Mercurial > code > home > repos > pomerium
comparison tasks.py @ 11:54b0edb7cca8
debug notes
| author | drewp@bigasterisk.com |
|---|---|
| date | Mon, 12 Dec 2022 23:24:30 -0800 |
| parents | d3caeaf39d87 |
| children | 695948b426ae |
comparison
equal
deleted
inserted
replaced
| 10:037539eb52c3 | 11:54b0edb7cca8 |
|---|---|
| 18 | 18 |
| 19 try: | 19 try: |
| 20 ctx.run("kubectl get -n pomerium ingress | grep 80") | 20 ctx.run("kubectl get -n pomerium ingress | grep 80") |
| 21 except UnexpectedExit: | 21 except UnexpectedExit: |
| 22 raise SystemExit("expected cm-acme-http-solver-... ingress on port 80") | 22 raise SystemExit("expected cm-acme-http-solver-... ingress on port 80") |
| 23 | |
| 24 ''' | |
| 25 troubleshooting, based on | |
| 26 https://cert-manager.io/docs/troubleshooting/ | |
| 27 then | |
| 28 https://cert-manager.io/docs/concepts/acme-orders-challenges/ | |
| 29 | |
| 30 I had these open: | |
| 31 ✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging' | |
| 32 ✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod' | |
| 33 ✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide" | |
| 34 ✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io' | |
| 35 ✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io' | |
| 36 ✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io ' | |
| 37 | |
| 38 then i checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources, | |
| 39 and i often restarted cert-manager and eventually pomerium too. 10-pom-pom.yaml last line | |
| 40 may need to be toggled. | |
| 41 | |
| 42 The 'cm-acme-http-solver' ingress for LE comes and goes but i didn't have to force it to exist. | |
| 43 | |
| 44 Didn't need 04-gen-secrets-job.yaml | |
| 45 | |
| 46 Also, CM says this a lot which means it may be afraid to renew bigasterisk.com | |
| 47 | |
| 48 I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1" | |
| 49 | |
| 50 ''' |