05eWRHaGxkWEp2Y0dVdVkyeHZkV1JoY0hBdVlYcDFjbVV1WTI5dE1Bc0dBMVVkCkR3UUVBd0lGb0RBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXJ3ZXFvalRocUswMEFJVFBiRUhBSk5nZk9kcmQKbVF3MTZaeXQ1a1J4Uk1Cc2VsL1dURGhzY0Q0bklqQWtpVzA2akluMUhOanVCNm1WdVprU0RnRVVLZG15bUJEUgpTcFQvSWtuWkZTci9mWkxFWXNjUnRKcTFFVmhoaTR1bG5ZUnptclkwQ3VsMGVKZzNOYitzZmxJanZMZVQ1N05mClphK3RleXZFSGpMOWVjNEVUbVRRamIxNUdaK3lKZkx6SjA4QU1Qd1JSZkFhYzBkc2RyR0Z3VEF3TGc3MWlTdnMKc3lVdmJBNzQ5T3JlOXZvcko5cjdNQk1mSXBKOXYwTGQwL3IzV1NHSXBkbko2WE1GU28wdGlOZDJlRXFxbDRBMgpEamV2YjVnVnJRTkNnNCtGQzlxbXNLeDJFR2w5MlFNQ0h3WSsrOVdteWIxTmtBbG9RSkZhN3ZIUEFnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
Status:
Authorizations:
Challenges:
Token: W7zdK6beQBcAPTSTrc_6Mv_wiDknSgh3i1XKb617Nos
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1913552008/KocZGw
Token: W7zdK6beQBcAPTSTrc_6Mv_wiDknSgh3i1XKb617Nos
Type: dns-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1913552008/x0hWcg
Token: W7zdK6beQBcAPTSTrc_6Mv_wiDknSgh3i1XKb617Nos
Type: tls-alpn-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1913552008/Hidh4g
Identifier: otterlei.northeurope.cloudapp.azure.com
Initial State: pending
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1913552008
Wildcard: false
Finalize URL: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/47169398/2042532738
State: pending
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/47169398/2042532738
Events: <none>challenge
Name: tls-secret-fxpxl-1057960237-691767986
Namespace: tripletex
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2022-03-16T09:37:40Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.acme.cert-manager.io":
f:ownerReferences:
.:
k:{"uid":"50539071-d3ed-4d79-a2f6-6fcc79f0d41b"}:
f:spec:
.:
f:authorizationURL:
f:dnsName:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:key:
f:solver:
.:
f:http01:
.:
f:ingress:
.:
f:class:
f:podTemplate:
.:
f:metadata:
f:spec:
.:
f:nodeSelector:
.:
f:kubernetes.io/os:
f:token:
f:type:
f:url:
f:wildcard:
Manager: controller
Operation: Update
Time: 2022-03-16T09:37:40Z
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: tls-secret-fxpxl-1057960237
UID: 50539071-d3ed-4d79-a2f6-6fcc79f0d41b
Resource Version: 193021107
UID: 665341e0-2745-48c2-a985-166e58646d44
Spec:
Authorization URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1913552008
Dns Name: otterlei.northeurope.cloudapp.azure.com
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-staging
Key: W7zdK6beQBcAPTSTrc_6Mv_wiDknSgh3i1XKb617Nos.PeCQyw56kTw4k7brocD-LfWP2NllTueut46pJ7EU2yw
Solver:
http01:
Ingress:
Class: nginx
Pod Template:
Metadata:
Spec:
Node Selector:
kubernetes.io/os: linux
Token: W7zdK6beQBcAPTSTrc_6Mv_wiDknSgh3i1XKb617Nos
Type: HTTP-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1913552008/KocZGw
Wildcard: false
Events: <none>Solution 1:[1]
The message "Issuing certificate as Secret does not exist" is ok as the secret with the cert does not exist.
Can you try this config:
Cluster issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
namespace: cert-manager
spec:
acme:
email: EMAIL
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: issuer-key
solvers:
- http01:
ingress:
class: nginx
Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt
spec:
ingressClassName: nginx
rules:
- host: YOUR_URL
http:
paths:
- backend:
service:
name: DEMO
port:
number: 80
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- YOUR_URL
secretName: YOUR_URL
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Philip Welz |