Comments (22)
Hey!
We still use this for provisioning certificates without issue. This is not an official Let's Encrypt project though.
Do you receive some sort of error output from the controller?
from kubernetes-letsencrypt.
Nope. Just a lot of Starting reconciliation loop for namespace...
but the certs are not renewing. We have not touched this in a very long time. It was auto renewing until it wasn't :O
I have tried re-deploying the pod but no go.
from kubernetes-letsencrypt.
Whoops didn't mean to close.
from kubernetes-letsencrypt.
Any way to force the certs to renew?
from kubernetes-letsencrypt.
You could create a mismatch in the domain annotation on the existing certs, I'm not sure why it would stop renewing though 🤔
from kubernetes-letsencrypt.
What do you mean mismatch?
from kubernetes-letsencrypt.
I've got three domains in two different clusters that aren't renewing.
from kubernetes-letsencrypt.
I'm wondering if something changed with the library I use for the actual ACME-protocol implementation ... either way the reconciliation loop should still start running and fail further down the line.
Can you check if the acme/expiryDate annotation is present on the secrets?
What do you mean mismatch?
There's an annotation on each Secret that contains the list of domains the certificate was issued for. If you add or remove an entry from that list the controller should want to renew the certificate regardless of the expiration date.
from kubernetes-letsencrypt.
They all have expiration dates far from now. I will try removing them to see what happens.
from kubernetes-letsencrypt.
Removing the expiration dates probably won't help (it may issue warnings), but changing the domain annotation should.
from kubernetes-letsencrypt.
It just added the expiration date back, didn't error.
Oh I see, remove the entire annotation from the secret? Will try that.
from kubernetes-letsencrypt.
Removing it will get you this, but if you put data in there that doesn't match the requested certificates (on your service annotation) reconciliation will be triggered.
from kubernetes-letsencrypt.
I removed all three annotations from the secret and got an error, but it did not regenerate.
from kubernetes-letsencrypt.
Still hasn't renewed :O
from kubernetes-letsencrypt.
Did you set up an annotation with a mismatching list of domains like I suggested?
from kubernetes-letsencrypt.
I still don't know what you mean by "mismatch", could you please provide an example?
from kubernetes-letsencrypt.
Assuming your certificate annotation requests domains for foo.com, bar.com, the controller will add an annotation to the secrets that mentions these domains.
If you remove one of the domains from that annotation (on the secret), or add an extra one, they will no longer match what's expected and the reconciliation loop will be forced to run.
from kubernetes-letsencrypt.
Yes I ended up removing all the annotation pieces related to this project from a domain's secret. It still did not renew.
from kubernetes-letsencrypt.
As mentioned here removing the annotation will issue a warning, which is different from a data mismatch.
Earlier versions (before SAN-support was added) did not have this annotation at all, which is why that's not considered an error.
from kubernetes-letsencrypt.
Help me out here: "If you remove one of the domains from that annotation (on the secret), or add an extra one, they will no longer match what's expected and the reconciliation loop will be forced to run."
I removed the annotation, but now you are saying: "As mentioned here removing the annotation will issue a warning, which is different from a data mismatch."
Which is it? Should I be removing (sounds like no) or I should instead just change the domain name?
What if I just delete the secret?
from kubernetes-letsencrypt.
I'm distinguishing between deleting the annotation itself and modifying the contents of the annotation.
Deleting the secret also works, though.
from kubernetes-letsencrypt.
Did you get it to work?
from kubernetes-letsencrypt.
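The distinction the thread keeps returning to (a deleted annotation versus a modified one, versus a deleted secret) is modelled below as an added example; it is not the controller's code and not part of the original discussion. Assumptions: the domains annotation key is a placeholder because the thread never names it, the domain list is comma-separated, the expiry value is an ISO 8601 timestamp, and the 30-day renewal window is hypothetical.

```python
from datetime import datetime, timedelta

EXPIRY_KEY = "acme/expiryDate"        # annotation name quoted in the thread
DOMAINS_KEY = "<domains-annotation>"  # placeholder: the thread never names this key
RENEW_BEFORE = timedelta(days=30)     # hypothetical renewal window

def parse_domains(value):
    """Assumed format: comma-separated list; order and case are ignored."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}

def decide(requested, secret_annotations, now):
    """Return (action, reason); action is 'issue', 'warn' or 'skip'."""
    if secret_annotations is None:
        # Deleting the whole secret leaves nothing to compare against.
        return ("issue", "secret does not exist")
    recorded = secret_annotations.get(DOMAINS_KEY)
    if recorded is None:
        # Deleted annotation: a warning, which is not the same as a mismatch.
        return ("warn", "domains annotation missing")
    if parse_domains(recorded) != parse_domains(requested):
        # Modified contents: renewal is forced regardless of the expiry date.
        return ("issue", "domain list mismatch")
    expiry = secret_annotations.get(EXPIRY_KEY)
    if expiry is None:
        return ("warn", "expiry annotation missing")
    if datetime.fromisoformat(expiry) - now <= RENEW_BEFORE:
        return ("issue", "certificate near expiry")
    return ("skip", "certificate current")

# Constructed sample data, not taken from a real cluster.
NOW = datetime(2024, 1, 1)
REQUESTED = "foo.com, bar.com"
FAR = "2024-03-15T00:00:00"
CASES = {
    "untouched": {DOMAINS_KEY: "foo.com,bar.com", EXPIRY_KEY: FAR},
    "domain removed": {DOMAINS_KEY: "foo.com", EXPIRY_KEY: FAR},
    "annotation deleted": {EXPIRY_KEY: FAR},
    "all annotations deleted": {},
    "secret deleted": None,
}

if __name__ == "__main__":
    for name, annotations in CASES.items():
        print(f"{name:24} -> {decide(REQUESTED, annotations, NOW)}")
```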