Kong Ingress saying error fetching certificate even though it's there

I’m trying to enable SSL on my Kong Ingress. I’m following this guide.

I installed Kong in my bare metal cluster. My Kong CRDs are in the kong namespace. I created my Kong ingress in a separate namespace, test.

I was able to get cert-manager installed using the tutorial above. Now, when I opened the logs of my Kong ingress controller, I am seeing the error below:

I0725 19:00:16.046058 1 election.go:60] starting leader election session 1
I0725 19:00:16.046097 1 leaderelection.go:242] attempting to acquire leader lease kong/ingress-controller-leader-kong-test…
E0725 19:00:16.048105 1 parser.go:1337] error fetching certificate ‘test/api-test-gozhere-com’: Secret test/api-test-gozhere-com not found
I0725 19:00:16.195498 1 kong.go:81] successfully synced configuration to Kong
I0725 19:00:16.398431 1 status.go:203] new leader elected: ingress-kong-test-6fd9469bf5-dwhx9
E0725 19:00:25.736305 1 parser.go:1337] error fetching certificate ‘test/api-test-gozhere-com’: Secret test/api-test-gozhere-com not found
I0725 19:00:25.741045 1 kong.go:68] no configuration change, skipping sync to Kong
E0725 19:00:29.070173 1 parser.go:1337] error fetching certificate ‘test/api-test-gozhere-com’: Secret test/api-test-gozhere-com not found
I0725 19:00:29.075011 1 kong.go:68] no configuration change, skipping sync to Kong
I0725 19:00:51.264473 1 leaderelection.go:252] successfully acquired lease kong/ingress-controller-leader-kong-test
I0725 19:00:51.265097 1 status.go:203] new leader elected: ingress-kong-test-6fd9469bf5-xtq6r
E0725 19:00:51.267270 1 parser.go:1337] error fetching certificate ‘test/api-test-gozhere-com’: Secret test/api-test-gozhere-com not found

Why is the Kong ingress controller (sitting in the kong namespace) complaining that the test/api-test-gozhere-com certificate/secret is not found?

I went to test namespace and I can see the secret created. Now I went to test namespace and I could see the certificate created, but I’m getting the 2 conditions below. How is it saying secret does not exist even though I can see it?

certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  creationTimestamp: '2020-07-25T19:13:38Z'
  generation: 1
  name: api-test-gozhere-com
  namespace: test
  ownerReferences:
    - apiVersion: extensions/v1beta1
      blockOwnerDeletion: true
      controller: true
      kind: Ingress
      name: ingress-service-test
      uid: f59f0b05-7b30-4ede-b9f5-16ffdc10dfc5
  resourceVersion: '67670629'
  selfLink: >-
    /apis/cert-manager.io/v1alpha2/namespaces/test/certificates/api-test-gozhere-com
  uid: ae7567b3-0913-4eaa-bd87-a66d5f5b4518
spec:
  dnsNames:
    - xxx.xxx.xxxxxxx.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-staging
  secretName: api-test-gozhere-com
status:
  conditions:
    - lastTransitionTime: '2020-07-25T19:13:38Z'
      message: Issuing certificate as Secret does not exist
      reason: DoesNotExist
      status: 'False'
      type: Ready
    - lastTransitionTime: '2020-07-25T19:13:39Z'
      message: Issuing certificate as Secret does not exist
      reason: DoesNotExist
      status: 'True'
      type: Issuing
  nextPrivateKeySecretName: api-test-gozhere-com-gqwd6

secret

kind: Secret
apiVersion: v1
metadata:
  name: api-test-gozhere-com-gqwd6
  generateName: api-test-gozhere-com-
  namespace: test
  selfLink: /api/v1/namespaces/test/secrets/api-test-gozhere-com-gqwd6
  uid: 47472310-88db-4810-8d10-0eb00c2e7a74
  resourceVersion: '67670626'
  creationTimestamp: '2020-07-25T19:13:40Z'
  labels:
    cert-manager.io/next-private-key: 'true'
  ownerReferences:
    - apiVersion: cert-manager.io/v1alpha2
      kind: Certificate
      name: api-test-gozhere-com
      uid: ae7567b3-0913-4eaa-bd87-a66d5f5b4518
      controller: true
      blockOwnerDeletion: true
data:
  tls.key: >-
    xxxxxxxxxxxxxxxxx
type: Opaque

test/api-test-gozhere-com is the name of the cert-manager Certificate object, whereas the actual secret is test/api-test-gozhere-com-gqwd6

What I’m not entirely sure of is how that’s happening. The Secret has generateName: api-test-gozhere-com-, so that’s why it has that random suffix, but I’m not sure why cert-manager added it. My own cert-manager-managed certs don’t have the same in their Secrets. Can you check with the cert-manager team to see if they know when those generated Secret names are used/if there’s any way to toggle that behavior off?


I have the same issue with the secret; this has been generated:

kind: Secret
apiVersion: v1
metadata:
  name: webpage-cl-cert-fglpn
  generateName: webpage-cl-cert-
  namespace: test
  labels:
    cert-manager.io/next-private-key: 'true'
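
Added example (not part of the original thread, and not Kong's or cert-manager's code): a Python check over objects shaped like `kubectl get ... -o json` output that compares the Secret named in the Certificate's `spec.secretName`, which is the name in the controller's error, with the one named in `status.nextPrivateKeySecretName`. The sample data is constructed from the manifests quoted in the posts above; the function name `diagnose` and its verdict strings are assumptions of this example.

```python
# Added example: offline diagnosis over objects shaped like `kubectl get ... -o json`.
# Sample data is constructed from the manifests quoted in this thread (trimmed).
CERTIFICATE = {
    "metadata": {"name": "api-test-gozhere-com", "namespace": "test"},
    "spec": {"secretName": "api-test-gozhere-com"},
    "status": {
        "conditions": [
            {"type": "Ready", "status": "False", "reason": "DoesNotExist"},
            {"type": "Issuing", "status": "True", "reason": "DoesNotExist"},
        ],
        "nextPrivateKeySecretName": "api-test-gozhere-com-gqwd6",
    },
}
SECRETS = [{
    "metadata": {"name": "api-test-gozhere-com-gqwd6", "namespace": "test",
                 "labels": {"cert-manager.io/next-private-key": "true"}},
    "type": "Opaque",
    "data": {"tls.key": "xxxxxxxxxxxxxxxxx"},
}]


def diagnose(cert, secrets):
    """Return (verdict, detail) for the Secret the Ingress TLS section refers to."""
    ns = cert["metadata"]["namespace"]
    wanted = cert["spec"]["secretName"]          # name the controller looks up
    status = cert.get("status", {})
    conds = {c["type"]: c["status"] for c in status.get("conditions", [])}
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace") == ns}
    target = by_name.get(wanted)
    if target is not None:
        missing = [k for k in ("tls.crt", "tls.key") if k not in target.get("data", {})]
        if missing:
            return "incomplete", f"{ns}/{wanted} lacks {', '.join(missing)}"
        if conds.get("Ready") == "True":
            return "ready", f"{ns}/{wanted} holds a key pair and the Certificate is Ready"
        return "not-ready", f"{ns}/{wanted} exists but Ready={conds.get('Ready')}"
    pending = status.get("nextPrivateKeySecretName")
    temp = by_name.get(pending)
    labels = temp["metadata"].get("labels", {}) if temp else {}
    if labels.get("cert-manager.io/next-private-key") == "true":
        return "issuing", (f"{ns}/{wanted} not created yet; {ns}/{pending} holds only "
                           f"the next private key (Issuing={conds.get('Issuing')})")
    return "missing", f"{ns}/{wanted} not found and no pending key Secret is referenced"


if __name__ == "__main__":
    print(diagnose(CERTIFICATE, SECRETS))
```

For the data in this thread the verdict is `issuing`: the Secret that exists is the suffixed one carrying only `tls.key`, while the Certificate still reports `Ready: 'False'`.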
