Certificate Renewal Failure Runbook
Status: Bounded Public Audience: Operators Priority: P1
Objective
Resolve TLS certificate renewal failures for Edge Plane and Edge Lite nodes. Certificate renewal is manual in v1.1 for most cases.
Symptoms
- mTLS handshake failures between agent and control plane
- Certificate expiry warnings in agent logs
x509: certificate has expired or is not yet validerrors- Dashboard shows certificate nearing or past expiry
zen-locklogs show certificate distribution failures- Egress delivery failures with TLS errors
Likely Reason Codes
| Code | Description |
|---|---|
CERT_EXPIRY_DETECTED | Certificate expiry detected but automatic renewal was not triggered |
CERT_CA_UNREACHABLE | cert-manager cannot reach the CA to request renewal |
CERT_CREDENTIAL_INVALID | The credential used for renewal is invalid or revoked |
CERT_REPEATED_FAILURE | Renewal has failed multiple times consecutively |
CERT_ZENLOCK_DISTRIBUTION | ZenLock cannot distribute the renewed certificate to components |
CERT_TRUST_BUNDLE_STALE | The trust bundle used for validation is outdated |
Manual Renewal Required
Certificate renewal is MANUAL_IN_V1_1 for most cases. Automatic certificate rotation is not supported in v1.1. Operators must manually intervene when certificate expiry is detected. For Kubernetes Edge Plane, cert-manager handles automatic renewal (24h default check interval), but failures still require operator intervention. For Edge Lite, no automatic renewal mechanism exists in v1.1.
Safe Checks
- Check certificate expiry dates:
- Kubernetes:
kubectl get certificates -n zen-mesh - Agent logs: search for
x509orcertificateentries
- Kubernetes:
- Verify
cert-managerpod is running:kubectl get pods -n zen-mesh -l app=cert-manager - Check ZenLock pod status:
kubectl get pods -n zen-mesh -l app=zen-lock
- Verify system clock is synchronized (certificate validation depends on accurate time):
timedatectl show --property=NTPSynchronized
- Review certificate renewal logs:
kubectl logs -n zen-mesh -l app=cert-manager --tail=50
Evidence to Collect
- Certificate list and expiry timestamps:
kubectl get certificates -n zen-mesh -o wide
cert-managerlogs (last 100 lines)- ZenLock logs (last 50 lines):
kubectl logs -n zen-mesh -l app=zen-lock --tail=50
- Agent TLS handshake errors from agent logs
opensslverification output:openssl s_client -connect api.zen-mesh.io:443 -showcerts 2>&1- Certificate renewal event history from Kubernetes events:
kubectl get events -n zen-mesh --field-selector reason=Certificate renewal
Corrective Actions
- Expiry detected — Trigger manual certificate renewal through
cert-manageror regenerate certificates:For Edge Lite, regenerate the enrollment bundle from the dashboard (enrollment includes fresh certificate material).kubectl delete certificate -n zen-mesh <certificate-name>kubectl apply -f <certificate-manifest> - CA unreachable — Verify network connectivity between
cert-managerand the CA endpoint. Checkcert-managerissuer configuration. - Credential invalid — Verify the issuer credentials are current. Update or reissue the issuer secret. Check if the issuing account has been rotated or deactivated.
- Repeated failures — Suspend automatic retry and investigate the root cause. Check
cert-managerlogs for the specific failure reason. If the CA is degraded, use a backup CA if available. - ZenLock distribution failure — Verify ZenLock is operational. Restart ZenLock if necessary:
kubectl rollout restart -n zen-mesh deployment/zen-lock
- Trust bundle stale — Re-import the current trust bundle from the control plane. Restart the agent to pick up the updated bundle.
Retry Conditions
- CA endpoint confirmed reachable
- Issuer credentials verified or replaced
- ZenLock confirmed operational
- Trust bundle updated
- Time-synchronization confirmed within 5 minutes of NTP
Stop Conditions
- Certificate renewal confirmed with valid expiry date
- All mTLS handshakes restored
- No further certificate errors in agent logs
cert-managerreportsCertificateReadycondition:True- Error identified as permanent (e.g., issuer account permanently deactivated)
Prohibited Actions
- Direct database mutations
- Bypassing authorization
- Copying credentials between tenants
- Deleting evidence to clear an error
- Uncontrolled repeated retries
- Manually modifying certificate secrets in Kubernetes
- Setting certificate expiry dates to the past to suppress warnings
- Using self-signed certificates for production without authorization
Escalation
If certificate renewal continues to fail after corrective actions, escalate to:
- Internal: #zen-ops Slack channel
- Vendor: zen@zen-mesh.io with evidence bundle attached
- GitHub: File an issue at https://github.com/zenmesh/zen-platform/issues
Include: certificate list, cert-manager logs, ZenLock logs, agent TLS errors, and network trace to CA endpoint.
Recovery Verification
- Certificate expiry date shows future date:
kubectl get certificates -n zen-mesh -o wide
- Agent establishes mTLS connection without error:
kubectl logs -n zen-mesh -l app=zen-agent --tail=20 | grep -i tls
- No
x509errors in any component logs for 5 minutes - Dashboard shows certificate status as valid
- Test event delivery succeeds (if applicable)