No errors shown but it does not seem to be working.
klausrz opened this issue · 2 comments
Hello,
I've been struggling with letsencrypt and cert-manager but no luck. Thankfully, I found your repo.
Thanks a lot for your work.
I have a question. I followed your instructions by configuring env vars, added the label kcert.dev.ingress: "managed" to my ingress and ran kubectl apply -f deploy.yaml. Then I saw no error in the svc/kcert log but it does not seem to be working and I do not know what to check next.
This is the output from svc/kcert
[root@bastionhost kcert]# kl svc/kcert -n kcert
{"EventId":60,"LogLevel":"Warning","Category":"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository","Message":"Storing keys in a directory \u0027/root/.aspnet/DataProtection-Keys\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","State":{"Message":"Storing keys in a directory \u0027/root/.aspnet/DataProtection-Keys\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","path":"/root/.aspnet/DataProtection-Keys","{OriginalFormat}":"Storing keys in a directory \u0027{path}\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed."}}
{"EventId":62,"LogLevel":"Information","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"User profile is available. Using \u0027/root/.aspnet/DataProtection-Keys\u0027 as key repository; keys will not be encrypted at rest.","State":{"Message":"User profile is available. Using \u0027/root/.aspnet/DataProtection-Keys\u0027 as key repository; keys will not be encrypted at rest.","FullName":"/root/.aspnet/DataProtection-Keys","{OriginalFormat}":"User profile is available. Using \u0027{FullName}\u0027 as key repository; keys will not be encrypted at rest."}}
{"EventId":58,"LogLevel":"Information","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"Creating key {9cbf982e-eabf-4d4d-93b9-429717da7667} with creation date 2022-03-17 07:03:16Z, activation date 2022-03-17 07:03:16Z, and expiration date 2022-06-15 07:03:16Z.","State":{"Message":"Creating key {9cbf982e-eabf-4d4d-93b9-429717da7667} with creation date 2022-03-17 07:03:16Z, activation date 2022-03-17 07:03:16Z, and expiration date 2022-06-15 07:03:16Z.","KeyId":"9cbf982e-eabf-4d4d-93b9-429717da7667","CreationDate":"03/17/2022 07:03:16 \u002B00:00","ActivationDate":"03/17/2022 07:03:16 \u002B00:00","ExpirationDate":"06/15/2022 07:03:16 \u002B00:00","{OriginalFormat}":"Creating key {KeyId:B} with creation date {CreationDate:u}, activation date {ActivationDate:u}, and expiration date {ExpirationDate:u}."}}
{"EventId":35,"LogLevel":"Warning","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"No XML encryptor configured. Key {9cbf982e-eabf-4d4d-93b9-429717da7667} may be persisted to storage in unencrypted form.","State":{"Message":"No XML encryptor configured. Key {9cbf982e-eabf-4d4d-93b9-429717da7667} may be persisted to storage in unencrypted form.","KeyId":"9cbf982e-eabf-4d4d-93b9-429717da7667","{OriginalFormat}":"No XML encryptor configured. Key {KeyId:B} may be persisted to storage in unencrypted form."}}
{"EventId":39,"LogLevel":"Information","Category":"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository","Message":"Writing data to file \u0027/root/.aspnet/DataProtection-Keys/key-9cbf982e-eabf-4d4d-93b9-429717da7667.xml\u0027.","State":{"Message":"Writing data to file \u0027/root/.aspnet/DataProtection-Keys/key-9cbf982e-eabf-4d4d-93b9-429717da7667.xml\u0027.","FileName":"/root/.aspnet/DataProtection-Keys/key-9cbf982e-eabf-4d4d-93b9-429717da7667.xml","{OriginalFormat}":"Writing data to file \u0027{FileName}\u0027."}}
{"EventId":14,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Now listening on: http://[::]:80","State":{"Message":"Now listening on: http://[::]:80","address":"http://[::]:80","{OriginalFormat}":"Now listening on: {address}"}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Starting up renewal service.","State":{"Message":"Starting up renewal service.","{OriginalFormat}":"Starting up renewal service."}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Checking for certs that need renewals...","State":{"Message":"Checking for certs that need renewals...","{OriginalFormat}":"Checking for certs that need renewals..."}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.IngressMonitorService","Message":"Watching for ingress changes","State":{"Message":"Watching for ingress changes","{OriginalFormat}":"Watching for ingress changes"}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.K8sClient","Message":"Watching for all ingresses with: kcert.dev/ingress=managed","State":{"Message":"Watching for all ingresses with: kcert.dev/ingress=managed","label":"kcert.dev/ingress=managed","{OriginalFormat}":"Watching for all ingresses with: {label}"}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Application started. Press Ctrl\u002BC to shut down.","State":{"Message":"Application started. Press Ctrl\u002BC to shut down.","{OriginalFormat}":"Application started. Press Ctrl\u002BC to shut down."}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Hosting environment: Production","State":{"Message":"Hosting environment: Production","envName":"Production","{OriginalFormat}":"Hosting environment: {envName}"}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Content root path: /app","State":{"Message":"Content root path: /app","contentRoot":"/app","{OriginalFormat}":"Content root path: {contentRoot}"}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Renewal check completed.","State":{"Message":"Renewal check completed.","{OriginalFormat}":"Renewal check completed."}}
{"EventId":0,"LogLevel":"Information","Category":"KCert.Services.RenewalService","Message":"Sleeping for 06:00:00","State":{"Message":"Sleeping for 06:00:00","renewalTime":"06:00:00","{OriginalFormat}":"Sleeping for {renewalTime}"}}
This is the output from ingress-nginx
W0317 07:38:02.623938 8 controller.go:1306] Error getting SSL certificate "default/echo1-tls": local SSL certificate default/echo1-tls was not found. Using default certificate
I0317 07:38:02.658305 8 admission.go:149] processed ingress via admission controller {testedIngressLength:1 testedIngressTime:0.035s renderingIngressLength:1 renderingIngressTime:0s admissionTime:18.0kBs testedConfigurationSize:0.035}
I0317 07:38:02.658334 8 main.go:101] "successfully validated configuration, accepting" ingress="default/echo-ingress"
W0317 07:38:02.663518 8 backend_ssl.go:45] Error obtaining X.509 certificate: no object matching key "default/echo1-tls" in local store
W0317 07:38:02.663632 8 controller.go:1306] Error getting SSL certificate "default/echo1-tls": local SSL certificate default/echo1-tls was not found. Using default certificate
I0317 07:38:02.663690 8 controller.go:155] "Configuration changes detected, backend reload required"
I0317 07:38:02.663955 8 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"echo-ingress", UID:"040e7faa-237a-41c9-968c-92f399f5ab4b", APIVersion:"networking.k8s.io/v1", ResourceVersion:"72353653", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0317 07:38:02.725071 8 controller.go:172] "Backend successfully reloaded"
I0317 07:38:02.725316 8 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-9f48f5d74-gjsjk", UID:"30c2ebd3-6949-4f72-943b-7a18ae7486e4", APIVersion:"v1", ResourceVersion:"70160961", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
This is my ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-ingress
  labels:
    kcert.dev.ingress: "managed"
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - echo1.utotech.vn
    secretName: echo1-tls
  rules:
  - host: echo1.utotech.vn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: echo1
            port:
              number: 80
It seems the certificate has not been issued yet.
Is there something I'm missing?
Thanks.
I made it.
There was a typo in my ingress
Mine was kcert.dev.ingress: "managed" instead of kcert.dev/ingress: "managed"
It works.
Again, thanks a lot for your work.
I'm glad it worked out!
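Added example, not part of the thread or of KCert's own code: a check that reads the label selector from the controller's "Watching for all ingresses with" log line and compares it with an Ingress's labels, reporting a near-miss such as the `.` versus `/` key above instead of failing silently. The function names are hypothetical, the inputs are constructed from the log line and manifest in this thread, and the Ingress object is assumed to have the shape returned by `kubectl get ingress -o json`.

```python
import json
import re

# Constructed sample inputs, shortened from the log line and manifest in this thread.
KCERT_LOG_LINE = json.dumps({
    "Category": "KCert.Services.K8sClient",
    "Message": "Watching for all ingresses with: kcert.dev/ingress=managed",
    "State": {"label": "kcert.dev/ingress=managed"},
})
INGRESS = {
    "metadata": {"name": "echo-ingress", "namespace": "default",
                 "labels": {"kcert.dev.ingress": "managed"}},
}

def watched_selector(log_line):
    """Return (key, value) of the equality selector the controller logged."""
    state = json.loads(log_line).get("State", {})
    key, sep, value = state.get("label", "").partition("=")
    if not sep or not key:
        raise ValueError("log line carries no key=value label selector")
    return key, value

def _squash(key):
    # Compare keys with separators removed so '.' vs '/' typos collide.
    return re.sub(r"[^a-z0-9]", "", key.lower())

def check_ingress(ingress, selector):
    """Classify an ingress as 'match', 'near-miss' or 'no-label'."""
    key, value = selector
    labels = ingress.get("metadata", {}).get("labels") or {}
    if labels.get(key) == value:
        return "match", None
    for have_key, have_value in labels.items():
        if _squash(have_key) == _squash(key):
            return "near-miss", f"{have_key}={have_value}"
    return "no-label", None

if __name__ == "__main__":
    sel = watched_selector(KCERT_LOG_LINE)
    status, found = check_ingress(INGRESS, sel)
    print(f"selector {sel[0]}={sel[1]}: {status}" + (f" (found {found})" if found else ""))
```

A "near-miss" result means the Ingress is never picked up by the watch, so no certificate secret is created and ingress-nginx keeps serving its default certificate, as in the controller log above.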