diff tasks.py @ 11:54b0edb7cca8

debug notes
author drewp@bigasterisk.com
date Mon, 12 Dec 2022 23:24:30 -0800
parents d3caeaf39d87
children 695948b426ae
--- a/tasks.py	Mon Dec 12 23:22:03 2022 -0800
+++ b/tasks.py	Mon Dec 12 23:24:30 2022 -0800
@@ -20,3 +20,31 @@
         ctx.run("kubectl get -n pomerium ingress | grep 80")
     except UnexpectedExit:
         raise SystemExit("expected cm-acme-http-solver-... ingress on port 80")
+
+'''
+troubleshooting, based on 
+https://cert-manager.io/docs/troubleshooting/
+then
+https://cert-manager.io/docs/concepts/acme-orders-challenges/
+
+I had these open:
+✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging'
+✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod'
+✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide"
+✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io'
+✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io'
+✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io '
+
+then i checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources,
+and i often restarted cert-manager and eventually pomerium too. 10-pom-pom.yaml last line 
+may need to be toggled.
+
+The 'cm-acme-http-solver' ingress for LE comes and goes but i didn't have to force it to exist.
+
+Didn't need 04-gen-secrets-job.yaml
+
+Also, CM says this a lot which means it may be afraid to renew bigasterisk.com
+
+    I1213 07:00:01.946799       1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"
+
+'''
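
Review bot: The notes are added as a bare `'''` string literal at column 0 after the `raise SystemExit(...)` line, so they are a no-op expression statement rather than a docstring for the task above; consider moving them into that task's docstring or into a troubleshooting document next to the YAML files they mention (60-auth-cert.yaml, 10-pom-pom.yaml, 04-gen-secrets-job.yaml). Two entries are not actionable as written: "10-pom-pom.yaml last line may need to be toggled" does not say what that line is or which state was the working one, and the ingress-shim message ("certificate resource is not owned by this object", Ingress `registry` against Certificate `bigasterisk.com-tls` in namespace `default`) is recorded without noting which object does own the Certificate, which is what a reader would need to check the renewal concern. The `watch` lines would also be easier to reuse with the `✨ dash(pts/NN):~%` prompts and the trailing whitespace (after "based on", "last line", and inside the `challenges.acme.cert-manager.io '` quote) removed.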