Lessons learnt after two years of using cert-manager
Yesterday I spent one or two hours resolving a pending order issue. I had encountered the issue before when I configured cert-manager with ACME. However, after a short detour into Flutter (iOS, Android) development, I couldn't quickly locate the root cause. This made me think it is better to note down the lessons I learnt here.
DNS01 vs HTTP01
HTTP01 is quite easy to set up for one domain name: the host only has to be reachable from the public internet on port 80 so the ACME server can fetch the challenge token. For many subdomains and their certificates (and for wildcard certificates, which HTTP01 cannot issue at all) it is better to use DNS01, which publishes a TXT record through the DNS provider's API instead. DNS01 does require API credentials for the zone, so keep them in a Secret in the cert-manager namespace and scope the token to the zones it must edit.
Troubleshooting
The troubleshooting guide on the cert-manager site is useful for the cases it covers, but several cases are not mentioned there. Here I list the cases I encountered that I couldn't find on the cert-manager site.
Pending orders without challenges generated
- Make sure the domain names (dnsNames) and the issuerRef (name and kind) in the Certificate are correct; kubectl describe on the Certificate and its CertificateRequest shows an issuerRef that does not resolve.
- Does the corresponding Issuer/ClusterIssuer include a solver whose selector covers the domain names? cert-manager creates no Challenge for a name that no solver matches, and the controller logs say so (assuming the default cert-manager namespace):
kubectl logs -n cert-manager -l app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager | grep 'no configured challenge solvers can be used for this challenge'
- If the Issuer/ClusterIssuer uses a webhook (for example a DNS01 webhook solver), is the webhook correctly configured in the issuer?
- Can the webhook pod be reached from the API server? Check the API server logs or the events (kubectl get events -A).
- Does the webhook work? Check the webhook pod's logs and the events.
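As an added example (not the post's or cert-manager's own code) that covers both the DNS01-vs-HTTP01 split above and the "no configured challenge solvers" check: a Python script that re-implements the solver-selection rules cert-manager documents (an exact dnsNames match beats a dnsZones suffix match, which beats a solver without a selector; the earlier solver wins ties; matchLabels tie-breaking is left out) over a constructed ClusterIssuer solver list, HTTP01 for the single www host and DNS01 via Cloudflare for the rest of the zone. For each dnsName of a Certificate it reports which solver would be picked, or the message the controller logs when none matches. The domain names, the nginx ingress class and the Cloudflare Secret name are assumptions.

```python
"""Which ACME solver would a cert-manager Issuer/ClusterIssuer pick for each
dnsName of a Certificate?

Added example, not cert-manager's code: it re-implements the documented solver
selection rules (exact dnsNames > dnsZones suffix > no selector; first solver
wins ties; matchLabels tie-breaking omitted). Solver specs are Python dicts
mirroring the fields of spec.acme.solvers in a ClusterIssuer manifest.
"""
from typing import Optional, Tuple

# Constructed solver list (assumptions: nginx ingress class, Cloudflare DNS01,
# Secret name cloudflare-api-token, zone example.com).
SOLVERS = [
    {   # HTTP01 only for the one public host that is reachable on port 80
        "selector": {"dnsNames": ["www.example.com"]},
        "http01": {"ingress": {"ingressClassName": "nginx"}},
    },
    {   # DNS01 for the whole zone: every subdomain, wildcards included
        "selector": {"dnsZones": ["example.com"]},
        "dns01": {"cloudflare": {"apiTokenSecretRef": {"name": "cloudflare-api-token",
                                                       "key": "api-token"}}},
    },
]

# The string to grep for in the cert-manager controller logs.
NO_SOLVER_MSG = "no configured challenge solvers can be used for this challenge"


def zone_matches(zone: str, dns_name: str) -> bool:
    """dnsZones semantics: the zone itself or any name under it (incl. *.zone)."""
    return dns_name == zone or dns_name.endswith("." + zone)


def solver_kind(solver: dict) -> str:
    """Which challenge type a solver entry configures."""
    return "http01" if "http01" in solver else "dns01"


def select_solver(solvers: list, dns_name: str) -> Optional[Tuple[int, dict]]:
    """Return (index, solver) of the best match, or None when nothing matches."""
    best_rank, best_idx = None, None
    for idx, solver in enumerate(solvers):
        selector = solver.get("selector") or {}
        if dns_name in selector.get("dnsNames", []):
            rank = (3, 0)                                   # exact name: highest precedence
        else:
            zones = [z for z in selector.get("dnsZones", []) if zone_matches(z, dns_name)]
            if zones:
                rank = (2, max(len(z) for z in zones))      # most specific zone wins
            elif not selector:
                rank = (1, 0)                               # no selector: catch-all default
            else:
                continue                                    # selector present, no match
        if best_rank is None or rank > best_rank:           # strict '>' keeps earlier solver on ties
            best_rank, best_idx = rank, idx
    return None if best_idx is None else (best_idx, solvers[best_idx])


def diagnose(solvers: list, dns_names: list) -> dict:
    """Map each dnsName to the solver kind that would handle it, or to the
    message the controller logs when the Order stays pending without Challenges."""
    report = {}
    for name in dns_names:
        match = select_solver(solvers, name)
        report[name] = solver_kind(match[1]) if match else NO_SOLVER_MSG
    return report


if __name__ == "__main__":
    # Constructed Certificate spec.dnsNames; example.org is deliberately outside the zone.
    names = ["www.example.com", "api.example.com", "*.example.com", "example.org"]
    for name, result in diagnose(SOLVERS, names).items():
        print(f"{name:18} -> {result}")
```

Run it with the solver list copied from your own ClusterIssuer and the dnsNames from the Certificate: any name that maps to NO_SOLVER_MSG is exactly the name for which cert-manager will create no Challenge, and it is the name to add to a solver's dnsNames or to cover with a dnsZones entry.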
Challenges and HTTP01
Configure DNS before requesting the certificate, so that ACME (Let's Encrypt) can resolve the host and reach the challenge: for HTTP01 the name must resolve from the public internet to the ingress that serves http://<domain>/.well-known/acme-challenge/<token> on port 80. A Challenge that stays pending can be inspected with kubectl describe challenge <name>; its status carries the ACME server's reason, such as a DNS lookup or connection error.