Why my "Certificate" object and "Ingress" both are creating Certificates ?
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: blog-app-crt
spec:
secretName: blog-app-crt-sec
issuerRef:
kind: ClusterIssuer
name: letsencrypt-prod
commonName: blog.mydomain.com
dnsNames:
- blog.mydomain.com
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Email address used for ACME registration
email: myemailid#gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Name of a secret used to store the ACME account private key
name: letsencrypt-production-private-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /$1
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
tls:
- hosts:
- blog.mydomain.com
secretName: blog-app-crt-sec
rules:
- host: blog.mydomain.com
http:
paths:
- pathType: Prefix
path: "/?(.*)"
backend:
service:
name: app-1-endpoint
port:
number: 5000
- pathType: Prefix
path: "/tribute/?(.*)"
backend:
service:
name: app-2-endpoint
port:
number: 5001
When I create above objects, it is creating 2 Certificate ojects, both pointing to same secret.
blog-app-crt-sec
blog-app-crt
How can I create Only 1 Certificate ? If I create only a ClusterIssuer without any custom certificate, then of course that will solve the issue, but I want to create a Custom certificate to control the renewal stuff.
There is a component of cert-manager called ingress-shim that watches Ingress resources and automatically creates Certificate objects for you when some annotations are present. This way, you wouldn’t even need to create the Certificate object on your own.
Please check your ingress definition for corresponding cert-manager.io scoped annotations and either use those or the manually created certificate. I assume you refer to the secret named blog-app-crt in your ingress definition. This needs to match what is defined in the cert spec secretName if you don’t use the automated creation!
For details on automatic certificate creation, please check the cert-manager docs on ingress: https://cert-manager.io/docs/usage/ingress/
In your case:
Annotation cert-manager.io/cluster-issuer tells that Ingress for generating certificates to your host (annotation on Ingress configuration plays a big role in the background).
That certificate configuration with kind: Certificate is also telling you to generate the certificate for your host.
You can either choose one of them on your configuration.
The best one for you is to drop that kind: Certificate configuration.
When do we drop the annotation and use the certificate?
For example, you have a.host.com, b.host.com, c.host.com and want to generate a single certificate and use it in multiple places, i.e. either in Ingress or in other TCP SSL configurations.
Related
I am setting up my first K8s cluster in Linode LKE and I have problem getting a trusted certificate from Lets Encrypt. firefox shows unsecure connection with certificate name "Kubernetes Ingress Controller Fake Certificate".
I can't figure out what is missing and how can I troubleshoot this.
Here is my ClusterIssuer and Ingress definitions. I tried the staging and the production acme urls but I couldn't get a trusted certificate.
`
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: example#gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt-staging
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: tb-https-loadbalancer
namespace: thingsboard
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
ingressClassName: nginx
tls:
- hosts:
- testing.com
secretName: letsencrypt-staging
rules:
- host: testing.com
http:
paths:
...
I don't undestand why i can't get certificates on K8S using cert-manager
I installed cert-manager : https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
I created ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: user#example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- http01:
ingress:
class: nginx
I created ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
rules:
- host: mytest.example.fr
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: webapp
port:
number: 80
tls:
- hosts:
- mytest.example.fr
secretName: letsencrypt-staging
But when i try to get an certificate i get 'no resources found'
Any idea ?
Thank you for your help
If you don't want to create kind certificate you can use
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh#example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
.
. #Path and service configs
.
.
tls:
- hosts:
- sub.example.com
secretName: secret-name
ingress will call clusterisser and it will auto-create certificate for you.
Update ingress resources as per need if you are higher version 1.18 or above
Notes
Make sure you are using the URL https://acme-v02.api.letsencrypt.org/directory in clusterissue or else you will get fake certificate in browser.
For refrence you can read more here :
https://stackoverflow.com/a/55183209/5525824
Make sure also you ingress pointing to proper clusterissuer if
you have created new.
Also don't use same privateKeySecretRef:name: secret-name you
need to delete it or use the new name as fake certificate
now stored in that secret so.
Certificates are not created automatically by cert-manager.
You have to create a YAML yourself. And use the issuer name that you have already created
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-certificate
namespace: default
spec:
secretName: set-a-new-name-here
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
commonName: mytest.example.fr
dnsNames:
- mytest.example.fr
I followed this instruction to set up a cert manager on my EKS cluster https://cert-manager.io/docs/tutorials/acme/ingress/.
here is my ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- '*.test.com'
secretName: test-tls
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-service
port:
number: 80
Here is the issuer. I just copied the config from the instruction
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: info#test.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
After deployment, I found the certificate ready state is false
kubectl get certificate
NAME READY SECRET AGE
test-tls False test-tls 2m45s
Then I followed this to troubleshoot https://cert-manager.io/docs/faq/troubleshooting/
I ran kubectl describe certificaterequest <request name>, found error Waiting on certificate issuance from order test-tls-xxx: "pending"
then ran kubectl describe order test-tls-xxx, found error
Warning Solver 20m cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge.
Any idea why it couldn't determine a valid solver? how do I test if solver is working?
It's not working due you are using the staging URL in cluster issuer to verify the image.
Please try with the Production URL.
here a simple and proper example of Clusterissuer and ingress YAML (do note you were trying with staging API https://acme-staging-v02.api.letsencrypt.org/directory if possible use the production server address so it works properly with all browsers)
Example:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh#example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
Note : When you are trying again please try deleting the old objects like ingress, Clusterissuer first.
Issuer vs ClusterIssuer
An Issuer is a namespaced resource, and it is not possible to issue
certificates from an Issuer in a different namespace. This means you
will need to create an Issuer in each namespace you wish to obtain
Certificates in.
If you want to create a single Issuer that can be consumed in multiple
namespaces, you should consider creating a ClusterIssuer resource.
This is almost identical to the Issuer resource, however is
non-namespaced so it can be used to issue Certificates across all
namespaces.
Ref : https://cert-manager.io/docs/concepts/issuer/
Wildcard cert
You can use as per requirement, if you are using issuer you can update the ingress annotation line like
cert-manager.io/issuer: issuer-name
If you are trying to get the wildcard * certificate you won't be able to get it using HTTP auth method
solvers:
- http01:
ingress:
class: nginx-class-name
instead of this you have to use the DNS-auth method for wildcard cert.
solvers:
- dns01:
cloudDNS:
project: my-project
serviceAccountSecretRef:
name: prod-clouddns-svc-acct-secret
key: service-account.json
Read more at : https://cert-manager.io/docs/configuration/acme/dns01/
Ref article to get the wildcard cert : https://medium.com/#harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2
I Created two files, one is for ClusterIssuer and the Second is for Certificate.
My Domain is an example.com and I need to create a new subdomain with wildcard *.testing.example.com and I already created an entry in Route53 called *.testing.example.com with A record and mapped with nlb.
Below are my profile and which good to me, but I am getting error " msg"="propagation check failed" "error"="DNS record for \"testing.example.com\" not yet propagated"
ClusterIssuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: devops#example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
# example: cross-account zone management for example.com
# this solver uses ambient credentials (i.e. inferred from the environment or EC2 Metadata Service)
# to assume a role in a different account
- selector:
dnsZones:
- "example.com"
dns01:
route53:
region: ap-south-1
hostedZoneID: 71MYVttggee
role: arn:aws:iam::123456:role/dns-manager
Certificate.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: example-cert
spec:
secretName: acme-crt
issuerRef:
kind: ClusterIssuer
name: letsencrypt-prod
commonName: testing.example.com
dnsNames:
- '*.testing.example.com'
acme:
config:
- dns01:
provider: route53
domains:
- '*.testing.example.com'
What you have is correct, you just need to wait for DNS propagation so that the verification records can be checked by LetsEncrypt.
You have to use the method of DNS-01 for verification auth.
You can use the issuer
https://cert-manager.io/docs/configuration/acme/dns01/
however, you also have to create one another YAML for certificate
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: le-crt
spec:
secretName: tls-secret
issuerRef:
kind: Issuer
name: letsencrypt-prod
commonName: "*.example.in"
dnsNames:
- "*.example.in"
above yaml certificate will point to issuer that you created and as you get the certificate it will be get stored into the kubernetes secret name as : tls-secret
You can inject or use this secret on the ingress.
Also if you are facing the 403 error of CAA record please add the CAA record in the DNS zone first same we add the A or CNAME record.
For more ref : https://stackoverflow.com/a/68476135/5525824
I just will describe how it configured on my side. I've installed cert-manger on my Kubernetes by using this tutorial :
https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html
I've checked is it installed and it is :
Also I have ingress-resource with the next config:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/acme-http01-edit-in-place: "true"
certmanager.k8s.io/cluster-issuer: letsencrypt-issuer
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
name: boonotes-ingress-resource
namespace: default
spec:
rules:
- host: www.bnsfun.com
http:
paths:
- backend:
serviceName: booknotes-front-end-service
servicePort: 80
path: /?(.*)
- host: www.bnsfun.com
http:
paths:
- backend:
serviceName: booknotes-back-end-service
servicePort: 3000
path: /api/?(.*)
tls:
- hosts:
- www.bnsfun.com
secretName: letsencrypt-certs
status:
loadBalancer:
ingress:
- ip: some ip
Also, I've configured the certificate :
kubectl describe certificate booknotes-certificate
Name: booknotes-certificate
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"booknotes-certificate","namespace":"...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-11-17T04:51:57Z
Generation: 2
Resource Version: 7257970
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/booknotes-certificate
UID: fbe1d9c0-08f5-11ea-82b3-42010a80017a
Spec:
Acme:
Config:
Domains:
www.bnsfun.com
http01:
Ingress: boonotes-ingress-resource
Common Name: www.bnsfun.com
Dns Names:
www.bnsfun.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-issuer
Secret Name: letsencrypt-certs
Events: <none>
I've also created a secret:
Here is my sevice & ingress section:
I've used this tutorial to configure it :
https://medium.com/#betandr/kubernetes-ingress-with-tls-on-gke-744efd37e49e
and official documentation of cert-manager to install cert managed. What do I wrong? How can I check why this doesn't work? I've tried a lot of stuff, but all doesn't work for me. For sure I do something wrong. But what? I've understood that I need cert-manager for updating my lets-encrypt certificate, also I need to create secret to store it, then I need configure my ingress in tls and annotaions. Pls could you help me to find out more what should happen there and what are the main steps to complete it? If you need more info , pls let me know
Here is my issuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
spec:
acme:
email: email
http01: {}
privateKeySecretRef:
name: letsencrypt
server: "https://acme-v02.api.letsencrypt.org/directory"
let's take an another path, Letsencrypt official docs say that they won't be supporting any longer for below 0.8 versions, so I recommend you to install cert-manager provided by Jetstack, that you can find here, to install the helm chart for it.
The follow this stackoverflow post, for configurations, note that if the api version mentioned in that post doesn't support in case of cluster issuer, then rather use
apiVersion: cert-manager.io/v1alpha2
Note that , the tls secret name mentioned in the certificate will be auto-generated by cert-manager, and it automatically starts an acme-challenge to validate the domain, once you patch that secret name to the TLS in your ingress rule.
It shall solve the issue and the certificate's status will change to ready after the domain verification