Let’s Encrypt CN = R3: Certificate has expired or is not yet valid.

Manually Renew Let’s Encrypt Certificates via CLI

I work with a series of Kubernetes clusters that restrict public access via mutual authentication and are encrypted using Let’s Encrypt certificates. Normally, when renewal is required, the process is done for you automatically. But somehow one of my dev EKS clusters was configured without the auto-renewal cert-manager deployment.

The process of auto-renewal is straightforward, but it is difficult to recall when it is required urgently. Therefore I am writing this for all those who, like me, need a blog post to keep handy in time of need. So here we go…

The screen below rings the bell, or we can write a script to check for the near-expiry certificates in question:

Now that we know which application is affected, let’s get the certificate details from the namespace:

kubectl get certificates -n my-namespace

Let us verify whether we have a valid certificate by looking at the status field. Observe that the certificate is not valid after “Not After: 2022-01-03T09:22:19Z”:

kubectl describe certificates my-secret -n my-namespace

Status:
  Conditions:
    Last Transition Time:  2021-11-11T12:26:43Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-01-03T09:22:19Z
  Not Before:              2021-10-05T09:22:20Z
  Renewal Time:            2021-12-04T09:22:19Z
Events:

Now we just delete the certificate using the command below:

kubectl delete certificate my-secret -n my-namespace

To check the status of the certificate, which gets created automatically by the cert-manager CRD, run the commands below:

kubectl get certificate -n my-namespace
NAME        READY   SECRET      AGE
my-secret   True    my-secret   36s

kubectl describe certificate -n my-namespace

Status:
  Conditions:
    Last Transition Time:  2022-01-03T15:06:27Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-04-03T14:06:25Z
  Not Before:              2022-01-03T14:06:26Z
  Renewal Time:            2022-03-04T14:06:25Z
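
The near-expiry check mentioned at the start of this post can be scripted against the same status fields shown in the describe output. This is an added example, not the author's script: it assumes the JSON shape of `kubectl get certificates -A -o json` (cert-manager's `status.notAfter`), and the embedded sample is constructed, with placeholder names and the timestamps from this post.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample shaped like `kubectl get certificates -A -o json`.
# Names are placeholders; the two notAfter values are the ones in this post.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "my-namespace", "name": "my-secret"},
     "status": {"notAfter": "2022-01-03T09:22:19Z"}},
    {"metadata": {"namespace": "my-namespace", "name": "renewed"},
     "status": {"notAfter": "2022-04-03T14:06:25Z"}},
    {"metadata": {"namespace": "other", "name": "pending"},
     "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
]})


def expiring(cert_list_json, now, warn_days=30):
    """Return (namespace, name, state, days_left) for certificates needing attention."""
    findings = []
    for item in json.loads(cert_list_json).get("items", []):
        meta = item["metadata"]
        not_after = item.get("status", {}).get("notAfter")
        if not_after is None:
            # Never issued, so there is no expiry date to compare against.
            findings.append((meta["namespace"], meta["name"], "NOT_ISSUED", None))
            continue
        expiry = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ")
        # timedelta.days floors, so anything already past expiry is negative.
        days_left = (expiry.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            state = "EXPIRED"
        elif days_left <= warn_days:
            state = "EXPIRING"
        else:
            continue  # healthy certificate, nothing to report
        findings.append((meta["namespace"], meta["name"], state, days_left))
    return findings


if __name__ == "__main__":
    # Live use: kubectl get certificates -A -o json | python3 check_certs.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, state, days in expiring(data, datetime.now(timezone.utc)):
        print(f"{state:10} {ns}/{name} days_left={days}")
```

Run on a schedule with a `warn_days` at least as large as the renewal window (the output above shows renewal 30 days before `Not After`), this flags a certificate whose renewal did not happen before it expires.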

If you have thoughts on how to improve this process and/or the above script, please share in the comments below!
