TLDR: Certificate not ready? Check resources in this order: Certificate → CertificateRequest → Order → Challenge. The issue is usually at the Challenge level.


Debugging cert-manager feels like archaeology. You start at the surface (Certificate) and dig down through layers of resources until you find where things went wrong. I’ve wasted hours staring at a Certificate stuck at “False” before learning this flow.

The debugging hierarchy

cert-manager creates a chain of resources when you request a certificate:

  1. Certificate - what you create
  2. CertificateRequest - cert-manager’s internal request
  3. Order - the ACME order (for Let’s Encrypt)
  4. Challenge - the domain validation challenge

When something fails, the issue is almost always at the Challenge level, but you need to trace down to find it.

Start at the top

kubectl get certificates

Look for READY status. If it’s False, something’s wrong. But this won’t tell you what - you need to dig deeper.

Check certificate requests

kubectl get certificaterequest

This shows if cert-manager even started processing your request.

Check orders and challenges

For ACME/Let’s Encrypt certificates:

kubectl get orders
kubectl get challenges

Challenges are where things usually break. Watch them in real time:

watch kubectl get challenges

Get the actual error

The describe command is your friend:

kubectl describe certificate my-cert
kubectl describe certificaterequest my-cert-abc123
kubectl describe challenge my-cert-xyz789

The Events section at the bottom usually contains the actual error message.
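The dig from Certificate down to Challenge described in the sections above can be scripted. This is an added example, not code from the original post or from cert-manager itself: it walks the ownerReferences cert-manager sets on each child resource and reports the lowest resource that is not yet Ready (conditions) or valid (state). It assumes the JSON comes from `kubectl get certificates,certificaterequests,orders,challenges -o json` on stdin; the script name `certchain.py`, the `SAMPLE` data and the resource names in it are constructed for the demo.

```python
import json
import sys
KINDS = ["Certificate", "CertificateRequest", "Order", "Challenge"]

def not_ready(obj):
    """Why obj is unfinished, as (reason, message); None once it is Ready (condition) or valid (state)."""
    st = obj.get("status", {})
    if obj["kind"] in ("Order", "Challenge"):  # ACME resources expose status.state and status.reason
        return None if st.get("state") == "valid" else (st.get("state", "no state yet"), st.get("reason", ""))
    ready = [c for c in st.get("conditions", []) if c.get("type") == "Ready"]
    if not ready:  # cert-manager has not reconciled this object at all yet
        return "no Ready condition yet", ""
    return None if ready[0].get("status") == "True" else (ready[0].get("reason", ""), ready[0].get("message", ""))

def walk_chain(items, cert_name):
    """Follow ownerReferences from the named Certificate down; [(kind, name, not_ready(obj))] top to bottom."""
    frontier = [i for i in items if i["kind"] == "Certificate" and i["metadata"]["name"] == cert_name]
    chain = []
    for kind in KINDS:
        level = [o for o in frontier if o["kind"] == kind]
        chain += [(kind, o["metadata"]["name"], not_ready(o)) for o in level]
        uids = {o["metadata"]["uid"] for o in level}  # cert-manager sets ownerReferences on each child
        frontier = [i for i in items
                    if any(r.get("uid") in uids for r in i["metadata"].get("ownerReferences", []))]
    return chain

def deepest_problem(chain):  # lowest unfinished resource: the one to `kubectl describe` first
    problems = [e for e in chain if e[2] is not None]
    return problems[-1] if problems else None

def _obj(kind, name, uid, owner=None, **status):  # builder for the constructed sample below
    meta = {"name": name, "uid": uid, "ownerReferences": [{"uid": owner}] if owner else []}
    return {"kind": kind, "metadata": meta, "status": status}

SAMPLE = [  # constructed, not live data: a Certificate stuck on a pending HTTP-01 Challenge
    _obj("Certificate", "my-cert", "c1", conditions=[{"type": "Ready", "status": "False",
         "reason": "DoesNotExist", "message": "Issuing certificate as Secret does not exist"}]),
    _obj("CertificateRequest", "my-cert-abc12", "r1", owner="c1",
         conditions=[{"type": "Ready", "status": "False", "reason": "Pending"}]),
    _obj("Order", "my-cert-abc12-1", "o1", owner="r1", state="pending"),
    _obj("Challenge", "my-cert-abc12-1-2", "ch1", owner="o1", state="pending",
         reason="Waiting for HTTP-01 challenge propagation: wrong status code '404'"),
]
if __name__ == "__main__":  # kubectl get certificates,certificaterequests,orders,challenges -o json | python3 certchain.py my-cert
    live = len(sys.argv) > 1  # without an argument the script walks the constructed SAMPLE
    chain = walk_chain(json.load(sys.stdin)["items"] if live else SAMPLE, sys.argv[1] if live else "my-cert")
    for kind, name, why in chain:
        print(f"{kind:<18} {name:<20} {why or 'ok'}")
    print("start here:", deepest_problem(chain) or "nothing pending (or Certificate not found)")
```

Run it with no argument to see the walk over the constructed sample: every level is unfinished, and the "start here" line points at the pending Challenge, which is where `kubectl describe` pays off.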

Check cert-manager logs

If describe doesn’t help:

kubectl logs -n cert-manager deployment/cert-manager

Or use stern for easier reading:

stern cert-manager -n cert-manager

Common issues I’ve hit

  • Challenge stuck pending - Usually DNS propagation (wait 5-10 minutes) or firewall blocking port 80/443 for HTTP-01 challenges
  • Rate limited - Let’s Encrypt has strict rate limits. You get 50 certificates per domain per week. Hit this limit and you’re waiting 7 days.
  • Invalid domain - DNS not pointing to your cluster, or pointing to the wrong IP
  • Solver not configured - Missing or misconfigured ClusterIssuer

How long should you wait?

  • HTTP-01 challenges: Should complete within 1-2 minutes if everything’s configured correctly
  • DNS-01 challenges: Can take 5-10 minutes due to DNS propagation
  • If nothing happens after 15 minutes: Something’s definitely wrong - start debugging

View certificate details

Decode the CSR to see what domains are being requested:

kubectl get certificaterequest my-cert-abc123 -o jsonpath='{.spec.request}' | base64 -d | openssl req -text -noout

This is useful when you’re not sure if the certificate request matches what you expected.

Further reading