certificate cannot be renewed, error message: "key does not match certificate"

[mbu147]

Hello,

we run an OpenShift cluster in Azure (ARO) with openshift-routes and cert-manager, both deployed as Helm charts via ArgoCD.
cert-manager: v1.14.4
openshift-routes: v0.5.0

When one of our certificates needs to be renewed, it fails with the message "Key does not match certificate".
To work around this problem, we can recreate the entire route from scratch without the old certificate.

cert-manager-openshift-routes/route/sync "msg"="failed to populate route certificate" "error"="key does not match certificate (route: <namespace>/<route name>)" "resourceVersion"="1069859259" "route"={"Namespace":"<namespace>","Name":"<route name>"}

Does anyone already know this error and know how we can fix it?

Thanks!

[of-vincentvandam]

We had the same problem, and ended up removing the orders and certificaterequests resources for these routes. Looking at the code, maybe just removing the cert-manager.io/next-private-key annotation from the route would have worked as well?

[ctml91]

Experienced the same problem.