Help! My TLS Certificate is Stuck in ‘Pending’ State with Cert-Manager and Let’s Encrypt on Kubernetes

Asked By CuriousCoder42 On

I've been having trouble getting a TLS certificate issued with cert-manager in my Kubernetes setup using Let's Encrypt and the DNS-01 challenge through Cloudflare. The certificate remains in a 'pending' state and doesn't move to 'Ready'. Here are the details:
- The issuer is set to 'letsencrypt-prod' and the requestor is 'system:serviceaccount:cert-manager'.
- The status shows it's waiting on certificate issuance from an order that includes 'pending'.
In terms of my configuration:
- I'm using Helm to install cert-manager.
- My ClusterIssuer is configured to use Cloudflare for the DNS-01 challenge.
- I've stored the Cloudflare API token in a secret with the right permissions.
- I'm utilizing Kong as my Ingress controller.
Here's the Ingress manifest for context:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webhook-receiver
  namespace: flux-system
  annotations:
    kubernetes.io/ingress.class: kong
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - flux-webhook.-domain
    secretName: flux-webhook-cert
  rules:
  - host: flux-webhook.-domain
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: webhook-receiver
            port:
              number: 80
```
Does anyone have an idea of what could be missing or how to further troubleshoot this issue? Thanks!

6 Answers

Answered By StatusChecker On

There was an outage reported by Let's Encrypt recently. You might want to check the status page to see if that's affecting your issue: https://letsencrypt.status.io.

Answered By StagingSeeker On

Remember that Let's Encrypt has rate limits, which could be part of your problem. Try using their staging server first for tests, then switch to production once you’re confident everything works.

Answered By TechGuru999 On

Check the logs from your cert-manager pod. That can give you some useful insights into why the certificate is stuck. Sometimes, there’s an issue with the DNS-01 challenge propagation that's causing the delay.

CloudFan88 -

I had a similar issue where cert-manager was waiting for HTTP-01 challenge propagation and I kept getting a timeout error. It's usually a sign that the challenge path is unreachable.
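
Added example (not part of any answer in this thread): a small POSIX shell helper that does what TechGuru999 suggests in one go. It walks the cert-manager object chain Certificate -> Order -> Challenge for a namespace, prints the Ready condition and the per-challenge state and reason (for DNS-01 this is where propagation-check messages show up), and then greps the controller log for the certificate name. It assumes kubectl already points at the cluster and that cert-manager was installed into the `cert-manager` namespace (override with `CM_NS`); the namespace and certificate name in the usage line are taken from the question.

```shell
#!/bin/sh
# Added example: walk the cert-manager chain for one Certificate and show
# where it is stuck. Assumes kubectl is configured and cert-manager runs in
# the "cert-manager" namespace (assumption; override with CM_NS).
CM_NS=${CM_NS:-cert-manager}

# Ready condition (status + message) of a Certificate or CertificateRequest.
cm_ready() {
  kind=$1; name=$2; ns=$3
  kubectl -n "$ns" get "$kind" "$name" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status} {.status.conditions[?(@.type=="Ready")].message}'
}

# One line per ACME Order in the namespace: state and reason.
cm_orders() {
  kubectl -n "$1" get orders.acme.cert-manager.io \
    -o custom-columns='NAME:.metadata.name,STATE:.status.state,REASON:.status.reason'
}

# One line per Challenge: domain, solver type, state and the solver's reason.
# A DNS-01 challenge that never leaves "pending" usually carries the
# propagation-check message in the REASON column.
cm_challenges() {
  kubectl -n "$1" get challenges.acme.cert-manager.io \
    -o custom-columns='NAME:.metadata.name,DOMAIN:.spec.dnsName,TYPE:.spec.type,STATE:.status.state,REASON:.status.reason'
}

# Controller log lines from the last hour that mention the given string.
cm_logs() {
  kubectl -n "$CM_NS" logs deploy/cert-manager --since=1h 2>/dev/null \
    | grep -i "$1" || echo "(no matching log lines)"
}

# Full walk for one Certificate: $1 = namespace, $2 = Certificate name.
cm_diagnose() {
  ns=$1; cert=$2
  echo "Certificate $cert: $(cm_ready certificate "$cert" "$ns")"
  echo "--- Orders in $ns"
  cm_orders "$ns"
  echo "--- Challenges in $ns"
  cm_challenges "$ns"
  echo "--- cert-manager log lines mentioning $cert"
  cm_logs "$cert"
}

# Usage, with the names from the question:
#   cm_diagnose flux-system flux-webhook-cert
```

Read the output top down: if the Certificate is not Ready but no Order or Challenge exists, the problem is between the Certificate and the issuer (wrong issuer name, issuer not Ready); if a Challenge exists and stays pending, the REASON column and the log lines tell you whether cert-manager is still waiting for the TXT record to become visible or whether the Cloudflare API call itself failed.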

Answered By WiseOldDoc On

Make sure your issuer has a DNS solver configured. You can find instructions for that here: https://cert-manager.io/docs/tutorials/acme/dns-validation/. It's a common step that gets overlooked.

Answered By CertMaster42 On

You need to enable DNS-01 authentication to let cert-manager handle the process correctly. More info can be found here: https://cert-manager.io/docs/configuration/acme/dns01/. Don't forget to set up your Helm deployment for cert-manager to use recursive name servers like 8.8.8.8 or 1.1.1.1, which can often resolve issues like this one.
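
Added example (not part of any answer in this thread) that ties together StagingSeeker's, WiseOldDoc's and CertMaster42's advice: a shell helper that renders a ClusterIssuer with a Cloudflare DNS-01 solver for either the staging or the production ACME endpoint, plus the Helm command that makes cert-manager do its propagation self-check against public recursive resolvers only. The Secret name `cloudflare-api-token` with key `api-token`, the zone `example.com` and the e-mail `admin@example.com` are assumed placeholders, not values from the question.

```shell
#!/bin/sh
# Added example: Cloudflare DNS-01 ClusterIssuer (staging or prod) and the
# Helm flags for recursive nameservers. Secret name, key, zone and e-mail
# below are assumed placeholders.

ACME_PROD=https://acme-v02.api.letsencrypt.org/directory
ACME_STAGING=https://acme-staging-v02.api.letsencrypt.org/directory

# ACME directory URL for an environment name (prod|staging).
acme_server() {
  case "$1" in
    prod)    echo "$ACME_PROD" ;;
    staging) echo "$ACME_STAGING" ;;
    *) echo "unknown environment: $1" >&2; return 1 ;;
  esac
}

# Render a ClusterIssuer. $1 = environment, $2 = account e-mail, $3 = DNS zone.
render_cluster_issuer() {
  env=$1; email=$2; zone=$3
  server=$(acme_server "$env") || return 1
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-$env
spec:
  acme:
    server: $server
    email: $email
    privateKeySecretRef:
      name: letsencrypt-$env-account-key
    solvers:
    - dns01:
        cloudflare:
          # For a ClusterIssuer the token Secret must live in cert-manager's
          # own namespace (the cluster resource namespace), not in the
          # namespace of the Ingress. The token needs Zone:Read and DNS:Edit.
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
      # Only use this solver for names under the assumed zone.
      selector:
        dnsZones:
        - $zone
EOF
}

# Helm command that makes the DNS-01 self-check query 1.1.1.1 and 8.8.8.8
# only, so cluster DNS caching or split-horizon zones cannot hide the new
# TXT record from cert-manager. (crds.enabled is the chart value on
# cert-manager 1.15+; older charts use installCRDs=true.)
helm_install_cmd() {
  printf '%s' "helm upgrade --install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set crds.enabled=true \
  --set 'extraArgs={--dns01-recursive-nameservers=1.1.1.1:53\\,8.8.8.8:53,--dns01-recursive-nameservers-only}'"
}

# Usage, staging first as the thread recommends, then prod once it works:
#   eval "$(helm_install_cmd)"
#   render_cluster_issuer staging admin@example.com example.com | kubectl apply -f -
#   render_cluster_issuer prod    admin@example.com example.com | kubectl apply -f -
```

Point the Ingress annotation at `letsencrypt-staging` while testing; staging certificates are not browser-trusted but are not subject to the production rate limits, so a misconfigured solver can be fixed and retried without burning the production quota. Switch the annotation to `letsencrypt-prod` only after the staging Certificate reaches Ready.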

Answered By CloudyConfig On

I faced something similar with Digital Ocean. I found that the traffic wasn’t routed correctly due to misconfigured Cloudflare settings. Make sure your Cloudflare IP is properly set in your Nginx configuration. Also, I initially used the wrong challenge type, which caused validation errors. I'd recommend disabling Cloudflare proxy mode temporarily to troubleshoot.

DNSWiz99 -

I had to set up a dummy DNS record pointing to my load balancer's IP to get it working too. That way, Let's Encrypt could reach the cert-manager pods without issues.
