
Cert-manager should reconcile expired certificate on resume from system sleep #6341

@SpectralHiss

Description

This bug occurred during local development, where a short-lived (1 day) Certificate was deemed Ready and not expired after resuming from a laptop sleep state. On resume no new CertificateRequest was made and the certificate was expired.
We were testing on a k3d cluster on a laptop, and it was also reproduced on a kind cluster inside a GCP VM suspend.

Expected behaviour:
Expect any skipped reconciliation due to sleep state to occur on resume from sleep ensuring there is no inconsistent certificate.

Steps to reproduce the bug:

  • Make a VM with kind/docker
  • Install cert-manager
  • Make a self signed CA using this manifest
  • Make a 1-hour Certificate; we used this simple one:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-1-hour
  namespace: sandbox
spec:
  isCA: false
  dnsNames:
    - cert-1-hour.local
  privateKey:
    algorithm: RSA
    rotationPolicy: Always
  duration: 1h
  secretName: cert-1-hour
  issuerRef:
    name: my-ca-issuer
    kind: Issuer
  • Take the kind log
  • Pause the VM for an hour
  • Resume after 1 hour and see that the Certificate is "frozen" because it missed its renewal time; even the fixed 10-hour check mechanism doesn't catch it, so this cert would never renew.

Anything else we need to know?:
Although this is not realistic in prod, it can catch people out in development or when trialling cert-manager on their laptops; it doesn't look good when expired certs are not renewed.

Environment details:

  • Kubernetes version: 1.26.0
  • Cloud-provider/provisioner: k3d/kind (any)
  • cert-manager version: 1.12.0
  • Install method: helm

/kind bug
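The following is an added example, not cert-manager's own code and not part of the original report. It models the check the report asks for: on every reconcile (including the first one after resume), compare each Certificate's NotAfter and renewal time against the wall clock, so a renewal window that was slept through is acted on immediately instead of waiting for a timer that was armed before the suspend. The 2/3-of-lifetime renewal point is cert-manager's documented default (renewBefore defaults to one third of duration); the 1-hour certificate is constructed inline as test data in place of the tls.crt cert-manager would have written to the Secret, and the names Decide, Resync and NewTestCert are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Action is what a reconcile should do for one Certificate at a given wall-clock time.
type Action string

const (
	ActionNone    Action = "none"    // still inside the normal validity window
	ActionRenew   Action = "renew"   // renewal time has passed, certificate still valid
	ActionReissue Action = "reissue" // NotAfter has passed: the certificate is already expired
)

// RenewalTime applies cert-manager's documented default: renew once 2/3 of the
// certificate's lifetime has elapsed (renewBefore defaults to 1/3 of duration).
func RenewalTime(c *x509.Certificate) time.Time {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return c.NotBefore.Add(lifetime * 2 / 3)
}

// Decide compares the parsed certificate against the wall clock rather than
// against a timer armed at the previous reconcile. A timer armed before a
// suspend may never fire on time; the wall-clock comparison is what makes an
// expired certificate visible on the first reconcile after resume.
func Decide(c *x509.Certificate, now time.Time) Action {
	switch {
	case !now.Before(c.NotAfter):
		return ActionReissue
	case !now.Before(RenewalTime(c)):
		return ActionRenew
	default:
		return ActionNone
	}
}

// NewTestCert builds a constructed self-signed leaf with the given lifetime.
// It is test data standing in for the tls.crt in the Certificate's Secret,
// not something cert-manager issued.
func NewTestCert(notBefore time.Time, lifetime time.Duration, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Resync is the pass a periodic or resume-triggered reconcile would run over
// every Certificate: it returns the ones that need work at wall-clock time now.
func Resync(certs map[string]*x509.Certificate, now time.Time) map[string]Action {
	out := map[string]Action{}
	for name, c := range certs {
		if a := Decide(c, now); a != ActionNone {
			out[name] = a
		}
	}
	return out
}

func main() {
	issued := time.Date(2023, 9, 1, 9, 0, 0, 0, time.UTC)
	c, err := NewTestCert(issued, time.Hour, "cert-1-hour.local")
	if err != nil {
		panic(err)
	}
	certs := map[string]*x509.Certificate{"sandbox/cert-1-hour": c}
	// Two reconciles before the laptop sleeps, then the first one after a
	// 2-hour suspend: the last one must report the certificate as expired.
	for _, now := range []time.Time{
		issued.Add(10 * time.Minute),
		issued.Add(45 * time.Minute),
		issued.Add(2 * time.Hour),
	} {
		fmt.Printf("%s: %v\n", now.Format(time.RFC3339), Resync(certs, now))
	}
}
```

The point of the design is that Decide is a pure function of the certificate and the current wall clock, so it gives the right answer no matter how long the process was frozen; anything that schedules work from a duration measured before the sleep (a timer or a cached "next check" instant) can silently skip the renewal window the report describes.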

Labels: kind/bug