Is this project still active? about kubernetes-letsencrypt HOT 22 CLOSED

Hey!

We still use this for provisioning certificates without issue. This is not an official Let's Encrypt project though.

Do you receive some sort of error output from the controller?

from kubernetes-letsencrypt.

Nope. Just a lot of Starting reconciliation loop for namespace... but the certs are not renewing. We have not touched this in a very long time. It was auto renewing until, it wasn't :O

I have tried re-deploying the pod but no go.

from kubernetes-letsencrypt.

Whoops didn't mean to close.

from kubernetes-letsencrypt.

Anyway to force the certs to renew?

from kubernetes-letsencrypt.

You could create a mismatch in the domain annotation on the existing certs, I'm not sure why it would stop renewing though 🤔

from kubernetes-letsencrypt.

What do you mean mismatch?

from kubernetes-letsencrypt.

I've got three domains in two different clusters that aren't renewing.

from kubernetes-letsencrypt.

I'm wondering if something changed with the library I use for the actual ACME-protocol implementation ... either way the reconciliation loop should still start running and fail further down the line.

Can you check if the acme/expiryDate annotation is present on the secrets?

What do you mean mismatch?

There's an annotation on each Secret that contains the list of domains the certificate was issued for. If you add or remove an entry from that list the controller should want to renew the certificate regardless of the expiration date.

from kubernetes-letsencrypt.

They all have expiration dates far from now. I will try removing them to see what happens.

from kubernetes-letsencrypt.

Removing the expiration dates probably won't help (it may issue warnings), but changing the domain annotation should.

from kubernetes-letsencrypt.

It just added the expiration date back, didn't error.

Oh I see, remove the entire annotation from the secret? Will try that.

from kubernetes-letsencrypt.

Removing it will get you this, but if you put data in there that doesn't match the requested certificates (on your service annotation) reconciliation will be triggered.

from kubernetes-letsencrypt.

I removed all three annotations from the secret and got an error, but it did not regenerate.

from kubernetes-letsencrypt.

Still hasn't renewed :O

from kubernetes-letsencrypt.

Did you set up an annotation with a mismatching list of domains like I suggested?

from kubernetes-letsencrypt.

I still don't know what you mean by "mismatch", could you please provide an example?

from kubernetes-letsencrypt.

Assuming your certificate annotation requests domains for foo.com, bar.com the controller will add an annotation to the secrets that mentions these domains.

If you remove one of the domains from that annotation (on the secret), or add an extra one, they will no longer match what's expected and the reconciliation loop will be forced to run.

from kubernetes-letsencrypt.

Yes I ended up removing all the annotation pieces related to this project from a domain's secret. It still did not renew.

from kubernetes-letsencrypt.

As mentioned here removing the annotation will issue a warning, which is different from a data mismatch.

Earlier versions (before SAN-support was added) did not have this annotation at all, which is why that's not considered an error.

from kubernetes-letsencrypt.

Help me out here: "If you remove one of the domains from that annotation (on the secret), or add an extra one, they will no longer match what's expected and the reconciliation loop will be forced to run."

I removed the annotation, but now you are saying: "As mentioned here removing the annotation will issue a warning, which is different from a data mismatch."

Which is it? Should I be removing (sounds like no) or I should instead just change the domain name?

What if I just delete the secret?

from kubernetes-letsencrypt.

I'm distinguishing between deleting the annotation itself and modifying the contents of the annotation.

Deleting the secret also works, though.

from kubernetes-letsencrypt.

Did you get it to work?

from kubernetes-letsencrypt.