Published in Dzero Labs

How to Renew Let’s Encrypt Certificates Managed by cert-manager on Kubernetes

Gibbous moon in September 2020. Shot on Canon 5D Mark III, 200mm at f13 (EF70-200 f2.8L II USM). Photo by Dzero Labs.
The dreaded certificate renewal email

1- Check certificate status

kubectl describe certificates ambassador-certs -n ambassador
The certificate is going to expire in March
  • Not After is the Certificate’s expiry date. In our case, it’s 2021-03-12.
  • Not Before is typically the date that the certificate was created. That is, if you didn’t explicitly populate this field in your Certificate resource YAML.
  • Renewal Time is the 30-day mark before the Certificate expires.

2- Delete the Certificate and Secret

3- Re-create the certificate in Kubernetes

kubectl apply -f ambassador-certificate-definiton.yml

4- Verify

kubectl describe certificates ambassador-certs -n ambassador
The new certificate expires in April
  • Reason is Ready (cert is ready)
  • Status is True (cert hasn’t gone caca)
  • Not After is now 2021-04-13. The old value was 2021-03-12. Yay, it’s been updated!
kubectl get secrets -n ambassador
The accompanying secret has been created successfully

Keeping it DevOpsy

End-to-end certificate renewal script
kubectl get certificate -n ambassador -o=jsonpath='{.items[0].status.renewalTime}'
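
Steps 1 to 4 above as one guarded script. This is an added example, not the article's own script. It assumes GNU `date`, reads the Secret name from the Certificate's `.spec.secretName` rather than hard-coding it, and uses the function names `cert_field`, `renewal_due` and `renew_certificate`, which are made up for this sketch.

```bash
#!/usr/bin/env bash
# Added example: the four manual steps as one guarded script.
set -eu

NS="${NS:-ambassador}"              # namespace used in the article
CERT="${CERT:-ambassador-certs}"    # Certificate name used in the article
MANIFEST="${MANIFEST:-ambassador-certificate-definiton.yml}"  # spelled as in step 3

# Print one field of the Certificate resource (jsonpath expression in $1).
cert_field() {
  kubectl get certificate "$CERT" -n "$NS" -o "jsonpath={$1}"
}

# Exit 0 if RFC 3339 time $1 is at or before epoch $2, 1 if later, 2 if unparsable.
renewal_due() {
  local renewal_epoch
  [ -n "$1" ] || return 2           # GNU date would read "" as today, so reject it
  renewal_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 2  # GNU date assumed
  [ "$renewal_epoch" -le "$2" ]
}

renew_certificate() {
  local now="${1:-$(date -u +%s)}" renewal secret before after rc=0
  renewal=$(cert_field .status.renewalTime)
  renewal_due "$renewal" "$now" || rc=$?
  case "$rc" in
    0) ;;
    1) echo "renewal not due until $renewal, nothing to do"; return 0 ;;
    *) echo "cannot read renewalTime: '$renewal'" >&2; return 1 ;;
  esac
  secret=$(cert_field .spec.secretName)   # look the Secret name up, do not guess it
  before=$(cert_field .status.notAfter)
  # Step 2: until re-issue completes there is no TLS Secret for the ingress to load.
  kubectl delete certificate "$CERT" -n "$NS"
  kubectl delete secret "$secret" -n "$NS" --ignore-not-found
  # Step 3: re-create the Certificate so cert-manager requests a new one.
  kubectl apply -f "$MANIFEST"
  # Step 4: wait for Ready=True, then confirm Not After actually moved.
  kubectl wait --for=condition=Ready "certificate/$CERT" -n "$NS" --timeout=300s
  after=$(cert_field .status.notAfter)
  if [ "$after" = "$before" ]; then
    echo "Not After unchanged ($after), renewal did not happen" >&2; return 1
  fi
  echo "renewed: Not After $before -> $after"
}

# Runs only with --run, so the functions can be sourced and tested without a cluster.
if [ "${1:-}" = "--run" ]; then renew_certificate; fi
```

The script does nothing unless invoked with `--run`, and even then it deletes anything only once the renewal time has passed, which keeps the window without a TLS Secret as rare as possible.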

Final Thoughts

Adri Villela
