Troubleshooting

Due to the number of components involved in the architecture, it might be hard to pinpoint why a certificate fails to issue when requested by a workload.

Check whether the certificate request was created

First, ensure that cert-manager created a CertificateRequest resource for the Certificate you created.

To do so, run the following command:

$ kubectl get certificaterequest -n <namespace>

If the certificate request is not present, check cert-manager logs to see if any error occurred when trying to create it:

$ kubectl logs -n <cert-manager-namespace> <cert-manager-pod> --tail=100

Investigate the CertificateRequest status

If the certificate request is present but not in a Ready state, check its status for error messages:

$ kubectl describe certificaterequest <certificaterequest-name> -n <namespace>

Look for any error messages in the Status section that could indicate why the request failed.

Check other services logs

If the CertificateRequest shows errors related to the issuer, check the logs of the horizon-issuer controller for more details:

$ kubectl logs -n <horizon-issuer-namespace> <horizon-issuer-pod> --tail=100

If it shows Horizon-related errors, check the Horizon instance logs or contact EVERTRUST support for assistance.