Orders

Order resources are used by the ACME issuer to manage the lifecycle of an ACME ‘order’ for a signed TLS certificate.

When a Certificate resource is created that references an ACME issuer, cert-manager will create an Order resource in order to obtain a signed certificate.

As an end-user, you will never need to manually create an Order resource. Once created, an Order cannot be changed. Instead, a new Order resource must be created.

Debugging Order resources

In order to debug why a Certificate isn’t being issued, we can first run kubectl describe on the Certificate resource we’re having issues with:

$ kubectl describe certificate example-com

...
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  Generated     1m    cert-manager  Generated new private key
  Normal  OrderCreated  1m    cert-manager  Created Order resource "example-com-1217431265"

We can see here that Certificate controller has created an Order resource to request a new certificate from the ACME server.

Orders are a useful source of information when debugging failures issuing ACME certificates. By running kubectl describe order on a particular order, information can be gleaned about failures in the process:

$ kubectl describe order example-com-1248919344

...
Reason:
State:         pending
URL:           https://acme-v02.api.letsencrypt.org/acme/order/41123272/265506123
Events:
  Type    Reason   Age   From          Message
  ----    ------   ----  ----          -------
  Normal  Created  1m    cert-manager  Created Challenge resource "example-com-1217431265-0" for domain "test1.example.com"
  Normal  Created  1m    cert-manager  Created Challenge resource "example-com-1217431265-1" for domain "test2.example.com"

Here we can see that cert-manager has created two Challenge resources in order to fulfil the requirements of the ACME order to obtain a signed certificate.

You can then go on to run kubectl describe challenge example-com-1217431265-0 to further debug the progress of the Order.

Once an Order is successful, you should see an event like the following:

$ kubectl describe order example-com-1248919344

...
Reason:
State:         valid
URL:           https://acme-v02.api.letsencrypt.org/acme/order/41123272/265506123
Events:
  Type    Reason      Age   From          Message
  ----    ------      ----  ----          -------
  Normal  Created     72s   cert-manager  Created Challenge resource "example-com-1217431265-0" for domain "test1.example.com"
  Normal  Created     72s   cert-manager  Created Challenge resource "example-com-1217431265-1" for domain "test2.example.com"
  Normal  OrderValid  4s    cert-manager  Order completed successfully

If the Order is not completing successfully, you can debug the challenges for the Order by running kubectl describe on the Challenge resource.

For more information on debugging Challenge resources, read the challenge reference docs.