Comments (5)
Interesting. Another thing to remember is the rate limit that Let's Encrypt is imposing. But that shouldn't be the case because you're renewing certificates, hence it doesn't apply (as stated in their rate limit documentation page).
Another thing to check and keep in mind is the duplicate certificates limit. In case of environments that deal a lot with frequent deployments (such as development envs), or where you perform a lot of testing, I think it's best to use the Let's Encrypt staging environment.
I think most people use wildcard certificates in the end, hence the dns-01 challenge option. This way, you avoid requesting too many certificates at once for multiple exposed services, and maybe avoid tricky situations such as rate limits or whatever Let's Encrypt is imposing. Another thing to take into consideration is how to perform this process gradually and stay on the safe side so to speak.
In the end, it's advised to find the root cause so that you are not hit by this issue again. If you have logging or the observability stack enabled (and I assume you do), check if you are affected by the above-mentioned possible cause(s).
Hope it helps.
from kubernetes-starter-kit-developers.
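As an added example (not part of the original comment or the starter kit's own manifests): a cert-manager ClusterIssuer pointed at the Let's Encrypt staging endpoint with a dns-01 solver, plus a wildcard Certificate that uses it. The DigitalOcean DNS solver, `example.com`, the e-mail address, and all resource and Secret names are assumptions.

```yaml
# Staging issuer: certificates are not browser-trusted, but repeated
# test issuance does not count against the production rate limits.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging            # assumed name
spec:
  acme:
    # Production endpoint, for comparison:
    #   https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com             # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      # dns-01 is required for wildcard names and does not depend on
      # the load balancer serving the HTTP challenge path.
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns   # assumed Secret holding the API token
              key: access-token
---
# One wildcard certificate instead of one certificate per exposed service.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com           # assumed name
  namespace: ingress-nginx             # assumed namespace
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - "example.com"
    - "*.example.com"
```

The DNS API token Secret must exist in cert-manager's cluster resource namespace, and the token should be scoped as narrowly as the DNS provider allows, since it can modify records for the zone.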
Hi @jmd9019
Sorry to hear that. As far as I know cert-manager should renew certificates automatically, unless there's an issue somewhere down the chain.
Is it possible to send more information about your current setup for the staging environment, such as:
- Kubernetes version.
- Cert-manager version.
- Nginx ingress version.
Next, is it possible to send relevant configuration such as:
- Current Ingress resource configuration.
- Current configuration for cert-manager's Issuer resource.
Also, it would be helpful to see event information emitted by cert-manager's Issuer resource. I'm interested if any relevant messages are sent by the issuer. On top of that, logs emitted by cert-manager controller Pods are a plus as well.
Note:
Make sure to strip sensitive information from manifests and logs, if any.
Thanks.
from kubernetes-starter-kit-developers.
Hi @v-ctiutiu,
It was needed urgently, so, as other comments on StackOverflow suggested, I changed the challenge from http01 to dns01, which renewed my certificates as of now, but I don't know if I might face the same issue again with the dns01 challenge also.
One thing I remember is that for http01 it was creating an HTTP ACME endpoint, which I think the DO load balancer was redirecting to https, which was giving a 404 error.
from kubernetes-starter-kit-developers.
Hi @v-ctiutiu,
Thanks for the update. I suspect that we had this issue: 'Another thing to check and keep in mind is the duplicate certificates limit. In case of environments that deal a lot with frequent deployments (such as development envs), or where you perform a lot of testing, I think it's best to use the Let's Encrypt staging environment.', which you mentioned, as we are continuously deploying new changes to production. Also, I was using the Let's Encrypt production environment.
from kubernetes-starter-kit-developers.
Closing the ticket as of now; will reopen again if this occurs.
from kubernetes-starter-kit-developers.