Cert-manager can’t find route53 secret

It seems I did something to delete the original cert-manager Route53 secret; renewals and new certs failed with this error:

error getting route53 secret access key: secrets

For each certificate, cert-manager is trying to get the Route53 secret from the Ingress component's namespace (instead of from the cert-manager namespace). I guess this is the fallback behavior when the secret does not exist in cert-manager's own namespace.

After creating the secret in the cert-manager namespace again, everything worked.

Issuer Not Found

I am guessing this was caused by a hard-to-find copy-paste issue. The certificate was not getting issued because I was using:

cert-manager.io/issuer:

Instead of

cert-manager.io/cluster-issuer:

The Ingress should look like this:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ntfy
  namespace: ntfy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: ntft.cetinich.net.

The symptom was that the CertificateRequest had events showing that:

Referenced "Issuer" not found: issuer.cert-manager.io "letsencrypt-prod" not found
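This kind of annotation mix-up can be caught by comparing each Ingress annotation against the Issuers and ClusterIssuers that actually exist. The following is an added example, not code from the original post or from cert-manager: the function name and the sample objects are constructed, the input is assumed to be shaped like the items of `kubectl get ingress,issuer,clusterissuer -A -o json`, and the `issuer-kind`/`issuer-group` annotations used for external issuers are ignored.

```python
import json

ISSUER = "cert-manager.io/issuer"
CLUSTER_ISSUER = "cert-manager.io/cluster-issuer"

# Constructed sample, shaped like `kubectl get ingress,issuer,clusterissuer -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"}},
  {"kind": "Issuer", "metadata": {"name": "internal-ca", "namespace": "apps"}},
  {"kind": "Ingress", "metadata": {"name": "ntfy", "namespace": "ntfy",
    "annotations": {"cert-manager.io/issuer": "letsencrypt-prod"}}},
  {"kind": "Ingress", "metadata": {"name": "wiki", "namespace": "apps",
    "annotations": {"cert-manager.io/issuer": "internal-ca"}}},
  {"kind": "Ingress", "metadata": {"name": "blog", "namespace": "apps",
    "annotations": {"cert-manager.io/cluster-issuer": "internal-ca"}}}
]}
""")

def check_issuer_annotations(items):
    """Return (ingress, problem) pairs for annotations that cannot resolve."""
    issuers = {(o["metadata"].get("namespace"), o["metadata"]["name"])
               for o in items if o["kind"] == "Issuer"}
    cluster_issuers = {o["metadata"]["name"]
                       for o in items if o["kind"] == "ClusterIssuer"}
    findings = []
    for o in (o for o in items if o["kind"] == "Ingress"):
        meta = o["metadata"]
        ns, ann = meta.get("namespace"), meta.get("annotations") or {}
        where = f"{ns}/{meta['name']}"
        name = ann.get(ISSUER)
        # Issuer is namespaced: it must exist in the Ingress's own namespace.
        if name is not None and (ns, name) not in issuers:
            hint = (f"; a ClusterIssuer named {name!r} exists, use {CLUSTER_ISSUER}"
                    if name in cluster_issuers else "")
            findings.append((where, f'Issuer "{name}" not found in {ns}{hint}'))
        name = ann.get(CLUSTER_ISSUER)
        # ClusterIssuer is cluster-scoped: the name alone must match.
        if name is not None and name not in cluster_issuers:
            hint = (f"; an Issuer named {name!r} exists in {ns}, use {ISSUER}"
                    if (ns, name) in issuers else "")
            findings.append((where, f'ClusterIssuer "{name}" not found{hint}'))
    return findings

if __name__ == "__main__":
    for where, problem in check_issuer_annotations(SAMPLE["items"]):
        print(f"{where}: {problem}")
```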

The cert-manager troubleshooting guide is very useful, kudos to the author.
