
I have a k3s setup and am trying to get my ingress configured with TLS, but the certificates are not getting signed by the CA. The error I am getting is given below:

Name: tls-cert-grafana
Namespace: grafana
Created at: 2023-09-01T17:00:42+09:00
Conditions:
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Issuing: False, Reason: Failed, Message: The certificate request has failed to complete and will be retried: Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
DNS Names:
- grafana.my-network.com
Events:
  Type     Reason     Age    From                                       Message
  ----     ------     ----   ----                                       -------
  Normal   Issuing    2m41s  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal   Generated  2m40s  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "tls-cert-grafana-zd2d5"
  Normal   Requested  2m40s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "tls-cert-grafana-c7m5b"
  Warning  Failed     2m40s  cert-manager-certificates-issuing          The certificate request has failed to complete and will be retried: Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
Issuer:
  Name: my-acme01
  Kind: ClusterIssuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
  Events:  <none>
error when finding Secret "tls-cert-grafana": secrets "tls-cert-grafana" not found
Not Before: <none>
Not After: <none>
Renewal Time: <none>
CertificateRequest:
  Name: tls-cert-grafana-c7m5b
  Namespace: grafana
  Conditions:
    Approved: True, Reason: cert-manager.io, Message: Certificate request has been approved by cert-manager.io
  Ready: False, Reason: Failed, Message: Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
  Events:
    Type     Reason              Age                    From                                                Message
    ----     ------              ----                   ----                                                -------
    Normal   WaitingForApproval  2m40s                  cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
    Normal   WaitingForApproval  2m40s                  cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
    Normal   WaitingForApproval  2m40s                  cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
    Normal   WaitingForApproval  2m40s                  cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
    Normal   WaitingForApproval  2m40s                  cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
    Normal   cert-manager.io     2m40s                  cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
    Normal   OrderCreated        2m40s                  cert-manager-certificaterequests-issuer-acme        Created Order resource grafana/tls-cert-grafana-c7m5b-3111432917
    Warning  OrderFailed         2m40s (x2 over 2m40s)  cert-manager-certificaterequests-issuer-acme        Failed to wait for order resource "tls-cert-grafana-c7m5b-3111432917" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
Order:
  Name: tls-cert-grafana-c7m5b-3111432917
  State: errored, Reason: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier
  No Authorizations for this Order
  FailureTime: 2023-09-01T17:00:43+09:00
No Challenges found for this Certificate

Here are the YAML files for the resources:

Issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-acme01
spec:
  acme:
    email: <my-own-email>
    server: <https-address-to-my-acme>
    privateKeySecretRef:
      name: acme-issuer
    solvers:
    - http01:
        ingress:
          class: nginx
          serviceType: ClusterIP

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: grafana
  annotations:
    cert-manager.io/acme-challenge-type: http01
    cert-manager.io/cluster-issuer: my-acme01
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: nginx
  rules:
  - host: grafana.my-network.com 
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: grafana
            port:
              number: 80
  tls:
    - hosts:
        - grafana.my-network.com 
      secretName: tls-cert-grafana

Note: cert-manager is installed via helm, currently at version v1.12.3

Has anyone faced a similar issue or can help troubleshoot this?

Summary: Tried securing k8s ingress for grafana using cert-manager and an external ACME CA but based on the certificate logs "No Challenges found for this Certificate" and "State: errored, Reason: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: The server will not issue certificates for the identifier". I am not sure how to troubleshoot this and need some support.

Scorch
  • Additional info, the `Challenge` is not created so far in the grafana namespace while `CertificateRequest`, `Order` and `Certificate` are present but with `FALSE` or `errored` state – Scorch Sep 01 '23 at 08:24
  • Noticed this in the cert-manager pod logs: `"cert-manager/orders: re-queuing item due to error processing" err="ACME client for issuer not initialised/available" key="grafana/tls-cert-grafana-5kppr-185576883"` – Scorch Sep 01 '23 at 09:07
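The 400 rejectedIdentifier in the status above is returned by the ACME server on the newOrder call, before any authorization or challenge exists (hence "No Authorizations for this Order" and "No Challenges found"), so the identifier itself and the CA's issuance policy for it are what to check, not the http01 solver or the Ingress. As an added example that is not part of the original question, here is a pre-flight check for the properties an ACME CA commonly refuses a dns identifier for; the reserved-TLD set and the wildcard/IP rules are assumptions about typical CA policy, not cert-manager code.

```python
import ipaddress
import re

# Hostname label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Assumed policy: RFC 2606/6761 reserved names plus .local (mDNS-only) are never issued for.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}


def check_acme_dns_identifier(name: str, solver: str = "http01") -> list[str]:
    """Return the reasons an ACME newOrder for `name` is likely to be refused with
    rejectedIdentifier before any challenge is created; an empty list means the
    name is syntactically acceptable and the refusal is the CA's own policy."""
    problems = []
    if name != name.strip():
        problems.append("identifier has surrounding whitespace")
    name = name.strip().rstrip(".").lower()
    if not name:
        problems.append("identifier is empty")
        return problems
    try:
        ipaddress.ip_address(name)
        problems.append("IP address literal: not a dns identifier; only CAs "
                        "implementing RFC 8738 issue for IPs")
        return problems
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    labels = name.split(".")
    if labels[0] == "*":
        # cert-manager's http01 solver cannot complete a wildcard order.
        if solver != "dns01":
            problems.append("wildcard names can only be validated with a dns01 solver")
        labels = labels[1:]
    if len(name) > 253:
        problems.append("FQDN longer than 253 octets")
    if len(labels) < 2:
        problems.append("single-label name: public CAs do not issue without a registered TLD")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid RFC 1123 hostname label")
    if labels[-1] in RESERVED_TLDS:
        problems.append(f"TLD .{labels[-1]} is reserved/non-public; no public CA issues for it")
    return problems


if __name__ == "__main__":
    # Constructed sample: the name from the Ingress above plus a few deliberately bad ones.
    for candidate in ["grafana.my-network.com", "grafana.my-network.local", "*.my-network.com"]:
        print(candidate, "->", check_acme_dns_identifier(candidate) or "ok")
```

If a name passes every check yet the order is still refused, the rejection is the ACME server's issuance policy for that domain (for a private ACME CA, typically its configured domain allowlist), which is where to look next.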

0 Answers