Tags: azure, kubernetes-ingress, azure-aks, lets-encrypt, cert-manager

letsencrypt cert request failing for AKS ingress


I'm trying to set up an ingress with TLS and an automatically provisioned certificate as per the instructions here for a new AKS deployment.

I initially configured all this but failed to get the static IP address assigned to the LB because I used an older script to create the IP address with the wrong SKU. After fixing the IP address I tried to re-create the cluster issuer, ingress and certificate using the production server without success. The error I see in the order, from the following kubectl command:

kubectl describe order ao-tls-secret-12341234-12341234

Reason: Failed to finalize Order: 400 urn:ietf:params:acme:error:malformed: Error finalizing order :: certificate public key must be different than account key

I tried to switch over to the letsencrypt staging server and received a certificate back right away. Switched back to the production server and it's hanging again.


Solution

  • As the error says, you shouldn't be using the same secretName for both the Let's Encrypt account private key (the one referenced by issuer.spec.acme.privateKeySecretRef) as well as the Certificate's actual certificate (ingress.spec.tls[].secretName).

    Usually, you'd name your account private key secret something more like letsencrypt-staging-private-key and name your ingress's certificate something similar to what you've got now (e.g. vs-portal-tls-secret).

    The Issuer private key is used to identify your ACME account with the ACME server, and it has no relation to the private key that is used to serve with.

    https://github.com/jetstack/cert-manager/issues/1387
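To make the naming rule in the answer concrete, here is an added example (not from the question, the answer, or the cert-manager project) showing the colliding configuration next to the corrected one. It assumes a current cert-manager API (apiVersion cert-manager.io/v1), an nginx ingress class, a namespaced Issuer living in the same namespace as the Ingress, and placeholder values for the e-mail address, hostname and namespace; the secret name vs-portal-tls-secret is the one mentioned in the answer.

```yaml
# Added example, not part of the original page.
# Assumptions: cert-manager.io/v1 API, nginx ingress class, all objects in
# the placeholder namespace "vs-portal". Replace the placeholders before use.
---
# BEFORE (causes "certificate public key must be different than account key"):
# the ACME account key and the served certificate are stored under one name.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: vs-portal
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder
    privateKeySecretRef:
      name: vs-portal-tls-secret          # WRONG: same name as the Ingress TLS secret
    solvers:
    - http01:
        ingress:
          class: nginx
---
# AFTER: the account key gets its own secret, the certificate keeps its own.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: vs-portal
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # identifies the ACME account only
    solvers:
    - http01:
        ingress:
          class: nginx
---
# Ingress requesting the certificate; cert-manager writes the issued cert and
# its (separate) private key into spec.tls[].secretName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vs-portal
  namespace: vs-portal
  annotations:
    cert-manager.io/issuer: letsencrypt-prod   # refers to the Issuer above
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - portal.example.com                  # placeholder hostname
    secretName: vs-portal-tls-secret      # certificate + serving key, never the account key
  rules:
  - host: portal.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vs-portal
            port:
              number: 80
```

The question used a ClusterIssuer; the same rule applies there, with the difference that a ClusterIssuer stores its account key in cert-manager's own namespace (the cluster resource namespace, "cert-manager" by default), so the collision only shows up when the Ingress lives in that same namespace. After renaming, delete the stale secret that held the reused key and the failed Certificate/Order objects so cert-manager registers the account with a fresh key and retries the order; `kubectl describe order` should then no longer report the malformed error.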