The cert manager is constantly updating the Certificate, causing issues with renewing the certs.
The controller shows the error:
"the object has been modified; please apply your changes to the latest version and try again"
The only option is to restart the cert manager controller to reissue the new certificate.
Comment from the customer:
The cert-manager operator sometimes fails to complete ACME certificate generation for the ingress cert. We have been able to reproduce this several times. Destroying the cert-manager pod fixes the problem, but this is not desirable. The initial failure seems to be a race condition where a secret is missing:
"Certificate must be re-issued" logger="cert-manager.certificates-trigger" key="openshift-ingress/cert-manager-ingress-cert" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"
The cert-manager logs show that it tries to re-queue but it never tries again:
"re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-readiness" key="openshift-ingress/cert-manager-ingress-cert" error="Operation cannot be fulfilled on certificates.cert-manager.io \"cert-manager-ingress-cert\": the object has been modified; please apply your changes to the latest version and try again"
I see the same errors in my reproducer lab. I see that the controller is constantly updating the status of the certificate.
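A log triage sketch for the symptom reported above, added here as an example (it is not cert-manager code and not part of the original report): it parses the quoted message and key="value" pairs of each log line and lists every Certificate key whose last logged entry is the optimistic-locking re-queue, meaning no later activity was logged for it. The sample lines are constructed from the two messages quoted in the report; the key `demo/healthy-cert` and the names `parse_line` and `stalled_keys` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# A double-quoted string that may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
MSG_RE = re.compile(QUOTED)
PAIR_RE = re.compile(r'(\w+)=' + QUOTED)
CONFLICT_MSG = "re-queuing item due to optimistic locking on resource"

# Constructed sample: messages copied from the report, demo/healthy-cert is made up.
SAMPLE_LOG = r'''
"Certificate must be re-issued" logger="cert-manager.certificates-trigger" key="openshift-ingress/cert-manager-ingress-cert" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"
"re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-readiness" key="demo/healthy-cert" error="Operation cannot be fulfilled on certificates.cert-manager.io \"healthy-cert\": the object has been modified; please apply your changes to the latest version and try again"
"re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-readiness" key="openshift-ingress/cert-manager-ingress-cert" error="Operation cannot be fulfilled on certificates.cert-manager.io \"cert-manager-ingress-cert\": the object has been modified; please apply your changes to the latest version and try again"
"Certificate must be re-issued" logger="cert-manager.certificates-trigger" key="demo/healthy-cert" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"
'''

def parse_line(line):
    """Return the line's fields as a dict (message under 'msg'), or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    # Scan only the text after the message so the message is not re-parsed.
    fields = {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(line[m.end():])}
    fields["msg"] = m.group(1)
    return fields

def stalled_keys(log_text):
    """Map each key whose final entry is a conflict re-queue to its conflict count."""
    last_msg, conflicts = {}, defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "key" not in fields:
            continue
        key = fields["key"]
        last_msg[key] = fields["msg"]  # later lines overwrite earlier ones
        if fields["msg"] == CONFLICT_MSG:
            conflicts[key] += 1
    return {k: conflicts[k] for k, msg in last_msg.items() if msg == CONFLICT_MSG}

if __name__ == "__main__":
    for key, count in stalled_keys(SAMPLE_LOG).items():
        print(f"{key}: {count} conflict(s), no activity logged after the last re-queue")
```

A key flagged here is only a candidate: if the log capture ended right after the re-queue, the retry may simply not have been logged yet.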