I am trying to create another Issuer can for another subdomain. I am following this example: Digital Ocean Kubernetes tutorial and in this example the author gives an example for the http://echo.starter-kit.online/ subdomain which I was able to get working using my own subdomain.
I am trying to get this working for the quote.starter-kit.online example by creating a new Issuer like following:
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: quote-letsencrypt-nginx
namespace: backend
spec:
# ACME issuer configuration
# `email` - the email address to be associated with the ACME account (make sure it's a valid one)
# `server` - the URL used to access the ACME server’s directory endpoint
# `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
acme:
email: my#mydomain.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: quote-letsencrypt-nginx-private-key
solvers:
# Use the HTTP-01 challenge provider
- http01:
ingress:
class: nginx
And the following Ingress rule for the quote subdomain:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-quote
namespace: backend
annotations:
cert-manager.io/issuer: letsencrypt-nginx
spec:
tls:
- hosts:
- quote.mydomain.com
secretName: quote-letsencrypt
rules:
- host: quote.mydomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: quote
port:
number: 8080
ingressClassName: nginx
when I do the following:
>kubectl get certificates -n backend
NAME READY SECRET AGE
letsencrypt-nginx True letsencrypt-nginx 5d2h
quote-letsencrypt-nginx False quote-letsencrypt-nginx 2s
I can see the certs. However, when I do the following I see the https is not working:
curl -Li quote.mydomain.com
HTTP/1.1 308 Permanent Redirect
Date: Sun, 02 Jan 2022 23:49:40 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://quote.mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Try:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-quote
namespace: backend
annotations:
cert-manager.io/issuer: quote-letsencrypt-nginx # <-- changed
spec:
tls:
- hosts:
- quote.mydomain.com
secretName: quote-letsencrypt-tls
rules:
...
Related
Why my "Certificate" object and "Ingress" both are creating Certificates ?
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: blog-app-crt
spec:
secretName: blog-app-crt-sec
issuerRef:
kind: ClusterIssuer
name: letsencrypt-prod
commonName: blog.mydomain.com
dnsNames:
- blog.mydomain.com
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Email address used for ACME registration
email: myemailid#gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Name of a secret used to store the ACME account private key
name: letsencrypt-production-private-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /$1
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
tls:
- hosts:
- blog.mydomain.com
secretName: blog-app-crt-sec
rules:
- host: blog.mydomain.com
http:
paths:
- pathType: Prefix
path: "/?(.*)"
backend:
service:
name: app-1-endpoint
port:
number: 5000
- pathType: Prefix
path: "/tribute/?(.*)"
backend:
service:
name: app-2-endpoint
port:
number: 5001
When I create above objects, it is creating 2 Certificate ojects, both pointing to same secret.
blog-app-crt-sec
blog-app-crt
How can I create Only 1 Certificate ? If I create only a ClusterIssuer without any custom certificate, then of course that will solve the issue, but I want to create a Custom certificate to control the renewal stuff.
There is a component of cert-manager called ingress-shim that watches Ingress resources and automatically creates Certificate objects for you when some annotations are present. This way, you wouldn’t even need to create the Certificate object on your own.
Please check your ingress definition for corresponding cert-manager.io scoped annotations and either use those or the manually created certificate. I assume you refer to the secret named blog-app-crt in your ingress definition. This needs to match what is defined in the cert spec secretName if you don’t use the automated creation!
For details on automatic certificate creation, please check the cert-manager docs on ingress: https://cert-manager.io/docs/usage/ingress/
In your case:
Annotation cert-manager.io/cluster-issuer tells that Ingress for generating certificates to your host (annotation on Ingress configuration plays a big role in the background).
That certificate configuration with kind: Certificate is also telling you to generate the certificate for your host.
You can either choose one of them on your configuration.
The best one for you is to drop that kind: Certificate configuration.
When do we drop the annotation and use the certificate?
For example, you have a.host.com, b.host.com, c.host.com and want to generate a single certificate and use it in multiple places, i.e. either in Ingress or in other TCP SSL configurations.
I followed this instruction to set up a cert manager on my EKS cluster https://cert-manager.io/docs/tutorials/acme/ingress/.
here is my ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- '*.test.com'
secretName: test-tls
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-service
port:
number: 80
Here is the issuer. I just copied the config from the instruction
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: info#test.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
After deployment, I found the certificate ready state is false
kubectl get certificate
NAME READY SECRET AGE
test-tls False test-tls 2m45s
Then I followed this to troubleshoot https://cert-manager.io/docs/faq/troubleshooting/
I ran kubectl describe certificaterequest <request name>, found error Waiting on certificate issuance from order test-tls-xxx: "pending"
then ran kubectl describe order test-tls-xxx, found error
Warning Solver 20m cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge.
Any idea why it couldn't determine a valid solver? how do I test if solver is working?
It's not working due you are using the staging URL in cluster issuer to verify the image.
Please try with the Production URL.
here a simple and proper example of Clusterissuer and ingress YAML (do note you were trying with staging API https://acme-staging-v02.api.letsencrypt.org/directory if possible use the production server address so it works properly with all browsers)
Example:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh#example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
Note : When you are trying again please try deleting the old objects like ingress, Clusterissuer first.
Issuer vs ClusterIssuer
An Issuer is a namespaced resource, and it is not possible to issue
certificates from an Issuer in a different namespace. This means you
will need to create an Issuer in each namespace you wish to obtain
Certificates in.
If you want to create a single Issuer that can be consumed in multiple
namespaces, you should consider creating a ClusterIssuer resource.
This is almost identical to the Issuer resource, however is
non-namespaced so it can be used to issue Certificates across all
namespaces.
Ref : https://cert-manager.io/docs/concepts/issuer/
Wildcard cert
You can use as per requirement, if you are using issuer you can update the ingress annotation line like
cert-manager.io/issuer: issuer-name
If you are trying to get the wildcard * certificate you won't be able to get it using HTTP auth method
solvers:
- http01:
ingress:
class: nginx-class-name
instead of this you have to use the DNS-auth method for wildcard cert.
solvers:
- dns01:
cloudDNS:
project: my-project
serviceAccountSecretRef:
name: prod-clouddns-svc-acct-secret
key: service-account.json
Read more at : https://cert-manager.io/docs/configuration/acme/dns01/
Ref article to get the wildcard cert : https://medium.com/#harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2
I'm trying to install the cert-manager ClusterIssuer on a AKS, and because the cluster is behind Azure Application Gateway I've gone down the route of using a DNS solver rather the HTTP. However, the challenge fails with an error calling the Cloudflare API. I've redacted emails and domains through the code snippets, the output of kubectl describe challenge rabt-cert-tls-g4mcl-1991965707-2468967546 is:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 72s cert-manager Challenge scheduled for processing
Warning PresentError 3s (x5 over 71s) cert-manager Error presenting challenge: Cloudflare API Error for GET "/zones?name=<domain>"
Error: 6003: Invalid request headers<- 6103: Invalid format for X-Auth-Key header
I have followed the guide at https://blog.darkedges.com/2020/05/04/cert-manager-kubernetes-cloudflare-dns-update/ and the issues at https://github.com/jetstack/cert-manager/issues/3021 and https://github.com/jetstack/cert-manager/issues/2384 but can't see any differences beyond the apiVersion of the issuer. I've checked this against the official documentation and there are no changes from what appears in these guides.
The relationship between ingress and cluster issuer seems fine; if I delete and recreate the ingress a new certificate, order and challenge are created. I've verified the secret is populated and I can print it to console, so it shouldn't be sending a blank string in the header. The token is valid, I can use the example CURL request from CloudFlare to check its validity.
Is there somewhere I can see logs and find out exactly what is being sent?
ClusterIssuer
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token-secret
namespace: cert-manager
type: Opaque
stringData:
api-token: ${CLOUDFLARE_API_TOKEN}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: rabt-letsencrypt
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: <email>
# ACME server URL for Let’s Encrypt’s staging environment.
# The staging environment will not issue trusted certificates but is
# used to ensure that the verification process is working properly
# before moving to production
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: rabt-letsencrypt-key
# Enable the HTTP-01 challenge provider
# you prove ownership of a domain by ensuring that a particular
# file is present at the domain
solvers:
- dns01:
cloudflare:
email: <email>
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-key
Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rabt-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: azure/application-gateway
appgw.ingress.kubernetes.io/backend-protocol: https
appgw.ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: rabt-letsencrypt
cert-manager.io/acme-challenge-type: dns01
appgw.ingress.kubernetes.io/backend-path-prefix: "/"
spec:
tls:
- hosts:
- "*.rabt.<domain>"
secretName: rabt-cert-tls
rules:
- host: "mq.rabt.<domain>"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rabt-mq
port:
number: 15672
- host: es.rabt.<domain>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rabt-db-es-http
port:
number: 9200
- host: "kibana.rabt.<domain>"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rabt-kb-http
port:
number: 5601
As Harsh Manvar guessed, it was an issue with the secret. I wasn't running the kubectl apply command through envsubst so it was encoding the literal string "${CLOUDFLARE_API_TOKEN}"
Digging into www, didn't found an answer:
I want to know how I can use cert-manager with haproxy-ingress and lets encrypt.
Any documentation / guidelines?
Deploy Certmanager with:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml
Deploy a ClusterIssuer (cluster issuers are namespace agnostic)
cat > prod-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: email#example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: haproxy
EOF
Apply the cluster issuer with kubectl apply -f prod-issuer.yaml
Create an Ingress Resource (namespace gnostic, this example is using Nginx backend service)
cat > nginx-ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-router
namespace: production
annotations:
kubernetes.io/ingress.class: "haproxy"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- "example.com"
secretName: nginx-tls-secret
rules:
- host: example.com
http:
paths:
- pathType: ImplementationSpecific
path: "/"
backend:
service:
name: nginx
port:
number: 80
- host: www.example.com
http:
paths:
- pathType: ImplementationSpecific
path: "/"
backend:
service:
name: nginx
port:
number: 80
EOF
Apply the ingress recourse with kubectl apply -f nginx-ingress.yaml
The important piece of information here, is that the Haproxy controller does NOT need the annotation acme.cert-manager.io/http01-edit-in-place: "true"
that nginx-ingress controller does. It works as expected without any extra annotations.
When you apply the Ingress Resourse to the cluster, the certificate will be issued in 1-2 minutes tops.
Use kubectl describe certificate nginx-tls-secret -n production to check the status of the certificate, and look at the event to get the certificate.
For more debugging info incase something went wrong, refer here https://cert-manager.io/docs/faq/acme/
you can try installing cert manager provided by jetstack, can be found here and then you need to follow the steps mentioned in this stackoverflow post and this will get things sorted for you.
An internal acme-challenge will be done by cert manager and once you patch the secret name, mentioned in the certificate to the TLS of ingress then certificate status will get ready state, Note that the secret will get created automatically, you need not create it
I just will describe how it configured on my side. I've installed cert-manger on my Kubernetes by using this tutorial :
https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html
I've checked is it installed and it is :
Also I have ingress-resource with the next config:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/acme-http01-edit-in-place: "true"
certmanager.k8s.io/cluster-issuer: letsencrypt-issuer
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
name: boonotes-ingress-resource
namespace: default
spec:
rules:
- host: www.bnsfun.com
http:
paths:
- backend:
serviceName: booknotes-front-end-service
servicePort: 80
path: /?(.*)
- host: www.bnsfun.com
http:
paths:
- backend:
serviceName: booknotes-back-end-service
servicePort: 3000
path: /api/?(.*)
tls:
- hosts:
- www.bnsfun.com
secretName: letsencrypt-certs
status:
loadBalancer:
ingress:
- ip: some ip
Also, I've configured the certificate :
kubectl describe certificate booknotes-certificate
Name: booknotes-certificate
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"booknotes-certificate","namespace":"...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-11-17T04:51:57Z
Generation: 2
Resource Version: 7257970
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/booknotes-certificate
UID: fbe1d9c0-08f5-11ea-82b3-42010a80017a
Spec:
Acme:
Config:
Domains:
www.bnsfun.com
http01:
Ingress: boonotes-ingress-resource
Common Name: www.bnsfun.com
Dns Names:
www.bnsfun.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-issuer
Secret Name: letsencrypt-certs
Events: <none>
I've also created a secret:
Here is my sevice & ingress section:
I've used this tutorial to configure it :
https://medium.com/#betandr/kubernetes-ingress-with-tls-on-gke-744efd37e49e
and official documentation of cert-manager to install cert managed. What do I wrong? How can I check why this doesn't work? I've tried a lot of stuff, but all doesn't work for me. For sure I do something wrong. But what? I've understood that I need cert-manager for updating my lets-encrypt certificate, also I need to create secret to store it, then I need configure my ingress in tls and annotaions. Pls could you help me to find out more what should happen there and what are the main steps to complete it? If you need more info , pls let me know
Here is my issuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
spec:
acme:
email: email
http01: {}
privateKeySecretRef:
name: letsencrypt
server: "https://acme-v02.api.letsencrypt.org/directory"
let's take an another path, Letsencrypt official docs say that they won't be supporting any longer for below 0.8 versions, so I recommend you to install cert-manager provided by Jetstack, that you can find here, to install the helm chart for it.
The follow this stackoverflow post, for configurations, note that if the api version mentioned in that post doesn't support in case of cluster issuer, then rather use
apiVersion: cert-manager.io/v1alpha2
Note that , the tls secret name mentioned in the certificate will be auto-generated by cert-manager, and it automatically starts an acme-challenge to validate the domain, once you patch that secret name to the TLS in your ingress rule.
It shall solve the issue and the certificate's status will change to ready after the domain verification