Error: Your connection is not private

If you're getting a TLS error for a service that uses kube-lego, try deleting the TLS secret so that kube-lego generates a new one.


We’re using kube-lego together with the standard nginx ingress controller for Kubernetes. The site was working fine with TLS, but after we changed the hostname and redeployed, we started getting the following error.

TLS Privacy Error


This may be caused by a stale kube-lego secret which is used to store the Let’s Encrypt certificates. If the secret was previously created with a different hostname, kube-lego doesn’t seem to realize that it should regenerate it. Try deleting the secret containing the TLS certificates for your service. After this, kube-lego should automatically regenerate the certificates. Worst case, redeploy your service after deleting the secret.


If the service was deployed as part of a helm chart, then deleting the release will not be sufficient to delete the kube-lego secret. This is because the secret is not created by the helm chart, but by kube-lego. Manually delete the TLS secret containing the kube-lego certificates for your service.

Other Considerations

  • Make sure that external-dns is working and that all public DNS names are resolvable. Let’s Encrypt makes a request to /.well-known/acme-challenge, so functioning DNS is a requirement.
  • Make sure that Let’s Encrypt API limits haven’t been reached. Tailing the logs of kube-lego will provide more information about what’s going on.
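The following script is an added example, not part of the original post or of kube-lego itself. It ties the two halves of the post together: before deleting a secret, it compares the DNS names in the certificate stored in the secret with the hosts the ingress actually declares, checks that each host resolves and answers on the challenge path, and only deletes the secret when the certificate really is stale. `NAMESPACE`, `INGRESS` and `SECRET` are placeholder names you substitute for your own service; it assumes `kubectl`, `openssl`, `awk`, `getent` and `curl` are on `PATH`.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# deleting a kube-lego TLS secret. NAMESPACE, INGRESS and SECRET are
# placeholders for your own names; run as `./check.sh --check`.

# Pull the DNS SANs out of `openssl x509 -text` output read on stdin and
# print them space-separated on one line (pure awk, so it needs no cluster).
san_from_text() {
  awk '/Subject Alternative Name/ {
         getline; n = split($0, f, ","); out = ""
         for (i = 1; i <= n; i++) {
           sub(/^[ \t]*/, "", f[i])
           if (f[i] ~ /^DNS:/) out = out (out == "" ? "" : " ") substr(f[i], 5)
         }
         print out }'
}

# Return 0 if every host in $1 appears in $2 (both whitespace-separated).
# kube-lego issues per-name certificates via HTTP-01, so exact matching is
# enough; wildcard names are not a concern here.
hosts_covered() {
  for h in $1; do
    printf '%s\n' $2 | grep -qxF -- "$h" || return 1
  done
  return 0
}

# Hosts listed in the ingress rules (needs a cluster).
ingress_hosts() {
  kubectl -n "$NAMESPACE" get ingress "$INGRESS" \
    -o jsonpath='{range .spec.rules[*]}{.host}{" "}{end}'
}

# DNS names in the certificate stored in the secret's tls.crt (needs a cluster).
secret_hosts() {
  kubectl -n "$NAMESPACE" get secret "$SECRET" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -text | san_from_text
}

# Confirm each host resolves and that something answers on port 80, where
# Let's Encrypt will look for /.well-known/acme-challenge/. The "probe" token
# is constructed, so a 404 is the expected healthy answer; a 000 means the
# ingress was not reachable at all.
probe_hosts() {
  for h in $1; do
    getent hosts "$h" >/dev/null || { echo "DNS: $h does not resolve"; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' \
      "http://$h/.well-known/acme-challenge/probe") || code=000
    echo "HTTP $code from $h on the challenge path"
  done
}

if [ "${1:-}" = "--check" ]; then
  : "${NAMESPACE:=default}" "${INGRESS:?set INGRESS}" "${SECRET:?set SECRET}"
  want=$(ingress_hosts); have=$(secret_hosts)
  probe_hosts "$want"
  if hosts_covered "$want" "$have"; then
    echo "secret $SECRET already covers [$want]; check kube-lego logs and rate limits instead"
  else
    echo "secret $SECRET has [$have] but the ingress wants [$want]; deleting so kube-lego re-issues"
    kubectl -n "$NAMESPACE" delete secret "$SECRET"
  fi
fi
```

The deletion is gated on the hostname mismatch on purpose: if the certificate already covers every ingress host, deleting the secret just burns another Let's Encrypt issuance against the rate limit without fixing anything, and the kube-lego logs are the better place to look.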

Troubleshooting Resources