Question
What is the intended way to trigger a renewal of SSL certificates for an instance hosted on Grove (i.e. on a k8s cluster that uses cert-manager) if an automated renewal failed?
Context
Today for one of the clients an alert was raised, because the site became unreachable due to the SSL certificate being expired. I was trying to figure out why it happened and how I can troubleshoot it, and followed the following two guides:
- Troubleshooting - cert-manager Documentation
- Troubleshooting Problems with ACME / Let's Encrypt Certificates - cert-manager Documentation
I couldn't tell why automatic renewal failed, but I could see that CertificateRequest and Orders were stuck in pending status for 52 days.
I was trying to figure out how to trigger a renewal manually, since these old requests were probably "expired". Here I found that renewal can be triggered either via cmctl (cli-tool) or by modifying one of the mentioned fields. I couldn't figure out how to install cmctl in the Grove environment (I tried starting ./control/shell as root by modifying the wrapper script, and running apk update && apk add cmctl, since it's in the index, but it was failing), so I just ran ./control/kubectl -n <namespace> edit certificate <certificate-name>, and after saving the changes, old resources got cleaned up and a new certificate was issued. However, this feels like a hack.
Is there a better way to do it?
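A triage-and-renew script for the situation described above, added here as an example; it is not from the original post or the Grove project. It assumes the ./control/kubectl wrapper mentioned in the post, cert-manager's CRDs, and kubectl 1.24 or newer (for --subresource=status); the status patch it sends sets the Issuing condition to True, which is what cmctl renew does, so the Certificate spec is left untouched. The CertificateRequest rows embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post or the Grove project. Assumes the
# ./control/kubectl wrapper from the post, cert-manager CRDs and kubectl >= 1.24
# (for --subresource=status). Triage stuck CertificateRequests, then trigger a
# fresh issuance without editing the Certificate spec.
KUBECTL="${KUBECTL:-./control/kubectl}"
# Columns requested from kubectl; <none> is printed for missing fields, so rows stay aligned.
CR_COLUMNS='NAME:.metadata.name,READY:.status.conditions[?(@.type=="Ready")].status,REASON:.status.conditions[?(@.type=="Ready")].reason,CREATED:.metadata.creationTimestamp'

# Constructed sample of that output (names and dates are made up) for offline use.
SAMPLE_REQUESTS='NAME             READY   REASON    CREATED
site-tls-n8x2q   False   Pending   2024-01-10T08:15:00Z
site-tls-k4m7p   True    Issued    2023-11-20T08:15:00Z
site-tls-z1q9r   <none>  <none>    2024-03-01T12:00:00Z'

# Print every request whose Ready condition is not True: these never completed
# and their REASON is the first clue to why the automated renewal stalled.
not_ready_requests() {  # $1: table text in CR_COLUMNS layout
    printf '%s\n' "$1" | awk 'NR > 1 && $2 != "True" { print $1, $2, $3, $4 }'
}

# The status patch that cmctl renew applies: an Issuing=True condition makes
# cert-manager discard the old request/order and start a new one.
issuing_patch() {
    printf '%s' '{"status":{"conditions":[{"type":"Issuing","status":"True","reason":"ManuallyTriggered","message":"Certificate re-issuance manually triggered"}]}}'
}

triage_and_renew() {  # $1: namespace, $2: Certificate name
    ns="$1"; cert="$2"
    echo "== Certificate $cert"; "$KUBECTL" -n "$ns" get certificate "$cert" -o wide
    echo "== CertificateRequests that did not complete"
    not_ready_requests "$("$KUBECTL" -n "$ns" get certificaterequest -o custom-columns="$CR_COLUMNS")"
    echo "== Orders / Challenges (ACME failures show up here)"
    "$KUBECTL" -n "$ns" get order,challenge
    # Trigger re-issuance the way cmctl renew does, leaving spec untouched.
    "$KUBECTL" -n "$ns" patch certificate "$cert" --subresource=status --type=merge -p "$(issuing_patch)"
}

if [ "$#" -eq 2 ]; then
    triage_and_renew "$1" "$2"
else
    not_ready_requests "$SAMPLE_REQUESTS"   # offline demo on the constructed sample
fi
```

Run it with a namespace and Certificate name against the cluster; without arguments it only runs the filter over the constructed sample.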