4 Troubleshooting OCCM

This section provides information to troubleshoot common errors that occur while installing and upgrading OCCM.

4.1 Configuration Related Issues

This section describes the most common deployment related issues and their resolution steps. It is recommended to perform the resolution steps provided in this guide. If the issue still persists, then contact My Oracle Support.

4.1.1 Issuer and Certificate Related Errors

This section describes the following issuer and certificate related issues and their resolution steps:

Secret Name Format Error

Problem: The format in which the Kubernetes secret is provided is incorrect.

For example:

test_secret : Here, underscore is not allowed

Test-secret: Here, uppercase is not allowed

Solution: You must provide a valid string that is in compliance with kubernetes regex. It must have lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. For more information, see Oracle Communications Cloud Native Core, Certificate Management Installation, Upgrade and Fault Recovery Guide.

For example:

occm-mac-secret

nrf-tls-secret

Namespace Format Error

Problem: The format in which the Kubernetes namespace is provided in the secret input is incorrect.

For example:

test_ns : Here, underscore is not allowed

Test-ns: Here, uppercase is not allowed

Solution: You must provide a valid string in compliance with Kubernetes regex. It must have lower case alphanumeric characters or '-', and must start and end with an alphanumeric character.

For example:

occm-ns

ocncc-thrust5-02

Secret Key Error

Problem: Secret data can't be found against key(s) and the configured secret key(s) are incorrect. Configured keys are not present in the Kubernetes secret or incorrect key names are provided in the input configuration.

Solution: Revisit the Kubernetes secret and provide the correct keys (filenames) in the configuration.

Input String Error

Problem: The number of characters in the string entered by the user exceeds the character limit.

Solution: The user must enter a string that does not exceed the character limit.

Incomplete TrustStore Secret Error

Problem: OCCM TrustStore secret input has missing fields. This could be because OCCM TrustStore input secret is incomplete. CA certs are missing for certificate validation.

Solution: Verify the OCCM TrustStore input secret and provide a valid one.

Invalid Secret Name

Problem: Secret name already in use as a certificate configuration already points to the same destination secret.

Solution: Provide a unique destination secret name.

Repeated Secret Error

Problem: Secret already exists on the server. In automatic life cycle management of certificate, a fresh secret is created.

Solution: Either provide a unique secret name or set the override secret flag to true. This will enable OCCM to override the existing secret.

Secret Doesn't Exist Error

Problem: Secret doesn't exist with this name. This could be because secret holding the manually created certificate (not via OCCM) doesn't exist on the server. For OCCM to start monitoring it, you must provide the corresponding input secret holding the key or certificate.

Solution: Provide details of the Kubernetes secret holding key or certificate.

Unique Secret Key Error

Problem: Secret key should be unique for same secret names. Same destination secrets may be having same keys in the Certificate configuration. Secret Key (FileNames) should be unique to avoid overriding of data.

For Example: 
"privateKeyK8sSecretOut": {
            "namespace": "occm",
            "name": "test-secret",
            "key": "occm.pem"
    }

"certK8sSecretOut": {
        "namespace": "occm",
        "name": "test-secret",
        "key": "occm.pem"
    }

Solution: Provide unique destination secret (name, namespace, and key) in the configuration.

For Example:
"privateKeyK8sSecretOut": {
            "namespace": "occm",
            "name": "test-secret",
            "key": "nrfkey.pem"
    }

"certK8sSecretOut": {
        "namespace": "occm",
        "name": "test-secret",
        "key": "nrfcert.pem"
    }

CA Bundle Secret Error

Problem: CA Bundle secret doesn't exist. This could be because CA bundle check is skipped if the input configuration is not provided. If provided, it is validated whether the provided secret exists or not.

Solution: Either skip providing input CA bundle secret details or provide a valid secret.

Invalid MAC Secret Error

Problem: Invalid MAC secret has been passed because the MAC secret provided in input MAC secret is not in valid format.

For example:

12345: Here, the secret doesn't start with the prefixes.

Solution: MAC secret is expected to have following arguments.

pass: password

env: var

file: pathname

fd: number

stdin

Invalid File Format

Problem: The key or certificate files provided don't have a valid file name. This could be because the file doesn't have an extension or a period in the end.

For example:

file: This has a period at the end

abc: This doesn't have an extension

Solution: Provide a valid file name with OCCM supported extensions.

For example:

occmkey.pem

occmcert.pem

Delete Issuer Error

Problem: Issuer can not be deleted as it is in use by certificate(s).

Solution: Delete the mapped certificates first, followed by the corresponding issuer.

Issuer ID Error

Problem: Issuer ID and name do not match because the issuer edit payload doesn't have corresponding issuer ID and name.

Solution: Verify the payload and provide the name corresponding to the issuer ID or vice versa.

Issuer Already Exists Error

Problem: Issuer already exists with given name.

Solution: Provide a unique issuer name.

Incorrect UUID Error

Problem: The uuid in the request parameter does not match the uuid in the uuid in the request body attributes. This could be for the following reasons:
  • The uuid in the request parameter is blank.
  • The uuid does not match the uuid in the certificate configuration.

Solution: The uuid in the request parameter must match the uuid in the request body attributes. Update the uuid in the request parameter.

Unable to Trigger Recreate Request

Problem: The user is unable to trigger a new recreate request because a request has already been received for the uuid.

Solution: An older recreate request is in progress. User can trigger a new request when the previous request completes processing.

Recreation Request Rejected as the Authentication Input has expired

Problem: The user is unable to recreate the OCCM certificate because the authentication input for OCCM certificate or the certificate configured under Initial CMP Client(OCCM) Authentication Options has expired.

Solution: Configure a valid active certificate in the authentication input for the OCCM certificate under Initial CMP Client(OCCM) Authentication Options.

Recreation Request Rejected as the Authentication Input is Not Available

Problem: The user is unable to recreate the OCCM certificate because no authentication input for OCCM under Initial CMP Client(OCCM) Authentication Options has been given.

Solution: Configure a valid active certificate in the authentication input for the OCCM certificate under Initial CMP Client(OCCM) Authentication Options.

Unable to Merge Certificate and Certificate Chain

Problem: The request to merge certificate and certificate chain is rejected if the Merge Cert and Chain option is selected but the secret items for the certificate and certificate chain are different.

Solution: Configure same secret item for both certificate and certificate chain.

Namespace is not Included in the Accessed Namespaces List

Problem: The user encounters logs that say the namespace used in the issuer or certificate configuration is not a part of the accessed namespaces list when upgrading OCCM. This indicates that the namespace used in the previous deployment was not included in the occmAccessedNamespaces list. This can happen for the following possible reasons:
  • The certificate may have failed in the earlier deployment because the namespace did not have the permissions needed to create or read secrets.
  • A sub-namespace might have been used which was not added to the occmAccessedNamespaces list.
These warning logs indicate that going forward, this namespace will not be accepted unless it is explicitly added to the occmAccessedNamespaces list.
Solution:
  1. If a certificate fails because of namespace validation, the user can delete and create it again, and ensure that the namespace is included in the occmAccessedNamespaces list. Alternatively, the user can edit the certificate configuration or add the missing namespace to the list.
  2. For sub-namespaces, there is no immediate impact. However, future requests using sub-namespaces will be rejected unless they are already present in the occmAccessedNamespaces list.

Unable to get Resource Secrets in the Namespace as the Secret is Forbidden

Problem: The user may encounter the forbidden secret error for the following possible reasons:
  • They don't have the permissions required to create secrets in the specified namespace.
  • When using a custom ServiceAccount, all relevant namespaces must be listed in occmAccessedNamespaces. This error happens if the list includes a namespace not covered by the custom service account.
Solution: There are two possible solutions for this scenario:
  • Delete the issuer or certificate configuration and update the namespace to one listed in occmAccessedNamespaces.
  • Create the necessary roles and role bindings using the custom service account to enable access to the desired namespace.

Unable to Edit Issuer or Certificate Configuration After Upgrade as Namespace is not Included in the Accessed Namespaces List

Problem: If a namespace is used to create an issuer or certificate in a previous release, but that namespace is not included in the occmAccessedNamespaces list, the user will encounter an error when trying to edit the issuer or certificate after upgrading. In this scenario, the user will see the "Input namespace is not a part of the accessed namespace list." error message.

Solution: The user must ensure that the namespace is added to the occmAccessedNamespaces list before upgrading.

Unable to Edit Certificate Configuration

Problem: The edited configuration contains fields that can not be edited after the certificate is created. This error is seen when the user wants to edit those fields for successfully created certificate (the current status may or may not be READY) that can not be edited after the certificate already exists.

Solution: The following fields can't be edited if the certificate already exists for the configuration:
  • Name
  • Cert Type
  • Network Function
  • Creation Mode
  • Overwrite Secret
  • Kubernetes secret details such as name, namespace, and key

4.1.2 CMP Related Issues

This section describes the following CMP related issues and their resolution steps:

Server URL Error

Problem: The issuer URL provided in the serverURL field of issuer configuration is not reachable.Could be an incorrect URL (incorrect port etc). This is causing the following errors:

CMP error: error sending server <server IP>

CMP error:transfer error

Error running CMP command

Solution: Provide a valid server URL by editing issuer configuration.

Issuer Configuration Error

Problem: Pre-shared key (MAC secret) configured in 'CMP protection for OCCM certificate' is incorrect. This is causing the following errors:

CMP error: wrong pbm value

CMP error: error validating protection

Solution: Update the issuer config with correct secret

CMP Server Certificate Error

Problem: The server certificate configured in the OCCM trust store configuration is different from that of the sender (CMP or CA server) certificate. This certificate is used for verifying signature-based protection of CMP response messages. This is causing the following errors:

CMP info: received IP

CMP info: actual name in sender DN field =<>

CMP info: does not match expected sender=<DN from server cert configured in OCCM trust store>

Solution: Update the issuer configuration with correct secret

Certificate Path Validation Error

Problem: The certificates configured in OCCM trust store are invalid or incomplete for certificate path validation of the CMP server certificate. This is causing the following errors:

CMP info: received IP

CMP error: no suitable sender cert:for msg sender name name= <CMP server DN>...

CMP error: error validating protection

Solution: Configure OCCM trust store with the corresponding CA server certificate or chain.

4.1.3 TLS Related Issues

This section describes the following TLS related issues and their resolution steps:

Hostname validation failed

Error: Hostname validation failed. The TLS server certificate presented does not have the expected server URL IP. This is causing the following errors:

CMP:apps/cmp.c:2088:CMP info: will contact https://<CA server Alias> CMP DEBUG: Starting new transaction with ID=3B:C4:18:32:75:E5:E5:C2:18:B6:5A:52:E4:AD:D2:93 CMP info: sending IR CMP DEBUG: connecting to CMP server <server IP> using TLS CMP DEBUG: disconnected from CMP server CMP error: certificate verification failed:Certificate verification at depth = 0 error = 64 (IP address mismatch)

CMP:apps/cmp.c:2088:CMP info: will contact https://<CA server Alias> CMP DEBUG: Starting new transaction with ID=<Transaction ID> CMP info: sending IR CMP DEBUG: connecting to CMP server <server IP> using TLS CMP DEBUG: disconnected from CMP server CMP error: certificate verification failed:Certificate verification at depth = 0 error = 64 (IP address mismatch)

Expected IP address = <IP> Failure for: certificate

CMP error: certificate verify failed CMP error: error sending CMP error: transfer error:request sent: IR, expected response: IP

CMP error: certificate verify failed CMP error: error sending CMP error: transfer error:request sent: IR, expected response: IP

Solution: Verifiy the TLS server certificate. One possibilty could be that the certificate has DNS name instead of IP address. In that case pass DNS in the server URL of issuer.

Certificates configured in TLS TrustStore do not provide a valid trust anchor to authenticate server identity

Error: Certificates configured in TLS TrustStore do not provide a valid trust anchor to authenticate server identity. This is causing the following errors:

CMP info: sending IR CMP DEBUG: connecting to CMP CASERVER:8446 using TLS CMP DEBUG: disconnected from CMP server CMP error: certificate verification failed:Certificate verification at depth = 1 error = 19 (self-signed certificate in certificate chain) Failure for: certificate XXXXXX

CMP error: certificate verify failed CMP error: error sending CMP error: transfer error:request sent: IR, expected response: IP

Solution: Configure the TLS TrustStore configuration under issuer with valid trust anchor.

4.2 Miscellaneous Issues

This section describes the following miscellaneous issues and their resolution steps:

Stop infinite certificate request retries

Problem: How to stop infinite certificate request retries.

Solution: Delete the certificate configuration and recreate it by following the procedure mentioned in the Oracle Communications Cloud Native Core, Certificate Management User Guide.

Incorrect certificate expiry details

Problem: The certificate expiry details indicated in Grafana dashboard does not match with validity period of the certificate configured in corresponding Kubernetes secrets.

Solution:
  1. Check if the Kubernetes secret filled against the certificate configuration is same as what is configured in the NF for that particular interface.
  2. Check if the certificates are manually filled in. If yes, initiate certificate recreation. Except for the initial integration with NF certificates, OCCM can only manage certificates created by it. OCCM does not support manual update of the certificates being monitored.

Certificate is not renewed on time

Problem: Certificate is not getting renewed on time.

Solution:
  1. Check if the Kubernetes secret filled against the certificate configuration is same as what is configured in the NF for that particular interface
  2. Check if the certificates are manually filled in. If yes, initiate certificate recreation. Except for the initial integration with NF certificates, OCCM can only manage certificates created by it. OCCM does not support manual update of the certificates being monitored.

Failed certificate creation

Problem: Certificate creation has failed.

Solution: Certificate creation could fail due to various reasons, OCCM metrics, alert and logs can be used to identify the root cause.

Failed Certificate Renewal

Problem: Certificate renewal has failed.

Solution:
  • Check CA connection alerts and metrics.
  • Check if the current certificate being renewed is deleted.
  • Check if the current certificate is already expired in which case OCCM creates a critical alert indicating the same and stop retrying of renewal. Operator needs to initiate certificate recreation.

Critical certificate expiry alert while integrating with NFs

Problem: Critical alert indicating certificate expiry is raised on integrating with NFs.

Solution: Check if the current certificate is already expired in which case OCCM creates a critical alert. Operator needs to initiate certificate recreation. (Holds true for both NF and OCCM certificate)

Certificate(s) not created for integrated NFs

Problem: Certificate(s) is not created for integrated NFs.

Solution:
  1. Check the certificate configuration. Ensure that LCM type Automatic is selected for creation in the certificate configuration. If Manual is selected, OCCM expects that the certificate is already present.
  2. Check if the Kubernetes secret filled against the certificate configuration is same as what is configured in the NF for that particular interface.

OCCM Certificate Expires When NF Certificate is About to Renew

Problem: The NF certificate is about to renew using the OCCM certificate as the signer certificate, that is, the Helm parameter useKurOldCertMode is set to true when the OCCM certificate expires.

Solution: OCCM will attempt retries for NF certificate renewal, waiting for the OCCM certificate to be in ready state. As soon as the OCCM certificate is ready, the NF certificate will use it and renewal will succeed. To manually create OCCM certificate and get it onboarded in OCCM, perform the same steps as in the OCCM certificate is expired scenario.

OCCM Certificate Expires, Secret is Deleted, or Certificate is Revoked

Problem: The certificate expires, secret is deleted, or certificate is revoked.

Solution: Recreate the certificate. For the procedure to recreate certificates, see Recreating Certificates in the Oracle Communications Cloud Native Core, Certificate Management User Guide.

No Alert When Certificate in Secret is Manually Updated or Deleted

Problem: The operator doesn't get an alert when certificate in secret is manually updated or deleted.

Solution: Verify that the monitoring service started successfully by checking that the k8sSecretMonitoring flag in custom values file.

Run the following command to Verify if the occm_alerting_rules_promha.yaml alert file has been applied or not. 
kubectl get PrometheusRule -n <namespace>

Automatic Recreation is not Triggered

Problem: Automatic recreation is not triggered when certificate in the secret is manually updated or deleted.

Solution: Verify that the monitoring service started successfully by checking that the k8sSecretMonitoring flag in custom values file.

Check if the secret getting modified or deleted is input type or output type. Automatic recreation is triggered for output type secrets when there is mismatch of data in updated certificate with certificate configuration in OCCM. Or, Output certificate secret is deleted.

If output type certificate or secret is modified, then only validity update happens and no recreation happens.

For input type certificate or secret only alert is raised.

Automatic Recreation Fails when OCCM Certificate Secret is Manually Deleted

Problem: Automatic recreation is not triggered when OCCM certificate secret is deleted or modified because input secret and OCCM certificate secret provided in issuer configuration are the same.

Solution: Auto recreation is not supported if the authentication input for OCCM certificate or certificate in Initial CMP Client(OCCM) Authentication Options is:
  1. missing
  2. has an expired certificate configured
  3. same secret is configured in the authentication inputs of OCCM (Initial CMP Client(OCCM) Authentication Options) and Other Certificate (CMP Client Authentication Options For Other certificate).
In this case, operator must manually configure the OCCM certificate in the secret.

Namespace is Deleted Manually Where the Secret was Ceated and Error Code 403 is logged in the Logs

Problem: This could be a due to hierarchical namespace or service account does not have the permission to read the namespace.

Solution:
  1. Check the type of namespace and the behavior is fine.
  2. Check permission of service account.
  3. Provide access to the service account.

Expired Certificate Handling

Problem: When CMP Identity (OCCM) or End Entity(NF) certificate expiry is detected, recreation of certificate will be attempted.

In case, the recreation of certificate fails then critical alert will be raised mentioning certificate is expired. If the recreation is successful, then certificate validity is updated.

Solution: Perform the following steps if certificates are expired and recreate fails:

For End-Entity (NF) certificates:
  1. Check the logs to identify the root cause. The possible cause could be CA connection failure.
  2. As a resolution, recreate the certificate if CA is accessible. Alert will be cleared once recreation is successful.
  3. If CA is still down then create End-Entity (NF) certificate manually and update details in secret, which is automatically monitored by OCCM.
For CMP Identity (OCCM) certificates:
  1. Check the logs to identify the root cause. The possible cause could be CA connection failure. In this case the operator must manually configure the CMP Identity certificate.
  2. Get the Kubernetes secret name corresponding to OCCM key and certificate location from the mapped issuer. This information is available under the CMP client authentication options for Other Certification section of the issuer.
  3. Create the CMP Identity (OCCM) certificate manually and update the secret.
  4. OCCM will start monitoring the certificate and alert will be automatically cleared.

Delay in Monitoring Certificates for Manual Updates

Problem: Delay in Monitoring Certificates for Manual Updates.

When 200 certificate secrets are modified or deleted then alert and certificate recreation will be attempted. The alert can be delayed by maximum of five minutes to generate the first alert and certificate recreation.

When few or one certificate secrets are modified or deleted then alert and certificate recreation will be attempted. The alert can be delayed by maximum of one minutes to generate the first alert and certificate recreation.

Following are the factors that can delay the alerts:
  • Network delays
  • API server load
  • Watch event buffering

Rolling Back OCCM to Previous Helm Release After Editing Certificate Configuration

Problem: Rolling back OCCM to previous helm release after editing the certificate configuration.

Solution: It is not recommended to perform any configurations during the upgrade and rollback window. However, if any of the certificates are edited after the release is upgraded and a subsequently rolled back to the previous version, the edited certificates must be manually recreated after the rollback.

4.3 OCCM Error Codes

The following are the types of OCCM error codes and their descriptions:

Table 4-1 Kubernetes Secret Error Codes

Error Code Description
ERR_MISSING_Kubernetes_SECRET When the Kubernetes secret is not found for further processing.
ERR_INCORRECT_K8s_SECRET_KEY When the Kubernetes secret doesn't contain the configured key.
ERR_INVALID_K8S_NAMESPACE_FORMAT When the format of Kubernetes namespace doesn't comply with the accepted values. Refer installation guide for regex information.
ERR_INVALID_K8S_SECRET_NAME_FORMAT When the format of Kubernetes secret name doesn't comply with the accepted values. Refer installation guide for regex information.

Table 4-2 Certificate Error Codes

Error Code Description
ERR_OCCM_CERT_NOT_READY NF certificate creation fails with ERR_OCCM_CERT_NOT_READY, if OCCM certificate is not yet created.
ERR_MISSING_CERT_TO_BE_RENEWED When the certificate to be renewed doesn't exist in the Kubernetes secret specified in the configuration.
ERR_RENEW_BEFORE_GREATER_THAN_OR_EQUALS_TO_CERT_ACTUAL_VALIDITY When the renew before period configured ends up being greater than the certificate validity. The renewal is not triggered in this case.
ERR_INVALID_X509_CERT When the certificate received from CA is not a valid X.509 certificate.
ERR_UNABLE_TO_RECREATE When the certificate recreation is unsuccessful.

Table 4-3 Missing mandatory fields in configuration

Error Code Description
ERR_MISSING_MANDATORY_FIELDS_IN_CMP_PROTECTION_SECRET_MAC Either name, namespace, password key or reference key is not provided while configuring MAC secret.
ERR_MISSING_MANDATORY_FIELDS_IN_CMP_PROTECTION_SECRET_SIGNATURE Either name, namespace, key or certificate is not provided while configuring Sign secret.
ERR_MISSING_MANDATORY_FIELDS_IN_PRIVATE_KEY_OUTPUT_LOCATION_CONFIG Missing fields in private key secret output location in certificate configuration.
ERR_MISSING_MANDATORY_FIELDS_IN_CERT_OUTPUT_LOCATION_CONFIG Missing fields in certificate secret output location in certificate configuration.
ERR_MISSING_MANDATORY_FIELDS_IN_CERT_CHAIN_OUTPUT_LOCATION_CONFIG Missing fields in certificate chain secret output location in certificate configuration. Either all fields should be provided or none.
ERR_MISSING_MANDATORY_FIELDS_IN_CA_BUNDLE_SECRET Missing fields in CA bundle input secret in certificate configuration. Either all fields should be provided or none.

Table 4-4 CMP Error Codes

Error Code Description
ERR_CMP_COMMAND_FAILED When CMP command execution fails. It can be during key pair generation, CSR creation or CA interaction.
ERR_CMP_COMMAND_TIMEOUT When CMP command execution doesn't complete within the configured time.

Table 4-5 Private Key Error Codes

Error Code Description
ERR_MISSING_KEY_ALGO When key algorithm is not provided for private key generation.
ERR_MISSING_KEY_SIZE When key size is not provided for RSA key.
ERR_MISSING_ECCURVE When EcCurve is not provided for EC key.

Table 4-6 Invalid Input Error Codes

Error Code Description
ERR_INVALID_DN When the format of DN (recipientDN or issuerDN) doesn't comply with the accepted values. Refer to Oracle Communications Cloud Native Core Certificate Management Installation, Upgrade, and Fault Recovery Guide for regex information.
ERR_INVALID_IP When the IP configured in SAN is not valid.
ERR_INVALID_DNS When the format of DNS (configured in SAN) doesn't comply with the accepted values. Refer installation guide for regex information.
ERR_INVALID_URIIDURN When the format of URN (configured in SAN) doesn't comply with the accepted values. Refer installation guide for regex information.
ERR_SYNTAX_ERROR_IN_URI When the URI (configured in server URL and in SAN) has synatx error.
ERR_INVALID_NAMESPACE When the namespace is not included in the accessed namespace list.

Table 4-7 Miscellaneous Codes

Error Code Description
ERR_MAX_CERT_LIMIT_REACHED When the total number of certificate created exceeds the configured limit.
ERR_MAX_ISSUER_LIMIT_REACHED When the total number of issuers created exceeds the configured limit.
ERR_MAX_NS_LIMIT_REACHED When the total number of namespaces configured exceeds the configured limit.
ERR_CERT_NOT_FOUND When the certificate does not exist for further processing.
ERR_ISSUER_NOT_FOUND When the issuer does not exist for further processing.
ERR_ISSUER_IN_USE When the delete or edit are requested for issuer which is referenced by at least one certificate.
ERR_BULK_CERT_MIGRATION_LIMIT_EXCEEDED When the total number of bulk certificate migrations exceeds the configured limit.

Table 4-8 TLS Codes

Error Code Description
ERR_INVALID_SERVER_URL_SCHEME When TLS is enabled and server URL scheme is other than HTTPS.

OR

When the TLS is disabled but the server URL scheme is HTTPS.
ERR_MISSING_TLS_TRUST_STORE_DATA When TLS is enabled but TLS TrustStore is not provided to validate the server certificate.

Table 4-9 Recreate Codes

Error Code Description
ERR_CERT_ID_MISMATCH The uuid in the request parameter is either blank or does not match the uuid in the certificate configuration.
ERR_RE_CREATE_REQUEST_EXISTS A recreate request has already been received for the uuid.
ERR_CERT_NOT_IN_READY_OR_EXPIRED_STATE The recreate certificate request can't be processed because the certificate is not in either ready or expired status.
ERR_CERT_CONFIG_NOT_EXISTS The certificate configuration does not exist in the certificate configmap.
ERR_CERT_RE_CREATE_REQUEST_IN_PROCESS_RENEW_DELAYED The renew request is delayed because a certificate recreation request is in progress.
ERR_K8S_WATCHER_ERROR Certificate secret monitoring fails.

Table 4-10 Bulk Certificate Migrations Codes

Error Code Description
ERR_BULK_MIGRATE_ALREADY_IN_PROCESS New migration cannot be triggered or deleted when a bulk certificate migration is already inprocess.
ERR_BULK_CERT_MIGRATION_CONFIG_NOT_FOUND Bulk certificate migration configuration can not be found. It might have been deleted or not created.
ERR_CERT_NOT_READY_FOR_BULK_MIGRATE None of the certificates linked to the source issuer are either ready or in the expired state to proceed with bulk certificate migration.

Table 4-11 Edit Certificate Error Codes

Error Code Description
ERR_CERT_EDIT_ALREADY_IN_PROCESS When the previously triggered edit is not yet completed, new edit request will not be accepted.
ERR_INVALID_CERT_EDIT_CONFIG When invalid certificate configuration is sent for edit request.