New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recognise finalized ACME Orders and gracefully recover by updating the Order's status when they are already in a "valid" state #2765
Comments
I'm also seeing this same error for the http01 resolver and using a single domain. https://community.letsencrypt.org/t/orders-status-valid-is-not-acceptable-for-finalization/103419 suggests that everything is fine, but cert-manager isn't handling it properly. |
This should only happen if cert-manager has a cached We could definitely look at trying to handle this better, e.g. by updating the Order's status to reflect the current state of the Order to allow for a later reconciliation to fetch the already issued certificate. I'm interested to understand what has caused this case to come up in the first place however - it shouldn't really occur unless a previous attempt to finalize the Order succeeded but updating the Order's status to reflect this change failed. We could also consider using a PATCH instead of an UPDATE operation on the Order resource to try and avoid this case. Can you see any logs that might indicate this has happened, and if so, any ideas what could cause it? Are you running multiple instances of cert-manager at once, or anything like that? |
@munnerz I have seen this, too. I believe it is due to #2741. It appears that cert-manger is using some kind of hash of the SANs to use to name the CertificateRequest and Order; in any case, if you delete and re-create a certificate, the re-created CertificateRequest, Order, and Challenge all get the same names they had before. I do not have the sequence exactly nailed down, but it goes something like this:
That does not seem exactly right to me, as I do not know all the details about how cert-manager processing works, but I think it is something like that. The key being that you can easily create duplicate orders. |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale |
We observed exactly the same issue with v1.6.1 when we tried to renew the certificate with We have recovered from this by deleting the certificate resource and issuing the renew command again. |
Issues go stale after 90d of inactivity. |
This should have been fixed in cert-manager v1.7, see #4697 |
Describe the bug:
A clear and concise description of what the bug is.
I got:
Looks similiar as one old bug: #758
Expected behaviour:
Order should be completed
Steps to reproduce the bug:
after cert manager 0.14.1 is installed with helm. create cluster issuer with dns01 resolver and using route53 to generate a cert for *.domain.com
Anything else we need to know?:
It works well for single domain name like for
a.domain.com
, and. i specified dns01 with route53 as the only resolver in cluster issuer.Environment details::
/kind bug
The text was updated successfully, but these errors were encountered: