nabsul/kcert

No errors shown but it does not seem to be working.

klausrz opened this issue · 2 comments

Hello,

I've been struggling with letsencrypt and cert-manager but no luck. Thankfully, I found your repo.
Thanks a lot for your work.

I have a question. I followed your instructions by configuring env vars, added the label kcert.dev.ingress: "managed" to my ingress and ran kubectl apply -f deploy.yaml. Then I saw no error in the svc/kcert log but it does not seem to be working and I do not know what to check next.

This is the output from svc/kcert

[root@bastionhost kcert]# kl svc/kcert -n kcert
{"EventId":60,"LogLevel":"Warning","Category":"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository","Message":"Storing keys in a directory \u0027/root/.aspnet/DataProtection-Keys\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","State":{"Message":"Storing keys in a directory \u0027/root/.aspnet/DataProtection-Keys\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","path":"/root/.aspnet/DataProtection-Keys","{OriginalFormat}":"Storing keys in a directory \u0027{path}\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed."}}
{"EventId":62,"LogLevel":"Information","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"User profile is available. Using \u0027/root/.aspnet/DataProtection-Keys\u0027 as key repository; keys will not be encrypted at rest.","State":{"Message":"User profile is available. Using \u0027/root/.aspnet/DataProtection-Keys\u0027 as key repository; keys will not be encrypted at rest.","FullName":"/root/.aspnet/DataProtection-Keys","{OriginalFormat}":"User profile is available. Using \u0027{FullName}\u0027 as key repository; keys will not be encrypted at rest."}}
{"EventId":58,"LogLevel":"Information","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"Creating key {9cbf982e-eabf-4d4d-93b9-429717da7667} with creation date 2022-03-17 07:03:16Z, activation date 2022-03-17 07:03:16Z, and expiration date 2022-06-15 07:03:16Z.","State":{"Message":"Creating key {9cbf982e-eabf-4d4d-93b9-429717da7667} with creation date 2022-03-17 07:03:16Z, activation date 2022-03-17 07:03:16Z, and expiration date 2022-06-15 07:03:16Z.","KeyId":"9cbf982e-eabf-4d4d-93b9-429717da7667","CreationDate":"03/17/2022 07:03:16 \u002B00:00","ActivationDate":"03/17/2022 07:03:16 \u002B00:00","ExpirationDate":"06/15/2022 07:03:16 \u002B00:00","{OriginalFormat}":"Creating key {KeyId:B} with creation date {CreationDate:u}, activation date {ActivationDate:u}, and expiration date {ExpirationDate:u}."}}
{"EventId":35,"LogLevel":"Warning","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"No XML encryptor configured. Key {9cbf982e-eabf-4d4d-93b9-429717da7667} may be persisted to storage in unencrypted form.","State":{"Message":"No XML encryptor configured. Key {9cbf982e-eabf-4d4d-93b9-429717da7667} may be persisted to storage in unencrypted form.","KeyId":"9cbf982e-eabf-4d4d-93b9-429717da7667","{OriginalFormat}":"No XML encryptor configured. Key {KeyId:B} may be persisted to storage in unencrypted form."}}
{"EventId":39,"LogLevel":"Information","Category":"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository","Message":"Writing data to file \u0027/root/.aspnet/DataProtection-Keys/key-9cbf982e-eabf-4d4d-93b9-429717da7667.xml\u0027.","State":{"Message":"Writing data to file \u0027/root/.aspnet/DataProtection-Keys/key-9cbf982e-eabf-4d4d-93b9-429717da7667.xml\u0027.","FileName":"/root/.aspnet/DataProtection-Keys/key-9cbf982e-eabf-4d4d-93b9-429717da7667.xml","{OriginalFormat}":"Writing data to file \u0027{FileName}\u0027."}}
{"EventId":14,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Now listening on: http://[::]:80","State":{"Message":"Now listening on: http://[::]:80","address":"http://[::]:80","{OriginalFormat}":"Now listening on: {address}"}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Starting up renewal service.","State":{"Message":"Starting up renewal service.","{OriginalFormat}":"Starting up renewal service."}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Checking for certs that need renewals...","State":{"Message":"Checking for certs that need renewals...","{OriginalFormat}":"Checking for certs that need renewals..."}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.IngressMonitorService","Message":"Watching for ingress changes","State":{"Message":"Watching for ingress changes","{OriginalFormat}":"Watching for ingress changes"}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.K8sClient","Message":"Watching for all ingresses with: kcert.dev/ingress=managed","State":{"Message":"Watching for all ingresses with: kcert.dev/ingress=managed","label":"kcert.dev/ingress=managed","{OriginalFormat}":"Watching for all ingresses with: {label}"}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Application started. Press Ctrl\u002BC to shut down.","State":{"Message":"Application started. Press Ctrl\u002BC to shut down.","{OriginalFormat}":"Application started. Press Ctrl\u002BC to shut down."}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Hosting environment: Production","State":{"Message":"Hosting environment: Production","envName":"Production","{OriginalFormat}":"Hosting environment: {envName}"}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Content root path: /app","State":{"Message":"Content root path: /app","contentRoot":"/app","{OriginalFormat}":"Content root path: {contentRoot}"}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Renewal check completed.","State":{"Message":"Renewal check completed.","{OriginalFormat}":"Renewal check completed."}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Sleeping for 06:00:00","State":{"Message":"Sleeping for 06:00:00","renewalTime":"06:00:00","{OriginalFormat}":"Sleeping for {renewalTime}"}}

This is the output from ingress-nginx

W0317 07:38:02.623938       8 controller.go:1306] Error getting SSL certificate "default/echo1-tls": local SSL certificate default/echo1-tls was not found. Using default certificate
I0317 07:38:02.658305       8 admission.go:149] processed ingress via admission controller {testedIngressLength:1 testedIngressTime:0.035s renderingIngressLength:1 renderingIngressTime:0s admissionTime:18.0kBs testedConfigurationSize:0.035}
I0317 07:38:02.658334       8 main.go:101] "successfully validated configuration, accepting" ingress="default/echo-ingress"
W0317 07:38:02.663518       8 backend_ssl.go:45] Error obtaining X.509 certificate: no object matching key "default/echo1-tls" in local store
W0317 07:38:02.663632       8 controller.go:1306] Error getting SSL certificate "default/echo1-tls": local SSL certificate default/echo1-tls was not found. Using default certificate
I0317 07:38:02.663690       8 controller.go:155] "Configuration changes detected, backend reload required"
I0317 07:38:02.663955       8 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"echo-ingress", UID:"040e7faa-237a-41c9-968c-92f399f5ab4b", APIVersion:"networking.k8s.io/v1", ResourceVersion:"72353653", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0317 07:38:02.725071       8 controller.go:172] "Backend successfully reloaded"
I0317 07:38:02.725316       8 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-9f48f5d74-gjsjk", UID:"30c2ebd3-6949-4f72-943b-7a18ae7486e4", APIVersion:"v1", ResourceVersion:"70160961", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration

This is my ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-ingress
  labels:
    kcert.dev.ingress: "managed"
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - echo1.utotech.vn
    secretName: echo1-tls
  rules:
  - host: echo1.utotech.vn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: echo1
            port:
              number: 80

It seems the certificate has not been issued yet.
Is there something I'm missing?

Thanks.

I made it.
There was a typo in my ingress

Mine was kcert.dev.ingress: "managed" instead of kcert.dev/ingress: "managed"

It works.
Again. Thanks a lot for your work.

I'm glad it worked out!
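
Added example, not part of the issue thread or of kcert's own code: a label-selector watch that matches nothing logs no error, so this check audits ingress objects against the selector shown in the kcert log and reports ingresses that declare TLS but are not selected. The sample input is constructed from the manifest above; `audit_ingresses`, `_squash` and the `echo-fixed` ingress are hypothetical names.

```python
import json
import re

# Selector copied from the kcert log line "Watching for all ingresses with: ..."
WATCHED_KEY, WATCHED_VALUE = "kcert.dev/ingress", "managed"

# Constructed sample in the shape of `kubectl get ingress -A -o json`;
# "echo-fixed" is a made-up second ingress that carries the correct label.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "echo-ingress", "namespace": "default",
                "labels": {"kcert.dev.ingress": "managed"}},
   "spec": {"tls": [{"hosts": ["echo1.utotech.vn"], "secretName": "echo1-tls"}]}},
  {"metadata": {"name": "echo-fixed", "namespace": "default",
                "labels": {"kcert.dev/ingress": "managed"}},
   "spec": {"tls": [{"hosts": ["echo1.utotech.vn"], "secretName": "echo1-tls"}]}}
]}
""")

def _squash(s):
    # Drop separators so '.', '/', '-' and '_' variants of a key compare equal.
    return re.sub(r"[^a-z0-9]", "", s.lower())

def audit_ingresses(ingress_list, key=WATCHED_KEY, value=WATCHED_VALUE):
    """Return (selected, findings): ingresses the selector matches, and
    (ingress, reason) pairs for ingresses with TLS that it does not match."""
    selected, findings = [], []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        labels = meta.get("labels") or {}
        if labels.get(key) == value:
            selected.append(ident)
        elif not item.get("spec", {}).get("tls"):
            continue  # no TLS section, nothing for a cert controller to do
        elif key in labels:
            findings.append((ident, f"label {key} has value {labels[key]!r}, expected {value!r}"))
        elif key in (meta.get("annotations") or {}):
            findings.append((ident, f"{key} is an annotation; the selector only matches labels"))
        else:
            near = [k for k in labels if _squash(k) == _squash(key)]
            reason = (f"label key {near[0]!r} looks like a typo of {key!r}" if near
                      else f"TLS configured but label {key}={value} is missing")
            findings.append((ident, reason))
    return selected, findings

if __name__ == "__main__":
    selected, findings = audit_ingresses(SAMPLE)
    print("selected:", selected)
    for ident, reason in findings:
        print("NOT WATCHED:", ident, "-", reason)
```

To run it against a live cluster, pass the parsed output of `kubectl get ingress -A -o json` instead of `SAMPLE`.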