Manually Renew Let’s Encrypt Certificates via CLI
I work with a series of Kubernetes clusters whose public access is restricted via mutual authentication and encrypted using Let’s Encrypt certificates. Normally, when renewal is required, it is done for you automatically. But somehow one of my dev EKS clusters was configured without the auto-renewal cert-manager deployment.
The process of autorenewal is straightforward, but the steps are difficult to recall when they are needed urgently. Therefore I am writing this for all those who, like me, need a blog post to keep handy in time of need. So here we go…
The screen below rings the bell, or we can write a script to check for certificates that are near expiry:
Now that we know which application it is, let’s get the certificate details from the namespace:
kubectl get certificates -n my-namespace
Let us verify that we are getting a valid certificate by looking more closely at the status field. As you can see, the certificate is not valid after "Not After: 2022-01-03T09:22:19Z".
kubectl describe certificates my-secret -n my-namespace
Status:
  Conditions:
    Last Transition Time:  2021-11-11T12:26:43Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-01-03T09:22:19Z
  Not Before:              2021-10-05T09:22:20Z
  Renewal Time:            2021-12-04T09:22:19Z
Events:
Now we just delete the certificate using the command below:
kubectl delete certificate my-secret -n my-namespace
To check the status of the certificate, which gets created automatically by the cert-manager CRD, run the commands below:
kubectl get certificate -n my-namespace
NAME        READY   SECRET      AGE
my-secret   True    my-secret   36s
kubectl describe certificate -n my-namespace
Status:
  Conditions:
    Last Transition Time:  2022-01-03T15:06:27Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-04-03T14:06:25Z
  Not Before:              2022-01-03T14:06:26Z
  Renewal Time:            2022-03-04T14:06:25Z
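One way to write the near-expiry check mentioned at the start, as an added example that is not part of the original post: it reads `kubectl describe certificates` text and reports each Certificate's remaining days against a warning window. The function names, the second certificate `other-secret`, the issuer name `example-issuer` and the 30-day window are assumptions made for illustration.

```shell
#!/bin/sh
# Convert an RFC 3339 UTC timestamp (2022-01-03T09:22:19Z) to epoch seconds
# using shell arithmetic only (no dependency on GNU or BSD date flags).
iso_to_epoch() {
    ts=${1%Z}; dp=${ts%T*}; tp=${ts#*T}
    y=${dp%%-*}; r=${dp#*-}; m=${r%-*}; d=${r#*-}
    hh=${tp%%:*}; r=${tp#*:}; mi=${r%:*}; ss=${r#*:}
    # Strip one leading zero so "08"/"09" are not parsed as octal.
    m=${m#0}; d=${d#0}; hh=${hh#0}; mi=${mi#0}; ss=${ss#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + (153 * mp + 2) / 5 + d - 1 ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mi * 60 + ss ))
}

# stdin: `kubectl describe certificates` text. Args: now (epoch), warn window (days).
# Prints "<name> <whole days left> <OK|RENEW|EXPIRED>" for each Certificate.
check_cert_expiry() {
    now=$1; warn=$2
    # Only the top-level "Name:" is the Certificate; the indented one under
    # "Issuer Ref:" is the issuer and must not overwrite it.
    awk '/^Name:/ { name = $2 }
         /^[ \t]+Not After:/ { print name, $3 }' |
    while read -r name not_after; do
        secs=$(( $(iso_to_epoch "$not_after") - now ))
        if [ "$secs" -le 0 ]; then state=EXPIRED
        elif [ "$secs" -le $((warn * 86400)) ]; then state=RENEW
        else state=OK; fi
        echo "$name $((secs / 86400)) $state"
    done
}

# Constructed sample shaped like `kubectl describe` output; the dates are the
# two "Not After" values from this post, the names are placeholders.
sample_describe_output() {
    cat <<'EOF'
Name:         my-secret
Spec:
  Issuer Ref:
    Name:  example-issuer
Status:
  Not After:   2022-01-03T09:22:19Z
Name:         other-secret
Status:
  Not After:   2022-04-03T14:06:25Z
EOF
}
# Real use: kubectl describe certificates -n my-namespace | check_cert_expiry "$(date +%s)" 30
sample_describe_output | check_cert_expiry 1639958400 30   # "now" = 2021-12-20T00:00:00Z
```

Anything reported as RENEW or EXPIRED is a candidate for the delete-and-reissue steps above.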
If you have thoughts on how to improve this process and/or the above script, please share in the comments below!