New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unfortunate cert renew handling of 30d < TTL < 90d #3897
Comments
I'd like to throw my voice into this matter when using a slightly modified version of the example config here: https://cert-manager.io/docs/installation/kubernetes/
The above caused the aforementioned renew loop. Fixed using the following config:
We are running 1.3.0 simply deployed using:
|
Thanks for opening the issue! Same issue here on Slack, I was not able to reproduce this then, but seem to be able to reproduce it now with To reproduce follow steps here except for:
After creating the
|
/milestone v1.4 |
Agreed. |
I was able to check that the "hot-looping" is gone! Thank you @irbekrm for your thorough instructions for reproducing the bug. For later reference I recorded all the steps in this gist. Before: 1.3.1 hot-loop ❌E0614 08:25:42.341280 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:42.391172 1 controller.go:158] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:42.440345 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:42 +0000 UTC" "reason"="Renewing"
I0614 08:25:42.440364 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:42.440361669 +0000 UTC m=+86.389069751
E0614 08:25:42.541436 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:42.587701 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-p7452" condition "Approved" to 2021-06-14 08:25:42.587694028 +0000 UTC m=+86.536402120
I0614 08:25:42.595409 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-p7452" condition "Ready" to 2021-06-14 08:25:42.595403257 +0000 UTC m=+86.544111349
E0614 08:25:42.688826 1 controller.go:158] cert-manager/controller/certificaterequests-issuer-vault "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"example-com-p7452\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com-p7452"
I0614 08:25:42.694587 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-p7452" condition "Ready" to 2021-06-14 08:25:42.694582692 +0000 UTC m=+86.643290784
I0614 08:25:42.789970 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:42 +0000 UTC" "reason"="Renewing"
I0614 08:25:42.789990 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:42.789986584 +0000 UTC m=+86.738694676
E0614 08:25:42.889852 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:42.942085 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:42.989094 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-tplcx" condition "Approved" to 2021-06-14 08:25:42.989087615 +0000 UTC m=+86.937795717
I0614 08:25:43.045876 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-tplcx" condition "Ready" to 2021-06-14 08:25:43.045869854 +0000 UTC m=+86.994577956
E0614 08:25:43.191825 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:43.242712 1 controller.go:158] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:43.290881 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:43 +0000 UTC" "reason"="Renewing"
I0614 08:25:43.290897 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:43.29089462 +0000 UTC m=+87.239602712
E0614 08:25:43.390885 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:43.437953 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-lxm6s" condition "Approved" to 2021-06-14 08:25:43.437948137 +0000 UTC m=+87.386656219
I0614 08:25:43.496797 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-lxm6s" condition "Ready" to 2021-06-14 08:25:43.496789742 +0000 UTC m=+87.445497824
I0614 08:25:43.590908 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:43 +0000 UTC" "reason"="Renewing"
I0614 08:25:43.590927 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:43.590925279 +0000 UTC m=+87.539633361
E0614 08:25:43.691141 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:43.741897 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:43.789422 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-z6vfr" condition "Approved" to 2021-06-14 08:25:43.789414562 +0000 UTC m=+87.738122654
E0614 08:25:43.890094 1 controller.go:158] cert-manager/controller/certificaterequests-approver "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"example-com-z6vfr\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com-z6vfr"
I0614 08:25:43.890124 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-z6vfr" condition "Approved" to 2021-06-14 08:25:43.89012009 +0000 UTC m=+87.838828182
I0614 08:25:43.948515 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-z6vfr" condition "Ready" to 2021-06-14 08:25:43.94850995 +0000 UTC m=+87.897218032
I0614 08:25:44.041232 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:43 +0000 UTC" "reason"="Renewing"
I0614 08:25:44.041255 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:44.041250988 +0000 UTC m=+87.989959080
E0614 08:25:44.140873 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:44.190471 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:44.239244 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-stjwx" condition "Approved" to 2021-06-14 08:25:44.239236218 +0000 UTC m=+88.187944330
I0614 08:25:44.293585 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-stjwx" condition "Ready" to 2021-06-14 08:25:44.293580385 +0000 UTC m=+88.242288467
E0614 08:25:44.440544 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:44.492954 1 controller.go:158] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:44.540297 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:44 +0000 UTC" "reason"="Renewing"
I0614 08:25:44.540315 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:44.540312506 +0000 UTC m=+88.489020598
E0614 08:25:44.640953 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:44.687793 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-ndjc2" condition "Approved" to 2021-06-14 08:25:44.687784197 +0000 UTC m=+88.636492309
E0614 08:25:44.787147 1 controller.go:158] cert-manager/controller/certificaterequests-approver "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"example-com-ndjc2\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com-ndjc2"
I0614 08:25:44.787175 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-ndjc2" condition "Approved" to 2021-06-14 08:25:44.787171962 +0000 UTC m=+88.735880054
I0614 08:25:44.845047 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-ndjc2" condition "Ready" to 2021-06-14 08:25:44.845041182 +0000 UTC m=+88.793749264
I0614 08:25:44.939781 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:44 +0000 UTC" "reason"="Renewing"
I0614 08:25:44.939797 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:44.939795375 +0000 UTC m=+88.888503457
E0614 08:25:45.040939 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:45.091132 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:45.138539 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-6zkqg" condition "Approved" to 2021-06-14 08:25:45.138529396 +0000 UTC m=+89.087237498
I0614 08:25:45.195824 1 conditions.go:242] Setting lastTransitionTime for CertificateRequest "example-com-6zkqg" condition "Ready" to 2021-06-14 08:25:45.195817356 +0000 UTC m=+89.144525448
E0614 08:25:45.339247 1 controller.go:158] cert-manager/controller/certificates-issuing "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
E0614 08:25:45.391186 1 controller.go:158] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com"
I0614 08:25:45.440188 1 trigger_controller.go:189] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2021-06-14 08:25:45 +0000 UTC" "reason"="Renewing"
I0614 08:25:45.440208 1 conditions.go:182] Setting lastTransitionTime for Certificate "example-com" condition "Issuing" to 2021-06-14 08:25:45.4402043 +0000 UTC m=+89.388912392
E0614 08:25:45.541499 1 controller.go:158] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"example-com\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/example-com" After: 1.4.0-beta.1 no hot-loop ✅
|
Since I can't reopen the issue #3813, here's a new one:
Despite the code handling certificate TTLs <= 30d, I encountered the renew loop as mentioned in #3813 with cert-manager 1.20, when Vault issues certificates with TTL=30d.
Instead of the current code, renewBefore should be calculated as
min(TTL/3, 30d)
to get a sane renew period for TTLs between 30d and 90d.The text was updated successfully, but these errors were encountered: