cert-manager certificate issuance fails due to ACME validation errors, invalid issuer configuration, or challenge failures. Fix by verifying issuer status, checking DNS/HTTP validation, and reviewing logs.
cert-manager is a Kubernetes operator that automates TLS certificate provisioning. When issuance fails, the Certificate resource reports Ready: False and the controller cannot obtain a certificate from the configured issuer (Let's Encrypt, a private CA, etc.), so Ingresses and Services that depend on that certificate cannot serve HTTPS.
View the detailed status of the failing certificate:
kubectl describe certificate <cert-name>
kubectl get certificate <cert-name> -o yaml
Look for "Ready: False" and read the conditions for the specific error.
Ensure the issuer is properly configured and Ready:
kubectl describe issuer <issuer-name>
kubectl describe clusterissuer <issuer-name>
If it is not Ready, check the CA certificate validity or the ACME account status.
Check the CertificateRequest to see where issuance failed:
kubectl get certificaterequest
kubectl describe certificaterequest <req-name>
This shows the detailed error returned by the issuer.
For ACME issuers, examine the challenge resources:
kubectl get challenge
kubectl describe challenge <challenge-name>
Look for messages such as the DNS name not pointing to the validation server, a challenge stuck waiting for validation, or HTTP connection errors.
For DNS-01 challenges, verify that DNS is correctly configured:
nslookup _acme-challenge.example.com
dig _acme-challenge.example.com TXT
The TXT record must exist (and have propagated) before the ACME server checks it.
For HTTP-01 challenges, verify that the validation endpoint is reachable:
curl -v http://example.com/.well-known/acme-challenge/<token>
It must return the validation token with a 200 response, not a redirect or a 404.
If the issuer uses an invalid contact email (for example an @example.com address), delete the ACME account secret and recreate the issuer:
kubectl delete secret letsencrypt-account -n cert-manager
kubectl delete issuer <issuer-name>
# Recreate the issuer with a valid email
Use real email addresses for production ACME accounts.
Check the controller and webhook logs for detailed error information:
kubectl logs -n cert-manager deploy/cert-manager --tail=100
kubectl logs -n cert-manager deploy/cert-manager-webhook --tail=100
Look for specific validation or API errors.
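The steps above are a chain: issuer, then Certificate, then CertificateRequest, then Challenge. The script below is an added example (not cert-manager's own tooling) that walks that chain offline over the JSON you get from kubectl get <kind> <name> -o json and reports every stage that is not healthy, together with the DNS-01 or HTTP-01 check that verifies it. It assumes the cert-manager v1 field layout (status.conditions with a Ready type, Challenge spec.type/dnsName/token and status.state); the sample objects, hostnames and token are constructed for illustration.

```python
"""Offline triage of cert-manager objects exported with `kubectl get <kind> <name> -o json`.

Added example, not cert-manager's own tooling. Walks Issuer -> Certificate ->
CertificateRequest -> Challenge and reports each stage that is not healthy.
Sample objects are constructed; field names follow the cert-manager v1 API.
"""
import json
from typing import Dict, List, Optional

# Let's Encrypt rejects contact addresses in the reserved documentation domains.
RESERVED_EMAIL_DOMAINS = ("example.com", "example.net", "example.org")
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"


def ready_condition(obj: Dict) -> Optional[Dict]:
    """Return the Ready condition of a cert-manager object, or None if it has none."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def is_ready(obj: Dict) -> bool:
    cond = ready_condition(obj)
    return cond is not None and cond.get("status") == "True"


def not_ready_text(kind: str, obj: Dict) -> str:
    """One-line summary of why an object is not Ready (reason + message)."""
    name = obj["metadata"]["name"]
    cond = ready_condition(obj)
    if cond is None:
        return f"{kind} {name} has no Ready condition yet"
    return f"{kind} {name} not Ready: {cond.get('reason', '?')}: {cond.get('message', '')}"


def issuer_findings(issuer: Dict) -> List[str]:
    """Issuer checks: Ready status, reserved contact email, staging endpoint."""
    out: List[str] = []
    name = issuer["metadata"]["name"]
    if not is_ready(issuer):
        out.append(not_ready_text("issuer", issuer))
    acme = issuer.get("spec", {}).get("acme")
    if acme:
        email = acme.get("email", "")
        if email.rsplit("@", 1)[-1].lower() in RESERVED_EMAIL_DOMAINS:
            out.append(f"issuer {name} uses reserved contact email {email}; "
                       "recreate the issuer with a real address")
        if acme.get("server") == LE_STAGING:
            out.append(f"issuer {name} targets the Let's Encrypt staging endpoint; "
                       "its certificates are not browser-trusted")
    return out


def challenge_findings(challenge: Dict) -> List[str]:
    """Map a non-valid ACME challenge to the DNS-01 or HTTP-01 check that verifies it."""
    spec, status = challenge.get("spec", {}), challenge.get("status", {})
    state = status.get("state", "unknown")
    if state == "valid":
        return []
    ctype, dns_name = spec.get("type", "?"), spec.get("dnsName", "?")
    hints = {
        "HTTP-01": (f"curl -v http://{dns_name}/.well-known/acme-challenge/"
                    f"{spec.get('token', '<token>')} must return 200 with the key "
                    "authorization, not a redirect or 404"),
        "DNS-01": (f"dig _acme-challenge.{dns_name} TXT must return the record "
                   "before the ACME server checks it"),
    }
    return [f"challenge {challenge['metadata']['name']} ({ctype} for {dns_name}) "
            f"state={state}: {status.get('reason', '')} -> "
            f"{hints.get(ctype, 'unknown challenge type')}"]


def triage(issuer: Dict, cert: Dict, requests: List[Dict], challenges: List[Dict]) -> List[str]:
    """Walk Issuer -> Certificate -> CertificateRequest -> Challenge; return all findings."""
    findings = issuer_findings(issuer)
    if is_ready(cert):
        return findings  # certificate already issued; only issuer hygiene notes remain
    findings.append(not_ready_text("certificate", cert))
    for cr in requests:
        if not is_ready(cr):
            findings.append(not_ready_text("certificaterequest", cr))
    for ch in challenges:
        findings.extend(challenge_findings(ch))
    return findings


# Constructed sample objects, trimmed to the fields the triage reads.
SAMPLE_ISSUER = json.loads('''{"metadata": {"name": "letsencrypt"},
  "spec": {"acme": {"email": "admin@example.com",
                    "server": "https://acme-v02.api.letsencrypt.org/directory"}},
  "status": {"conditions": [{"type": "Ready", "status": "True"}]}}''')
SAMPLE_CERT = json.loads('''{"metadata": {"name": "web-tls"},
  "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
              "message": "Issuing certificate as Secret does not exist"}]}}''')
SAMPLE_CR = json.loads('''{"metadata": {"name": "web-tls-1"},
  "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
              "message": "Waiting on certificate issuance from order default/web-tls-1-abc"}]}}''')
SAMPLE_CHALLENGE = json.loads('''{"metadata": {"name": "web-tls-1-abc-0"},
  "spec": {"type": "HTTP-01", "dnsName": "shop.internal.test", "token": "tok123"},
  "status": {"state": "pending",
             "reason": "Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'"}}''')

if __name__ == "__main__":
    for line in triage(SAMPLE_ISSUER, SAMPLE_CERT, [SAMPLE_CR], [SAMPLE_CHALLENGE]):
        print("-", line)
```

In practice you would replace the SAMPLE_* constants with json.load of the four kubectl -o json outputs. The issuer check runs even when the Certificate is Ready, because a reserved contact address or a staging endpoint is worth flagging before the next renewal rather than after it fails.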
For production, use real email addresses for Let's Encrypt accounts and monitor certificate expiration dates. Use DNS-01 validation for wildcard certificates and for internal domains that the ACME server cannot reach over HTTP. For high-volume issuance, reuse certificates where possible to stay under ACME rate limits. Back up the ACME account key secret. Monitor cert-manager metrics (renewal timing, failure counts) for early detection of problems. Test against the staging ACME endpoint before switching an issuer to production.