Lets Encrypt certificate was renewed, but the secret was not replaced

[matthiasbaldi]

Hello everyone

I created a cluster a while ago with Traefik and cert-manager (with Let's Encrypt certs) and now it should replace the certs for the first time.
Some day I got the warn emails from Let's Encrypt. First I thought that the certs were not renewed but when I checked the cluster resources I saw that it got new secrets, but they are not replaced in the cert settings...

In the cert config they are configured without an ID, the renewed secrets/certs have an ID in their name (see comment below).
Additionally I saw when I describe the secret/certificate, that it is of the type Opaque. I think this should be also of the type kubernetes.io/tls as the old one is.

❯ kubectl -n default get certificates
NAME                   READY   SECRET                 AGE
website-cert         True        website-cert         70d

When I describe the certificate I get

Spec:
  ...
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  website-cert
Status:
  Conditions:
    Last Transition Time:        2020-10-29T18:15:08Z
    Message:                     Certificate is up to date and has not expired
    Reason:                      Ready
    Status:                      True
    Type:                        Ready
    Last Transition Time:        2020-12-28T17:20:06Z
    Message:                     Renewing certificate as renewal was scheduled at 2020-12-28 17:15:06 +0000 UTC
    Reason:                      Renewing
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  website-cert-qdd9f # <------
# this name with the ID would be correct... but may the wrong resource type?
# the old certificate/secret has the name website-cert without any ID in the suffix
  Not After:                     2021-01-27T17:15:06Z
  Not Before:                    2020-10-29T17:15:06Z
  Renewal Time:                  2020-12-28T17:15:06Z
  Revision:                      2
Events:                          <none>

When I look at this I saw that my old cert was called website-cert and not website-cert<-some-hash>.
This is hopefully just a small beginners failure in the configuration for the cert-manager.
Do you have any ideas?

Thank you for your help 🧐

[meyskens]

website-cert<-some-hash> is only used to store the private key while waiting on the certificate to be signed. If you still see that secret it means it isn't fully issued yet might be worth checking https://cert-manager.io/docs/faq/troubleshooting/

[matthiasbaldi]

I had failing challanges. Ty for hint me to that.
After describing them I saw that it have problems to accessing the generated tokens under .well-kown/
It seems that my traefik setup lost somehow the --providers.kubernetesIngress.ingressClass=traefik-cert-manager flag so the matchup between the cert-manager and the ingress did not work as expected.
After fixing that and deleting the old orders, it was able to generate new one's. This time in a valid state.

On one page that worked as described. On an other one the ClusterIssuer is not recreating an order.
Can I just wait until it will recreate a new one?

[matthiasbaldi]

Solved it today by just redeploying it... may there was an issue with the orders because I tried to cleanup them manually.
Now it seems to be up and running again. Ty.