
Most common errors using cert-manager

Most errors in cert-manager surface in the objects it creates, namely Order and Challenge, so start by inspecting their status and events with kubectl describe.

Error with Credentials

Verify that the cloud credentials cert-manager uses are valid, and that the hosted zone of the domain you are requesting a certificate for belongs to the account those credentials authenticate to. An invalid or mistyped key shows up on the Challenge as an InvalidClientTokenId error from Route 53:

...
Status:
  Reason:        Error presenting challenge: failed to change Route 53 record set: InvalidClientTokenId: The security token included in the request is invalid.
  State:         errored
Events:
  Type     Reason        Age                   From          Message
  ----     ------        ----                  ----          -------
  Warning  PresentError  1m (x20 over 1d)  cert-manager  Error presenting challenge: failed to change Route 53 record set: InvalidClientTokenId: The security token included in the request is invalid.

Solving

Read the credential Secret and check each value (replace YOUR_CLOUD with the provider name and VALUE with the key you want to inspect, e.g. access-key); the decoded value must be exactly the key, with no trailing newline:

kubectl get secret vkpr-YOUR_CLOUD-credential -o=jsonpath="{.data.VALUE}" -n vkpr | base64 --decode

Check that the ClusterIssuer points to the correct Let's Encrypt server and that the solver's secret references name the credential Secret and its keys. For a ClusterIssuer, cert-manager reads the Secret from its cluster resource namespace (here the same namespace as in the command above), so a Secret in another namespace is reported as not found:

...
acme:
  email: example@vkpr.com
  preferredChain: ""
  privateKeySecretRef:
    name: letsencrypt-production-key
  server: https://acme-v02.api.letsencrypt.org/directory
  solvers:
    - dns01:
        route53:
          accessKeyIDSecretRef:
            key: access-key
            name: vkpr-aws-credential
          hostedZoneID: ...
          region: us-east-1
          secretAccessKeySecretRef:
            key: secret-key
            name: vkpr-aws-credential
      selector: {}
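The following Python script is an added example, not part of VKPR or cert-manager. It performs the checks above offline on the JSON that kubectl get ... -o json returns: it verifies the ACME server URL, resolves each Route 53 secret reference, base64-decodes the values the same way the kubectl command does, and flags the mistakes behind InvalidClientTokenId (missing key, empty value, a trailing newline left by echo without -n). The sample ClusterIssuer and Secret contents are constructed, and the access-key-ID shape check is a heuristic assumption.

```python
import base64
import re

# Let's Encrypt ACME v2 directory URLs (well-known constants).
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Heuristic shape of an AWS access key ID (20 upper-case alphanumerics):
# an assumption used only as a sanity check, not an AWS guarantee.
AWS_ACCESS_KEY_ID_RE = re.compile(r"^[A-Z0-9]{20}$")


def decode_secret_field(secret, key):
    """Decode secret.data[key], like
    kubectl get secret NAME -o=jsonpath="{.data.KEY}" | base64 --decode."""
    data = secret.get("data", {})
    if key not in data:
        raise KeyError(key)
    return base64.b64decode(data[key]).decode()


def check_issuer(issuer, secrets, expect_production=True):
    """Lint a (Cluster)Issuer against the Secrets it references.

    issuer:  object from `kubectl get clusterissuer NAME -o json`
    secrets: mapping Secret name -> Secret object from the namespace
             cert-manager reads cluster-scoped secrets from
    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    acme = issuer.get("spec", {}).get("acme", {})
    server = acme.get("server")
    if server is None:
        findings.append("spec.acme.server is missing")
    elif server not in (LE_PRODUCTION, LE_STAGING):
        findings.append(f"spec.acme.server is not a Let's Encrypt directory: {server}")
    elif expect_production and server != LE_PRODUCTION:
        findings.append("spec.acme.server points to staging; browsers will not trust it")

    for i, solver in enumerate(acme.get("solvers", [])):
        route53 = solver.get("dns01", {}).get("route53")
        if route53 is None:
            continue  # only the Route 53 solver is linted here
        for field in ("accessKeyIDSecretRef", "secretAccessKeySecretRef"):
            ref = route53.get(field)
            if ref is None:
                findings.append(f"solvers[{i}].dns01.route53.{field} is missing")
                continue
            secret = secrets.get(ref["name"])
            if secret is None:
                findings.append(f"solvers[{i}]: Secret {ref['name']!r} not found")
                continue
            try:
                value = decode_secret_field(secret, ref["key"])
            except KeyError:
                findings.append(f"solvers[{i}]: Secret {ref['name']!r} has no key {ref['key']!r}")
                continue
            where = f"solvers[{i}]: {ref['name']}/{ref['key']}"
            if value != value.strip():
                # Typical cause: `echo VALUE | base64` instead of `echo -n VALUE | base64`;
                # AWS rejects the padded token as InvalidClientTokenId.
                findings.append(f"{where} has leading/trailing whitespace")
            elif not value:
                findings.append(f"{where} is empty")
            elif field == "accessKeyIDSecretRef" and not AWS_ACCESS_KEY_ID_RE.match(value):
                findings.append(f"{where} does not look like an AWS access key ID")
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample objects (not real credentials), shaped like kubectl -o json output.
GOOD_ISSUER = {"spec": {"acme": {"server": LE_PRODUCTION, "solvers": [{"dns01": {"route53": {
    "region": "us-east-1",
    "accessKeyIDSecretRef": {"name": "vkpr-aws-credential", "key": "access-key"},
    "secretAccessKeySecretRef": {"name": "vkpr-aws-credential", "key": "secret-key"},
}}}]}}}
GOOD_SECRETS = {"vkpr-aws-credential": {"data": {
    "access-key": _b64("AKIAEXAMPLEEXAMPLE12"), "secret-key": _b64("not-a-real-secret")}}}
# Trailing newline in the key ID and the secret-key entry missing altogether.
BAD_SECRETS = {"vkpr-aws-credential": {"data": {"access-key": _b64("AKIAEXAMPLEEXAMPLE12\n")}}}

if __name__ == "__main__":
    for label, secrets in (("good", GOOD_SECRETS), ("bad", BAD_SECRETS)):
        print(label, check_issuer(GOOD_ISSUER, secrets) or "OK")
```

To run it against a live cluster, load the issuer with `kubectl get clusterissuer NAME -o json` and the Secrets with `kubectl get secret -n NAMESPACE -o json` (items keyed by metadata.name) and pass them to check_issuer.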

Too many certificates

Occurs when Let's Encrypt has already issued 5 certificates for the exact same set of domains within the last 168 hours (one week). cert-manager keeps retrying and fails the Order each time; the "retry after" timestamp in the error tells you when the next request can succeed. To avoid burning the production quota while debugging, test against the Let's Encrypt staging environment, which has far higher limits.

...
Status:
  Reason:        Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: whoami.test.vkpr.com, retry after 2022-09-01T04:46:38Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
  State:         errored
Events:          <none>
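The following Python helper is an added example, not part of VKPR or cert-manager. It parses the Order's status.reason shown above, confirms it is the ACME rateLimited error, and extracts the domain set, the window and how long to wait before cert-manager's next attempt can succeed. The regular expression is an assumption about the wording of that message, not a published format, and the sample input is the reason string quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"

# Pattern for the duplicate-certificate message quoted above. The grouping is an
# assumption about its wording, not a published ACME format.
DUPLICATE_RE = re.compile(
    r"too many certificates \((?P<count>\d+)\) already issued for this exact set of "
    r"domains in the last (?P<hours>\d+) hours: (?P<domains>.+?), retry after "
    r"(?P<retry>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
)


def parse_rate_limit(reason, now=None):
    """Parse an Order status.reason.

    Returns None unless it is the duplicate-certificate rate limit; otherwise a
    dict with the domain set, the window in hours, the retry timestamp and the
    number of seconds still to wait (0 once the timestamp has passed).
    """
    if RATE_LIMITED not in reason:
        return None
    m = DUPLICATE_RE.search(reason)
    if m is None:
        return None
    retry_at = datetime.strptime(m["retry"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now if now is not None else datetime.now(timezone.utc)
    wait = max(retry_at - now, timedelta(0))
    return {
        "count": int(m["count"]),
        "window_hours": int(m["hours"]),
        "domains": [d.strip() for d in m["domains"].split(",")],
        "retry_at": retry_at,
        "wait_seconds": int(wait.total_seconds()),
    }


# The status.reason from the page, embedded here as a constructed input.
SAMPLE_REASON = (
    "Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating "
    "new order :: too many certificates (5) already issued for this exact set of domains "
    "in the last 168 hours: whoami.test.vkpr.com, retry after 2022-09-01T04:46:38Z: see "
    "https://letsencrypt.org/docs/duplicate-certificate-limit/"
)

if __name__ == "__main__":
    info = parse_rate_limit(SAMPLE_REASON)
    if info:
        print(f"{info['count']} certificates for {info['domains']} in the last "
              f"{info['window_hours']}h; retry after {info['retry_at']:%Y-%m-%d %H:%M} UTC "
              f"({info['wait_seconds']}s from now)")
```

The limit is keyed on the exact set of hostnames, so a Certificate that lists the same dnsNames will keep hitting it until retry_at; switching the ClusterIssuer to the Let's Encrypt staging server while you debug the rest of the setup avoids consuming the production quota.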

Using wrong ClusterIssuer

Check that the ClusterIssuer is configured with the VKPR production option. A certificate obtained from the staging directory is signed by an untrusted test CA, so browsers reject it even though cert-manager reports the Certificate as Ready.


URL used for issuing the certificates:

...
acme:
  email: example@vkpr.com
  preferredChain: ""
  privateKeySecretRef:
    name: letsencrypt-production-key
  server: https://acme-v02.api.letsencrypt.org/directory  ## Production environment
  solvers:
    ...
