No tls.crt on certificate secret

Time:05-31

I am creating a ClusterIssuer and a Certificate. However, there is no tls.crt on the secret! What am I doing wrong?

The ClusterIssuer looks like it is running fine, but neither of the keys has the crt.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-myapp-clusterissuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: wildcard-myapp-com
    solvers:
      - dns01:
          cloudDNS:
            serviceAccountSecretRef:
              name: clouddns-service-account
              key: dns-service-account.json
            project: app
        selector:
          dnsNames:
            - '*.myapp.com'
            - myapp.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-com-tls
  namespace: cert-manager
spec:
  secretName: myapp-com-tls
  issuerRef:
    name: letsencrypt-myapp-issuer
    kind: ClusterIssuer
  commonName: '*.myapp.com'
  dnsNames:
    - 'myapp.com'
    - '*.myapp.com'


CodePudding user response:

With the information provided it is very hard to troubleshoot this; you could be hitting this bug.

You can start troubleshooting this kind of issue by following this procedure:

  1. Get the certificate request name:
kubectl -n <namespace> describe certificate myapp-com-tls
...
Created new CertificateRequest resource "myapp-com-tls-xxxxxxx"
  2. The request will generate an order; get the order name with the command:
kubectl -n <namespace> describe certificaterequests myapp-com-tls-xxxxxxx
...
Created Order resource <namespace>/myapp-com-tls-xxxxxxx-xxxxx
  3. The order will generate a challenge resource; get that with:
kubectl -n <namespace> describe order myapp-com-tls-xxxxxxx-xxxxx
...
Created Challenge resource "myapp-com-tls-xxxxxxx-xxxxx-xxxxx" for domain "yourdomain.com"
  4. Finally, with the challenge name, you can get the status of the validation for your certificate:
kubectl -n <namespace> describe challenges myapp-com-tls-xxxxxxx-xxxxx-xxxxx
...
  Reason:      Successfully authorized domain
...
  Normal  Started         2m45s  cert-manager  Challenge scheduled for processing
  Normal  Presented       2m45s  cert-manager  Presented challenge using http-01 challenge mechanism
  Normal  DomainVerified  2m22s  cert-manager  Domain "yourdomain.com" verified with "http-01" validation

If the status of the challenge is other than DomainVerified, then something went wrong while requesting the certificate from Let's Encrypt, and you will see a reason in the output.
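The four-step chase in the answer above, wrapped into a script as an added example (not code from the answer or from cert-manager): it parses the "Created ... resource" event lines that `kubectl describe` prints and assumes kubectl is on PATH and pointed at the cluster.

```shell
#!/bin/sh
# Added example (not part of the original answer): follow the cert-manager chain
# Certificate -> CertificateRequest -> Order -> Challenge(s) by parsing the
# "Created ... resource" event lines that `kubectl describe` prints.
# Assumes kubectl is on PATH and already pointed at the right cluster.

# Read `kubectl describe` output on stdin and print the names of the child
# resources of the given kind ("CertificateRequest", "Order" or "Challenge"),
# one per line, without the surrounding quotes or the namespace/ prefix.
child_name() {
  kind="$1"
  sed -n "s/.*Created \(new \)\{0,1\}${kind} resource \"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\2/p" \
    | sed 's#.*/##'
}

# Walk the chain for one Certificate and describe every Challenge it produced.
# If the chain stops early, the resource named in the message is the one whose
# conditions and events explain why. The Certificate in the question, for
# instance, uses an issuerRef name that differs from the ClusterIssuer's
# metadata.name, which is the first thing to check when no Order ever appears.
trace_cert() {
  ns="$1"; cert="$2"
  req=$(kubectl -n "$ns" describe certificate "$cert" | child_name CertificateRequest | tail -n 1)
  if [ -z "$req" ]; then
    echo "no CertificateRequest created for certificate $cert; inspect its events" >&2; return 1
  fi
  order=$(kubectl -n "$ns" describe certificaterequest "$req" | child_name Order | tail -n 1)
  if [ -z "$order" ]; then
    echo "no Order created for certificaterequest $req; inspect its conditions" >&2; return 1
  fi
  # An Order creates one Challenge per dnsName, so there may be several.
  kubectl -n "$ns" describe order "$order" | child_name Challenge | while read -r chal; do
    echo "== challenge $chal"
    kubectl -n "$ns" describe challenge "$chal" | grep -E 'Reason:|State:|DomainVerified|Presented'
  done
}

# Usage: ./trace_cert.sh <namespace> <certificate-name>
if [ "$#" -eq 2 ]; then
  trace_cert "$1" "$2"
fi
```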
