voyagermesh/voyager

Certificate renewal bugged

Simon3 opened this issue · 2 comments

Running Voyager v12.0.0, my certificate (created 541 days ago) didn't renew, and even after restarting the voyager-operator pod, renewal doesn't work, as you can see below.
Actually, I have the exact same problem even when creating a new certificate, which is really problematic.

Logs of voyager-operator after a pod restart (so it is NOT solved by PR 1486):

2020/07/23 08:56:34 [INFO] [] acme: Trying renewal with -50 hours remaining
2020/07/23 08:56:34 [INFO] [svcacc.icure.cloud] acme: Obtaining bundled SAN certificate
2020/07/23 08:56:35 [INFO] [svcacc.icure.cloud] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6058045104
2020/07/23 08:56:35 [INFO] [svcacc.icure.cloud] acme: Could not find solver for: http-01
2020/07/23 08:56:35 [INFO] [svcacc.icure.cloud] acme: Preparing to solve DNS-01
2020/07/23 08:56:35 [INFO] [svcacc.icure.cloud] acme: Trying to solve DNS-01
2020/07/23 08:56:35 [INFO] [svcacc.icure.cloud] Checking DNS record propagation using [10.31.240.10:53]
2020/07/23 08:56:35 [INFO] Wait [timeout: 1m0s, interval: 2s]

Certificate description after above events:

Name:         wildcard-svcacc-icure-cloud
Namespace:    icure
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"voyager.appscode.com/v1beta1","kind":"Certificate","metadata":{"annotations":{},"name":"wildcard-svcacc-icure-cloud","names...
API Version:  voyager.appscode.com/v1beta1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-01-28T11:13:30Z
  Generation:          1
  Resource Version:    147551247
  Self Link:           /apis/voyager.appscode.com/v1beta1/namespaces/icure/certificates/wildcard-svcacc-icure-cloud
  UID:                 be6ff4ff-22ed-11e9-91e8-42010a840024
Spec:
  Acme User Secret Name:  acme-account
  Challenge Provider:
    Dns:
      Credential Secret Name:  voyager-ovh
      Provider:                ovh
  Domains:
    *.svcacc.icure.cloud
Status:
  Conditions:
    Last Update Time:  2020-04-22T06:02:38Z
    Type:              Issued
    Last Update Time:  2020-07-23T08:56:09Z
    Reason:            acme: Error -> One or more domains had a problem:
[svcacc.icure.cloud] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.svcacc.icure.cloud

    Type:  Failed
  Last Issued Certificate:
    Cert Stable URL:  https://acme-v02.api.letsencrypt.org/acme/cert/04080086d14c581e250ffdaa673eedb586ce
    Cert URL:         https://acme-v02.api.letsencrypt.org/acme/cert/04080086d14c581e250ffdaa673eedb586ce
    Not After:        2020-07-21T05:02:37Z
    Not Before:       2020-04-22T05:02:37Z
    Serial Number:    351172102675259756599049432585940917126862
Events:
  Type    Reason           Age   From              Message
  ----    ------           ----  ----              -------
  Normal  IssueSuccessful  50m   voyager-operator  Successfully renewed certificate
  Normal  IssueSuccessful  50m   voyager-operator  Successfully issued certificate
  Normal  IssueSuccessful  45m   voyager-operator  Successfully renewed certificate

You can see above that the "Not After" field is still outdated, and no secret was created.
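The contradiction in the report (IssueSuccessful events and a "Successfully renewed" log line, while the last issued certificate is already expired and the newest condition is Failed) is exactly what a monitoring check should catch instead of trusting the operator's events. The following is an added example, not Voyager code; it reads the Certificate status in the JSON shape `kubectl get certificate -o json` would return (camelCase keys reconstructed from the describe output above are an assumption) and parses the renewal-margin log line, using the values from this issue as constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed from the `kubectl describe certificate` output in this issue.
# The camelCase key names are an assumption about the v1beta1 JSON form.
SAMPLE_CERT = {
    "metadata": {"name": "wildcard-svcacc-icure-cloud", "namespace": "icure"},
    "status": {
        "conditions": [
            {"lastUpdateTime": "2020-04-22T06:02:38Z", "type": "Issued"},
            {"lastUpdateTime": "2020-07-23T08:56:09Z", "type": "Failed",
             "reason": "acme: Error -> One or more domains had a problem:\n"
                       "[svcacc.icure.cloud] acme: Error 403 - "
                       "urn:ietf:params:acme:error:unauthorized - "
                       "No TXT record found at _acme-challenge.svcacc.icure.cloud"},
        ],
        "lastIssuedCertificate": {
            "notBefore": "2020-04-22T05:02:37Z",
            "notAfter": "2020-07-21T05:02:37Z",
        },
    },
}

RENEWAL_RE = re.compile(r"acme: Trying renewal with (-?\d+) hours remaining")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_certificate(cert, now):
    """Return what an alert should carry: hours left on the last issued
    certificate (negative once expired) and whether the newest condition
    is Failed, with the last line of its reason (the ACME error)."""
    status = cert.get("status", {})
    not_after = parse_ts(status["lastIssuedCertificate"]["notAfter"])
    hours_left = (not_after - now).total_seconds() / 3600
    newest = max(status.get("conditions", []),
                 key=lambda c: parse_ts(c["lastUpdateTime"]), default=None)
    failed = newest is not None and newest.get("type") == "Failed"
    reason = newest.get("reason", "").splitlines()[-1] if failed else ""
    return {"hours_left": hours_left, "expired": hours_left <= 0,
            "failed": failed, "reason": reason}

def log_hours_remaining(line):
    """Extract the renewal margin from an operator log line; a negative
    value means the operator is retrying a certificate that already lapsed."""
    m = RENEWAL_RE.search(line)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    now = parse_ts("2020-07-23T08:56:35Z")  # timestamp of the log excerpt
    print(check_certificate(SAMPLE_CERT, now))
    print(log_hours_remaining("2020/07/23 08:56:34 [INFO] [] acme: Trying renewal with -50 hours remaining"))
```

Run against the issue's data it reports the certificate as expired for roughly 52 hours with the newest condition Failed on the missing TXT record, which is the signal to page on regardless of the IssueSuccessful events.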

Should mainly be fixed by #1531 and #1535 should help too.

Voyager now uses cert-manager for certificate management.