Cert-manager can't renew cert

jrisch · May 13, 2019, 12:27pm

I have a setup with one Rancher k8s cluster, and one cluster for my apps and services. cert-manager in the rancher cluster is failing to renew the LE certificate. I get this in the log:

    I0513 12:19:38.393882       1 controller.go:68] Starting ingress-shim controller                                                                                                                                                                                                                                                                                         │
I0513 12:19:40.617820       1 controller.go:171] certificates controller: syncing item 'cattle-system/tls-rancher-ingress'                                                                                                                                                                                                                                               │
I0513 12:19:40.621714       1 sync.go:312] Preparing certificate cattle-system/tls-rancher-ingress with issuer                                                                                                                                                                                                                                                           │
I0513 12:19:40.621791       1 sync.go:319] Renewing certificate...                                                                                                                                                                                                                                                                                                       │
I0513 12:19:40.631604       1 sync.go:206] Certificate cattle-system/tls-rancher-ingress scheduled for renewal in -865 hours                                                                                                                                                                                                                                             │
E0513 12:19:40.631758       1 controller.go:180] certificates controller: Re-queuing item "cattle-system/tls-rancher-ingress" due to error processing: error creating x509 certificate: x509: only RSA and ECDSA public keys supported                                                                                                                                   │
I0513 12:19:43.636945       1 controller.go:168] ingress-shim controller: syncing item 'cattle-system/rancher'                                                                                                                                                                                                                                                           │
I0513 12:19:43.637109       1 sync.go:140] Certificate "tls-rancher-ingress" for ingress "rancher" already exists                                                                                                                                                                                                                                                        │
I0513 12:19:43.650782       1 controller.go:141] issuers controller: syncing item 'cattle-system/rancher'                                                                                                                                                                                                                                                                │
I0513 12:19:43.658058       1 setup.go:71] Signing CA verified                                                                                                                                                                                                                                                                                                           │
I0513 12:19:43.665711       1 controller.go:155] issuers controller: Finished processing work item "cattle-system/rancher"                                                                                                                                                                                                                                               │
I0513 12:19:43.690981       1 controller.go:182] ingress-shim controller: Finished processing work item "cattle-system/rancher"                                                                                                                                                                                                                                          │
I0513 12:19:44.640130       1 controller.go:171] certificates controller: syncing item 'cattle-system/tls-rancher-ingress'                                                                                                                                                                                                                                               │
I0513 12:19:44.646626       1 sync.go:312] Preparing certificate cattle-system/tls-rancher-ingress with issuer                                                                                                                                                                                                                                                           │
I0513 12:19:44.653540       1 sync.go:319] Renewing certificate...                                                                                                                                                                                                                                                                                                       │
I0513 12:19:44.684328       1 sync.go:206] Certificate cattle-system/tls-rancher-ingress scheduled for renewal in -865 hours                                                                                                                                                                                                                                             │
E0513 12:19:44.685544       1 controller.go:180] certificates controller: Re-queuing item "cattle-system/tls-rancher-ingress" due to error processing: error creating x509 certificate: x509: only RSA and ECDSA public keys supported

I’ve googled it, and search the issue board for both k8s, cert-manager and Rancher, but I can’t find a fix to it.

Can anyone shed some light on what’s going on here…?

Thanks in advance.

jrisch · May 14, 2019, 11:46am

Just to add some more info - here’s the output from kubectl describe certificate:

Name:         tls-rancher-ingress
Namespace:    cattle-system
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-02-06T11:16:46Z
  Generation:          2
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  rancher
    UID:                   ad94c23d-2a00-11e9-886f-86c6d7410348
  Resource Version:        13443003
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/cattle-system/certificates/tls-rancher-ingress
  UID:                     b092323d-2a00-11e9-8730-7e18805407a4
Spec:
  Acme:
    Config:
      Domains:
        REDACTED
      Http 01:
        Ingress:
  Dns Names:
    REDACTED
  Issuer Ref:
    Kind:       Issuer
    Name:       rancher
  Secret Name:  tls-rancher-ingress
Status:
  Acme:
    Order:
      URL:  https://acme-v02.api.letsencrypt.org/acme/order/50974597/304160375
  Conditions:
    Last Transition Time:  2019-04-07T10:58:35Z
    Message:               Error issuing TLS certificate: error creating x509 certificate: x509: only RSA and ECDSA public keys supported
    Reason:                ErrRenewCert
    Status:                False
    Type:                  Ready
    Last Transition Time:  <nil>
    Message:               Order validated
    Reason:                OrderValidated
    Status:                False
    Type:                  ValidateFailed
Events:
  Type    Reason     Age                     From          Message
  ----    ------     ----                    ----          -------
  Normal  RenewCert  2m10s (x1403 over 23h)  cert-manager  Renewing certificate...

Patrick_Keller · September 2, 2019, 12:06pm

Same problem. Were you able to solve it?

jrisch · September 2, 2019, 12:21pm

Yes, I got it solved. But unfortunately, for some reason, I simply can’t remember what the solution was. :-/

Patrick_Keller · September 2, 2019, 12:29pm

Ok I’ve no idea where to start. If you suddenly remember the solution please let me know

sgunalan · February 29, 2020, 8:35am

I am having the same issue. please let me know how you were able to solve this

Thanks

Topic		Replies	Views
Fresh installation of Rancher Server into RKE fails SUSE Rancher Prime	1	8858	January 30, 2021
SSL certificate renewal SUSE Rancher Prime	8	4454	December 2, 2020
Lets Encrypt Certificate renewal	0	537	October 28, 2020
Rancher 2.9.0 and cert-manager from app catalog SUSE Rancher Prime	8	6644	October 31, 2019
Certificates updated ==> disaster happened SUSE Rancher Prime	0	767	March 14, 2022

Cert-manager can't renew cert

Related topics