Cert Manager Cert Expiry Soon

CertManagerCertExpirySoon #

Meaning #

A certificate that cert-manager is maintaining is due to expire within 21 days. Typically ACME certs are updated 30 days before expiry, so this is unusual.

Ensure the certificate issuer is configured correctly. Check cert-manager logs for errors renewing this certificate.

Impact #

If the certificate is not renewed within 21 days, it’ll expire and cause TLS errors.

Diagnosis #

Check the certificates in the cluster with renewing status:

kubectl get certificates -A

Check the certificaterequests for approval and readiness:

kubectl get certificaterequests.cert-manager.io

Mitigation #

Validate that

  • cert-manager is running,
  • the ingress object for http ACME challenges are correct and
  • credentials for issuers and clusterissuers are present and up-to-date.

Source: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/eae22f642aaa5d422e4766f6811df2158fc05539/RUNBOOK.md