Certificate not ready errors occur when CertificateSigningRequest approval or signing fails. Fix by verifying CSR status, checking signer configuration, and approving pending requests.
Kubernetes certificates are requested via CertificateSigningRequest (CSR) resources. When a certificate is "not ready," the CSR has been created but either not yet approved, approved but not signed by the signer, or failed to sign. This blocks TLS-based operations that depend on the certificate.
View all CSRs and their status:
kubectl get csr
kubectl describe csr <csr-name>
Look for a Pending, Approved, or Failed condition in the status.
If the CSR is Pending, manually approve it:
kubectl certificate approve <csr-name>
kubectl get csr <csr-name> -o yaml | grep -A 2 conditions
After approval, the signer should issue the certificate.
After approval, verify that the certificate field has content:
kubectl get csr <csr-name> -o jsonpath='{.status.certificate}'
If it is empty, the signer failed to issue the certificate.
Check whether kube-controller-manager is configured with the signing CA. On clusters where it runs as a pod in kube-system, query it by label:
kubectl get pod -n kube-system -l component=kube-controller-manager -o yaml | grep -i "cluster-signing"
Look for the --cluster-signing-cert-file and --cluster-signing-key-file arguments.
List the signer names that existing CSRs request:
kubectl get csr -o jsonpath="{.items[*].spec.signerName}"
Common signers: kubernetes.io/kube-apiserver-client, kubernetes.io/kubelet-serving
Check logs for certificate signing errors:
kubectl logs -n kube-system -l component=kube-controller-manager | grep -i cert
Look for missing CA files or signing operation failures.
Ensure the service account has permission to request certificates:
kubectl auth can-i create certificatesigningrequests --as=system:serviceaccount:kube-system:kubelet
Once the CSR is approved and signed, extract the certificate from it:
kubectl get csr <csr-name> -o jsonpath='{.status.certificate}' | base64 -d > cert.crt
kubectl get csr <csr-name> -o jsonpath='{.status.certificate}' | base64 -d | openssl x509 -text -noout
For automated CSR approval, consider using RBAC-based auto-approval in clusters where security allows it. External signers (cert-manager, custom controllers) can be configured for specialized certificate needs. Always verify CA certificate validity: expired CA keys cannot sign new CSRs. For kubelet serving certificates, ensure the API server CSR signer has proper permissions. Monitor CSR resources continuously in large clusters for signing bottlenecks.
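The states described above (pending, approved but unsigned, failed) can be triaged in one pass over `kubectl get csr --no-headers` output. The script below is an added example, not part of the original page; it assumes a kubectl version that prints a SIGNERNAME column and requestor names without spaces, and its sample rows, including the `example.com/custom-signer` signer, are constructed.

```shell
#!/bin/sh
# Added example: classify CSRs from `kubectl get csr --no-headers` output.
# NAME is field 1, SIGNERNAME field 3, CONDITION the last field; kubectl
# versions without the REQUESTEDDURATION column still work because the
# condition is read from the last field.

triage_csrs() {
  awk '
    NF < 4 { next }   # skip blank or malformed rows
    {
      name = $1; signer = $3; cond = $NF
      if (cond ~ /Issued/)        verdict = "ready"
      else if (cond ~ /Denied/)   verdict = "denied: create a new CSR"
      else if (cond ~ /Failed/)   verdict = "failed: signer could not sign, see kubectl describe csr"
      else if (cond ~ /Approved/) verdict = "approved-unsigned: check cluster-signing flags and controller logs"
      else if (cond ~ /Pending/)  verdict = "pending: needs kubectl certificate approve"
      else                        verdict = "unknown"
      printf "%s\t%s\t%s\n", name, signer, verdict
    }'
}

# Count CSRs that are not ready; non-zero means something needs attention.
count_not_ready() {
  triage_csrs | awk -F '\t' '$3 != "ready"' | wc -l | tr -d ' '
}

# Constructed sample rows (not from a real cluster).
sample_csrs() {
  cat <<'EOF'
csr-a1 5m kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:abc <none> Approved,Issued
csr-b2 12m kubernetes.io/kubelet-serving system:node:node-1 <none> Pending
csr-c3 30m kubernetes.io/kubelet-serving system:node:node-2 <none> Approved
csr-d4 1h example.com/custom-signer admin 24h Approved,Failed
csr-e5 2h kubernetes.io/kube-apiserver-client admin Denied
EOF
}

# Live use: kubectl get csr --no-headers | triage_csrs
sample_csrs | triage_csrs
```

An "approved-unsigned" row is the case where approval succeeded but `.status.certificate` is still empty, which points at the signer rather than at approval.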