backstage SSL Certificate Health

3 Troubleshooting Commands

Last updated 13 weeks ago

Contributed by stewartshea

---

Public Source Code

Private Configuration

Join Discussion

---

Troubleshooting Commands

Get Namespace Certificate Summary for Namespace backstage

What does it do?

This command retrieves certificate information from the cert-manager within a specific context and namespace, and uses JSON parsing to select only the certificates that are ready for renewal or have expired. It then prints out details such as namespace, URL, renewal time, and expiration time for each selected certificate.

Command

kubectl get certificates.cert-manager.io --context=gke_runwhen-nonprod-sandbox_us-central1_sandbox-cluster-1-cluster -n backstage -ojson | jq -r --arg now "$(date +%Y-%m-%dT%H:%M:%SZ)" '.items[] | select(.status.conditions[] | select(.type == "Ready" and .status == "True")) | select(.status.renewalTime) | select((.status.notAfter | strptime("%Y-%m-%dT%H:%M:%SZ") | mktime) <= ($now | strptime("%Y-%m-%dT%H:%M:%SZ") | mktime)) | "Namespace:" + .metadata.namespace + " URL:" + .spec.dnsNames[0] + " Renews:" + .status.renewalTime + " Expires:" + .status.notAfter'

Copy to clipboard Copied to clipboard

Learn more

This multi-line content is auto-generated and used for educational purposes. Copying and pasting the multi-line text might not function as expected.

# Assign the current context and namespace to variables for easier readability
CONTEXT="your_context_here"
NAMESPACE="your_namespace_here"

# Get all certificates from cert-manager in the specified context and namespace in JSON format
kubectl get certificates.cert-manager.io --context=${CONTEXT} -n ${NAMESPACE} -ojson \
| 
# Use jq to filter and format the output
jq -r --arg now "$(date +%Y-%m-%dT%H:%M:%SZ)" '
  .items[] | 
  # Select only certificates that are ready
  select(.status.conditions[] | select(.type == "Ready" and .status == "True")) | 
  # Select certificates with renewal time and expiration date
  select(.status.renewalTime) | 
  select((.status.notAfter | strptime("%Y-%m-%dT%H:%M:%SZ") | mktime) <= ($now | strptime("%Y-%m-%dT%H:%M:%SZ") | mktime)) | 
  # Format the output with relevant information
  "Namespace:" + .metadata.namespace + " URL:" + .spec.dnsNames[0] + " Renews:" + .status.renewalTime + " Expires:" + .status.notAfter'

This multi-line command uses `kubectl` and `jq` to retrieve and format information about certificates from the cert-manager. It filters and displays relevant details such as namespace, URL, renewal time, and expiration date. The comments provide explanations for each step to help newer or less experienced devops engineers understand the command's functionality.

Helpful Links

• Cert-manager documentation
• JSON parsing tutorial

Find Unhealthy Certificates in Namespace backstage

What does it do?

This command retrieves information about certificates managed by cert-manager in the specified namespace and context, then uses jq to filter the results to only show certificates that are not ready.

Command

kubectl get --context=gke_runwhen-nonprod-sandbox_us-central1_sandbox-cluster-1-cluster -n backstage certificates.cert-manager.io -ojson | jq '[.items[] | select(.status.conditions[] | select(.type == "Ready" and .status == "False"))]'

Copy to clipboard Copied to clipboard

Learn more

This multi-line content is auto-generated and used for educational purposes. Copying and pasting the multi-line text might not function as expected.

# Set the kubectl context to the specified value for better clarity
# and if multiple contexts are available in the Kubernetes configuration
# file, this ensures that we're working with the correct cluster
CONTEXT=${CONTEXT}

# Set the namespace where the certificates are located to perform 
# operations specific to that namespace without affecting other resources
NAMESPACE=${NAMESPACE}

# Utilize kubectl to fetch the certificate resources from the specified
# context and namespace, and then output the result as JSON
certificatesJSON=$(kubectl get --context=${CONTEXT} -n ${NAMESPACE} certificates.cert-manager.io -ojson)

# Parse the JSON output using jq to select only the items where the
# status conditions indicate the certificate is not ready (status = "False")
notReadyCertificates=$(echo $certificatesJSON | jq '[.items[] | select(.status.conditions[] | select(.type == "Ready" and .status == "False"))]')

Helpful Links

• Cert-manager documentation
• Kubernetes namespace documentation
• Kubernetes context documentation
• jq documentation

Find Failed Certificate Requests and Identify Issues for Namespace backstage

What does it do?

This command retrieves certificate requests from the cert-manager.io API for a specific context and namespace, then uses jq to filter and format the output in a human-readable way, including information about the certificate request, certificate, issuer, readiness status, approval status, and corresponding messages.

Command

kubectl get certificaterequests.cert-manager.io --context=gke_runwhen-nonprod-sandbox_us-central1_sandbox-cluster-1-cluster -n backstage -o json | jq -r '.items[] | select(.status.conditions[] | select(.type == "Ready" and .status != "True")) | {certRequest: .metadata.name, certificate: (.metadata.ownerReferences[].name), issuer: .spec.issuerRef.name, readyStatus: (.status.conditions[] | select(.type == "Ready")).status, readyMessage: (.status.conditions[] | select(.type == "Ready")).message, approvedStatus: (.status.conditions[] | select(.type == "Approved")).status, approvedMessage: (.status.conditions[] | select(.type == "Approved")).message} | "\nCertificateRequest: \(.certRequest)", "Certificate: \(.certificate)", "Issuer: \(.issuer)", "Ready Status: \(.readyStatus)", "Ready Message: \(.readyMessage)", "Approved Status: \(.approvedStatus)", "Approved Message: \(.approvedMessage)\n------------"'

Copy to clipboard Copied to clipboard

Learn more

This multi-line content is auto-generated and used for educational purposes. Copying and pasting the multi-line text might not function as expected.

# Set the context and namespace for the kubectl command
CONTEXT=my-context
NAMESPACE=my-namespace

# Get the certificaterequests in JSON format using kubectl, filter the results with jq and display relevant information
kubectl get certificaterequests.cert-manager.io --context=${CONTEXT} -n ${NAMESPACE} -o json | \
  jq -r '.items[] | select(.status.conditions[] | select(.type == "Ready" and .status != "True")) | { 
    certRequest: .metadata.name, 
    certificate: (.metadata.ownerReferences[].name), 
    issuer: .spec.issuerRef.name, 
    readyStatus: (.status.conditions[] | select(.type == "Ready")).status, 
    readyMessage: (.status.conditions[] | select(.type == "Ready")).message, 
    approvedStatus: (.status.conditions[] | select(.type == "Approved")).status, 
    approvedMessage: (.status.conditions[] | select(.type == "Approved")).message 
  } | "\nCertificateRequest: \(.certRequest)", "Certificate: \(.certificate)", "Issuer: \(.issuer)", "Ready Status: \(.readyStatus)", "Ready Message: \(.readyMessage)", "Approved Status: \(.approvedStatus)", "Approved Message: \(.approvedMessage)\n------------"'

This multi-line command breaks down the original single-line command and provides comments to explain each part of the process for better understanding. It sets the context and namespace and then uses kubectl to retrieve certificaterequests in JSON format, filters the output with jq to extract specific information, and formats the results for display.

Helpful Links

---