Issues with certificates on Gardener

Symptom & Cause

During installation on Gardener, Kyma requests domain SSL certificates using Gardener's Certificate custom resource (CR) to ensure secure communication through both the Kyma UI and the Kubernetes CLI.

This process can result in the following issues:

  • Certificate installation takes too long.
  • The "Certificate is still not ready, status is {STATUS}. Exiting..." error occurs.
  • Certificates are no longer valid.

Remedy

If any of these issues appear, follow these steps:

  1. Check the status of the Certificate CR:

    kubectl get certificates.cert.gardener.cloud --all-namespaces
  2. If the status of any Certificate is Error, run:

    kubectl get certificates -n {CERTIFICATE_NAMESPACE} {CERTIFICATE_NAME} -o jsonpath='{ .status.message }'

The result describes the reason for the failure of issuing a domain SSL certificate. Depending on the moment when the error occurred, you can perform different actions.

  • Error during the installation
  • Error after the installation
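
The two checks from the Remedy steps can be combined into a single pass over all namespaces. The script below is an added example, not part of the original Kyma documentation. It assumes that the value shown in the STATUS column is stored in `.status.state` and that a healthy Certificate reports `Ready`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report every Gardener Certificate CR that is not Ready,
# together with its .status.message, in one pass over all namespaces.

# Prints one tab-separated line per Certificate:
#   namespace, name, state, message
# Assumption: the STATUS column value is stored in .status.state.
list_cert_states() {
  kubectl get certificates.cert.gardener.cloud --all-namespaces \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.status.state}{"\t"}{.status.message}{"\n"}{end}'
}

# Reads those lines on stdin and prints every Certificate whose state is
# not Ready (assumed healthy value). A Certificate with an empty state has
# not been processed yet and is reported too.
# Returns 1 if at least one such Certificate exists, 0 otherwise.
# Limitation: a message that itself contains tabs or newlines is truncated.
report_not_ready() {
  awk -F '\t' '
    NF < 2 { next }                      # skip blank or continuation lines
    $3 != "Ready" {
      state = ($3 == "" ? "<no status yet>" : $3)
      msg   = ($4 == "" ? "<no message>" : $4)
      printf "%s/%s: %s: %s\n", $1, $2, state, msg
      bad++
    }
    END { exit (bad > 0) }
  '
}

# Query the cluster only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  list_cert_states | report_not_ready
fi
```

Run the script with `--run` against the cluster. A non-zero exit code means at least one Certificate needs attention.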