
I had a project hosted on Kubernetes, using the nginx ingress controller and cert-manager to handle the SSL certificates. It was all working fine until I changed the hosting of the Kubernetes cluster to another data center, and I happened to shut down the old cluster without backing up the private keys.

Now my sites are showing NET::ERR_CERT_AUTHORITY_INVALID.

Any suggestions on how to either revoke the old cert so that I can regenerate a new certificate in the new cluster, or whether there is a way that I can override the old cert?

Thanks for helping out!

Ingress controller:

apiVersion: networking.k8s.io/v1beta1   # removed in Kubernetes 1.22; networking.k8s.io/v1 uses pathType and service.name/service.port instead
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # cert-manager's ingress-shim watches for this annotation and creates a Certificate
    # named after spec.tls[].secretName, issued by the referenced ClusterIssuer.
    cert-manager.io/cluster-issuer: "prod-letsencrypt"
    # nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  tls:
  - hosts:
    - xxx.example.com
    # Until this Secret exists, ingress-nginx serves its built-in self-signed fallback
    # certificate for the host, which browsers reject as an untrusted authority.
    secretName: example-tls
  rules:
  - host: xxx.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: example-svc
          servicePort: 80

Issuer:

apiVersion: cert-manager.io/v1alpha2   # legacy API version; cert-manager.io/v1 has been the current one since cert-manager 1.0
kind: ClusterIssuer
metadata:
  name: prod-letsencrypt
  # A ClusterIssuer is cluster-scoped, so it carries no namespace; the Secrets it
  # references (privateKeySecretRef below) live in cert-manager's own namespace.
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: xxx@example.com
    # Name of a secret used to store the ACME account private key. If this Secret was
    # lost with the old cluster, cert-manager registers a fresh account. A fresh account
    # can still order new certificates, but cannot revoke the old account's certificates
    # by account key alone (Let's Encrypt then needs the certificate's private key or
    # fresh authorizations for every name in it).
    privateKeySecretRef:
      name: prod-letsencrypt
    # DNS-01 solver using Route53 (the original comment said HTTP-01, but no http01
    # solver is configured here)
    solvers:
    - dns01:
        route53:
          region: us-east-2
          # cert-manager assumes this role with the pod's ambient AWS credentials
          # (EC2 instance profile or IRSA). A cluster running outside AWS has none,
          # so it must supply accessKeyIDSecretRef/secretAccessKeySecretRef instead.
          role: arn:aws:iam::xxxx:role/dns-challenge-role

Describing the certificate in the new cluster, I only see that the cert is being requested.

Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    60m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  60m   cert-manager  Stored new private key in temporary Secret resource "example-tls-f4xt5"
  Normal  Requested  60m   cert-manager  Created new CertificateRequest resource "example-tls-xmxqm"
何帅何
  • Try having a look at https://stackoverflow.com/questions/58423312/how-do-i-test-a-clusterissuer-solver/58436097?noredirect=1#comment103215785_58436097, hope this helps – Tushar Mahajan Feb 19 '21 at 04:06
  • If you want to force a renewal of the certificate, you can delete the Secret that keeps the certificate. Cert-manager should detect this and get a new certificate for you. You can find more information [here](https://github.com/jetstack/cert-manager/issues/854#issuecomment-415519657). If you don't have access to this TLS Secret, I think you can recreate the cert manually using e.g. [Certbot](https://certbot.eff.org/) in manual mode. – matt_j Feb 22 '21 at 16:37
  • Any progress? Did you solve the problem? – matt_j Mar 01 '21 at 10:08
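The Certificate events in the question stop at "Created new CertificateRequest", so the place to look next is the chain below the Certificate: cert-manager turns a CertificateRequest into an ACME Order and one Challenge per name, and whichever step is stuck carries cert-manager's error text in its status. The script below is an added example for this question, not code from the original post or from the cert-manager project. It walks that chain from kubectl's JSON output and reports the first link that is not healthy; with no arguments it runs on constructed sample objects that reuse the names example-tls and xxx.example.com from the question, and whose status text (including the Route53 AccessDenied reason) is made up for illustration. Two facts worth having before chasing a revocation: until the example-tls Secret exists, ingress-nginx serves its own self-signed fallback certificate, which is exactly what the browser reports as NET::ERR_CERT_AUTHORITY_INVALID; and losing the old private key does not block a new ACME order, so nothing has to be revoked for a fresh certificate to be issued.

```python
"""Walk a cert-manager issuance chain to the link that is blocking it.

Added example for the question above, not code from the post or from cert-manager.
cert-manager issues through Certificate -> CertificateRequest -> Order -> Challenge(s),
recording a Ready condition on the first two and status.state on the last two.
Events that stop at "Created new CertificateRequest" mean the blocker is further
down, so this reads the chain from kubectl JSON and reports the first unhealthy link.
Live:    python3 trace_cert.py example-tls default   (needs kubectl access)
Offline: no arguments runs on SAMPLE, constructed objects whose status text is made up.
"""
import json
import subprocess
import sys


def kubectl_json(kind, namespace, name=None):
    """Parsed `kubectl get <kind> [name] -n <namespace> -o json` (live mode only)."""
    cmd = ["kubectl", "get", kind, "-n", namespace, "-o", "json"] + ([name] if name else [])
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def make_obj(kind, name, uid, owner=None, **fields):
    """Minimal Kubernetes object for the constructed sample; `owner` fills ownerReferences."""
    meta = {"name": name, "namespace": "default", "uid": uid,
            "creationTimestamp": "2021-02-18T10:00:00Z"}
    if owner is not None:
        meta["ownerReferences"] = [{"kind": owner["kind"], "name": owner["metadata"]["name"],
                                    "uid": owner["metadata"]["uid"]}]
    return {"kind": kind, "metadata": meta, **fields}


def owned_by(items, parent):
    """Objects from a kubectl list whose ownerReferences point at `parent` (matched by uid)."""
    puid = parent["metadata"]["uid"]
    return [o for o in items
            if any(r.get("uid") == puid for r in o["metadata"].get("ownerReferences", []))]


def condition(obj, ctype):
    """The `.status.conditions` entry of type `ctype`, or None if absent."""
    conds = obj.get("status", {}).get("conditions", [])
    return next((c for c in conds if c.get("type") == ctype), None)


def diagnose(cert, requests, orders, challenges):
    """Return (stage, verdict): the first unhealthy link and what cert-manager recorded on it."""
    newest = lambda objs: max(objs, key=lambda o: o["metadata"].get("creationTimestamp", ""))
    ready = condition(cert, "Ready")
    if ready and ready.get("status") == "True":
        return "Certificate", "Ready: " + ready.get("message", "")

    reqs = owned_by(requests, cert)
    if not reqs:
        return "Certificate", "no CertificateRequest owned by this Certificate yet; check the controller logs"
    rq = condition(newest(reqs), "Ready") or {}
    if rq.get("reason") == "Failed":  # terminal: the issuer rejected the request
        return "CertificateRequest", "Failed: " + rq.get("message", "")

    ords = owned_by(orders, newest(reqs))
    if not ords:  # typical message here: the referenced (Cluster)Issuer is not Ready
        return "CertificateRequest", "pending, no Order created: " + rq.get("message", "no Ready condition")
    order = newest(ords)
    state = order.get("status", {}).get("state", "pending")
    if state in ("invalid", "errored", "expired"):
        return "Order", f"{state}: " + order.get("status", {}).get("reason", "")

    for ch in owned_by(challenges, order):  # one Challenge per dnsName in the Order
        cs = ch.get("status", {})
        if cs.get("state") != "valid":
            return "Challenge", (f"{ch['spec']['type']} for {ch['spec']['dnsName']} is "
                                 f"{cs.get('state', 'pending')}: {cs.get('reason', '')}")
    return "Order", f"{state}: all challenges valid, waiting on the ACME server"


# Constructed sample: the Certificate from the question with a DNS-01 challenge that never completes.
_cert = make_obj("Certificate", "example-tls", "c-1", status={"conditions": [
    {"type": "Ready", "status": "False", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"}]})
_req = make_obj("CertificateRequest", "example-tls-xmxqm", "r-1", owner=_cert, status={"conditions": [
    {"type": "Ready", "status": "False", "reason": "Pending",
     "message": "Waiting on certificate issuance from order default/example-tls-xmxqm-1: \"pending\""}]})
_order = make_obj("Order", "example-tls-xmxqm-1", "o-1", owner=_req, status={"state": "pending"})
_chal = make_obj("Challenge", "example-tls-xmxqm-1-2", "ch-1", owner=_order,
                 spec={"type": "DNS-01", "dnsName": "xxx.example.com"},
                 status={"state": "pending", "presented": False, "processing": True,
                         "reason": "(constructed) presenting DNS-01 record failed: AccessDenied assuming role"})
SAMPLE = (_cert, [_req], [_order], [_chal])


def main(argv):
    """trace_cert.py [certificate-name [namespace]]; with no name, runs on SAMPLE."""
    if len(argv) < 2:
        stage, verdict = diagnose(*SAMPLE)
    else:
        name, ns = argv[1], (argv[2] if len(argv) > 2 else "default")
        get = lambda kind, n=None: kubectl_json(kind, ns, n)
        stage, verdict = diagnose(get("certificate.cert-manager.io", name),
                                  get("certificaterequest.cert-manager.io")["items"],
                                  get("order.acme.cert-manager.io")["items"],
                                  get("challenge.acme.cert-manager.io")["items"])
    print(f"blocked at {stage}: {verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

Against the cluster, `python3 trace_cert.py example-tls default` prints the stage and the reason string cert-manager stored, the same text `kubectl describe challenge -n default` shows under Status. A pending DNS-01 Challenge with an AWS error points at the Route53 solver's credentials in the new data center rather than at the lost certificate; a CertificateRequest with no Order usually points at the ClusterIssuer itself not being Ready.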

0 Answers