Monitoring cert-manager certificate renewal
How to monitor when your certificates are nearing their expiry, confirm that cert-manager is renewing them, and verify that dependent certificates are also renewed and related pods are restarted.
CA certificate renewal
If cert-manager renews a CA certificate, you must renew all the certificates that the CA signs. See API Connect TLS certificates reference.
Monitoring when your certificates are due to expire
Check when your certificates are due to expire with the following command:
kubectl -n <namespace> get certificate -o custom-columns=NAME:metadata.name,DURATION:spec.duration,RenewBEFORE:spec.renewBefore,NotAFTER:status.notAfter
Example output:
NAME                         DURATION     RenewBEFORE   NotAFTER
analytics-ingestion-client   17520h0m0s   720h0m0s      2025-08-28T08:25:58Z
api-endpoint                 17520h0m0s   720h0m0s      2025-08-28T08:28:40Z
apim-endpoint                17520h0m0s   720h0m0s      2025-08-28T08:28:21Z
The example output shows that your analytics-ingestion-client certificate is due to expire at 2025-08-28T08:25:58Z. The RenewBEFORE property shows that cert-manager should renew this certificate 720 hours before it expires.
Monitoring the cert-manager logs
Monitor the cert-manager logs to confirm when certificates are renewed. Run the following command to display the cert-manager log:
kubectl logs <cert-manager pod name> -n <cert-manager namespace>
Example output:
I0108 14:23:18.001074 1 controller.go:129] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="default/test-cert"
I0108 14:23:18.009940 1 issue.go:109] cert-manager/controller/certificates/certificates/issue "level"=0 "msg"="certificate issued" "related_resource_kind"="Secret" "related_resource_name"="test-cert" "related_resource_namespace"="default"
I0108 14:23:18.018664 1 sync.go:331] cert-manager/controller/certificates/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="-5.018566857s" "related_resource_kind"="Secret" "related_resource_name"="test-cert" "related_resource_namespace"="default"
I0108 14:23:18.019070 1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/test-cert"
The 4 statements (shown in the example) indicate when a certificate is about to be renewed, and when the renewal is complete a few seconds later.
Tip: Set up a logs-based alerting mechanism that informs you when cert-manager renews any certificate.
Pods that require restart after certificate renewal
Some API Connect pods must be restarted when certificates that are used by the pod are renewed. The certificates that require pods to be restarted after renewal are:
analytics-ingestion-client or a7s-ing-client. Restart apim, taskmanager, and analytics-proxy pods on the management subsystem.
gateway-client-client or gw-dr-client. Restart the apim and taskmanager pods on the management subsystem.
analytics-ai-endpoint or a7s-ai-endpoint. Restart the mtls-gw pod on the analytics subsystem.
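One way to build the logs-based alert from the tip above and tie it to the restart list, as an added example that is not IBM or cert-manager code. It assumes the log format shown in the example output on this page and that the Secret name matches the certificate name; the sample log lines and the apic namespace are constructed.

```python
import re

# Restart rules copied from the list on this page: certificate -> (pods, subsystem).
MGMT_ANALYTICS = (["apim", "taskmanager", "analytics-proxy"], "management")
MGMT_GATEWAY = (["apim", "taskmanager"], "management")
ANALYTICS_AI = (["mtls-gw"], "analytics")
RESTART_RULES = {
    "analytics-ingestion-client": MGMT_ANALYTICS, "a7s-ing-client": MGMT_ANALYTICS,
    "gateway-client-client": MGMT_GATEWAY, "gw-dr-client": MGMT_GATEWAY,
    "analytics-ai-endpoint": ANALYTICS_AI, "a7s-ai-endpoint": ANALYTICS_AI,
}

# Log header as in the page's example: severity+MMDD, time, pid, file:line]
HEADER = re.compile(r'^[IWEF](\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ \S+\] ')
# "key"="quoted value" or "key"=bare_value pairs that follow the logger name
FIELD = re.compile(r'"(\w+)"=("[^"]*"|\S+)')

# Constructed sample in the page's log format; the namespace "apic" is made up.
SAMPLE_LOG = '''\
I0108 14:23:18.001074 1 controller.go:129] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="apic/analytics-ingestion-client"
I0108 14:23:18.009940 1 issue.go:109] cert-manager/controller/certificates/certificates/issue "level"=0 "msg"="certificate issued" "related_resource_kind"="Secret" "related_resource_name"="analytics-ingestion-client" "related_resource_namespace"="apic"
I0108 14:25:02.113207 1 issue.go:109] cert-manager/controller/certificates/certificates/issue "level"=0 "msg"="certificate issued" "related_resource_kind"="Secret" "related_resource_name"="api-endpoint" "related_resource_namespace"="apic"
not a klog line, ignored
'''

def restart_alerts(log_text):
    """Return one alert per "certificate issued" line, with the pods to restart."""
    alerts = []
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue  # skip anything that is not a cert-manager log record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("msg") != "certificate issued":
            continue
        # Assumption: the Secret name equals the Certificate name, as in the page's example.
        name = fields.get("related_resource_name", "")
        pods, subsystem = RESTART_RULES.get(name, ([], None))
        alerts.append({"time": f"{head.group(1)} {head.group(2)}",
                       "namespace": fields.get("related_resource_namespace", ""),
                       "certificate": name, "restart_pods": pods, "subsystem": subsystem})
    return alerts

if __name__ == "__main__":
    for alert in restart_alerts(SAMPLE_LOG):
        action = ", ".join(alert["restart_pods"]) or "no restart listed on this page"
        print(f'{alert["time"]} {alert["namespace"]}/{alert["certificate"]} renewed: {action}')
```

The timestamp is returned as logged (month, day, and time, with no year), so an alerting pipeline should add its own ingestion time.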