I can't seem to get cert-manager working:
$ kubectl get certificates -o wide
NAME READY SECRET ISSUER STATUS AGE
example-ingress False example-ingress letsencrypt-prod Waiting for CertificateRequest "example-ingress-2556707613" to complete 6m23s
$ kubectl get CertificateRequest -o wide
NAME READY ISSUER STATUS AGE
example-ingress-2556707613 False letsencrypt-prod Referenced "Issuer" not found: issuer.cert-manager.io "letsencrypt-prod" not found 7m7s
and in the logs i see:
I1025 06:22:00.117292 1 sync.go:163] cert-manager/controller/ingress-shim "level"=0 "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="example-ingress" "related_resource_namespace"="default" "resource_kind"="Ingress" "resource_name"="example-ingress" "resource_namespace"="default"
I1025 06:22:00.117341 1 sync.go:176] cert-manager/controller/ingress-shim "level"=0 "msg"="certificate resource is already up to date for ingress" "related_resource_kind"="Certificate" "related_resource_name"="example-ingress" "related_resource_namespace"="default" "resource_kind"="Ingress" "resource_name"="example-ingress" "resource_namespace"="default"
I1025 06:22:00.117382 1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="default/example-ingress"
I1025 06:22:00.118026 1 sync.go:361] cert-manager/controller/certificates "level"=0 "msg"="no existing CertificateRequest resource exists, creating new request..." "related_resource_kind"="Secret" "related_resource_name"="example-ingress" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="example-ingress" "resource_namespace"="default"
I1025 06:22:00.147147 1 controller.go:129] cert-manager/controller/certificaterequests-issuer-venafi "level"=0 "msg"="syncing item" "key"="default/example-ingress-2556707613"
I1025 06:22:00.147267 1 sync.go:373] cert-manager/controller/certificates "level"=0 "msg"="created certificate request" "related_resource_kind"="Secret" "related_resource_name"="example-ingress" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="example-ingress" "resource_namespace"="default" "request_name"="example-ingress-2556707613"
I1025 06:22:00.147284 1 controller.go:129] cert-manager/controller/certificaterequests-issuer-acme "level"=0 "msg"="syncing item" "key"="default/example-ingress-2556707613"
I1025 06:22:00.147273 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "example-ingress-2556707613" condition "Ready" to 2019-10-25 06:22:00.147254385 +0000 UTC m=+603.871617341
I1025 06:22:00.147392 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "example-ingress-2556707613" condition "Ready" to 2019-10-25 06:22:00.147380513 +0000 UTC m=+603.871743521
E1025 06:22:00.147560 1 pki.go:128] cert-manager/controller/certificates "msg"="error decoding x509 certificate" "error"="error decoding cert PEM block" "related_resource_kind"="Secret" "related_resource_name"="example-ingress" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="example-ingress" "resource_namespace"="default" "secret_key"="tls.crt"
I1025 06:22:00.147620 1 conditions.go:155] Setting lastTransitionTime for Certificate "example-ingress" condition "Ready" to 2019-10-25 06:22:00.147613112 +0000 UTC m=+603.871976083
I1025 06:22:00.147731 1 controller.go:129] cert-manager/controller/certificaterequests-issuer-ca "level"=0 "msg"="syncing item" "key"="default/example-ingress-2556707613"
I1025 06:22:00.147765 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "example-ingress-2556707613" condition "Ready" to 2019-10-25 06:22:00.14776244 +0000 UTC m=+603.872125380
I1025 06:22:00.147912 1 controller.go:129] cert-manager/controller/certificaterequests-issuer-selfsigned "level"=0 "msg"="syncing item" "key"="default/example-ingress-2556707613"
I1025 06:22:00.147942 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "example-ingress-2556707613" condition "Ready" to 2019-10-25 06:22:00.147938966 +0000 UTC m=+603.872301909
I1025 06:22:00.147968 1 controller.go:129] cert-manager/controller/certificaterequests-issuer-vault "level"=0 "msg"="syncing item" "key"="default/example-ingress-2556707613"
I1025 06:22:00.148023 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "example-ingress-2556707613" condition "Ready" to 2019-10-25 06:22:00.148017945 +0000 UTC m=+603.872380906
i deployed cert-manager via the manifest:
https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
$ kubectl get clusterissuer letsencrypt-prod -o yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"cert-manager.io/v1alpha2","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-prod"},"spec":{"acme":{"email":"me#me.com","privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-staging-v02.api.letsencrypt.org/directory","solvers":[{"http01":{"ingress":{"class":"nginx"}},"selector":{}}]}}}
creationTimestamp: "2019-10-25T06:27:06Z"
generation: 1
name: letsencrypt-prod
resourceVersion: "1759784"
selfLink: /apis/cert-manager.io/v1alpha2/clusterissuers/letsencrypt-prod
uid: 05831417-b359-42de-8298-60da553575f2
spec:
acme:
email: me#me.com
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-staging-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginx
selector: {}
status:
acme:
lastRegisteredEmail: me#me.com
uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/11410425
conditions:
- lastTransitionTime: "2019-10-25T06:27:07Z"
message: The ACME account was registered with the ACME server
reason: ACMEAccountRegistered
status: "True"
type: Ready
and my ingress is:
$ kubectl get ingress example-ingress -o yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
cert-manager.io/issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"cert-manager.io/issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx","kubernetes.io/tls-acme":"true"},"name":"example-ingress","namespace":"default"},"spec":{"rules":[{"host":"example-ingress.example.com","http":{"paths":[{"backend":{"serviceName":"apple-service","servicePort":5678},"path":"/apple"},{"backend":{"serviceName":"banana-service","servicePort":5678},"path":"/banana"}]}}],"tls":[{"hosts":["example-ingress.example.com"],"secretName":"example-ingress"}]}}
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
creationTimestamp: "2019-10-25T06:22:00Z"
generation: 1
name: example-ingress
namespace: default
resourceVersion: "1758822"
selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/example-ingress
uid: 921b2e91-9101-4c3c-a0d8-3f871dafdd30
spec:
rules:
- host: example-ingress.example.com
http:
paths:
- backend:
serviceName: apple-service
servicePort: 5678
path: /apple
- backend:
serviceName: banana-service
servicePort: 5678
path: /banana
tls:
- hosts:
- example-ingress.example.com
secretName: example-ingress
status:
loadBalancer:
ingress:
- ip: x.y.z.a
any idea whats wrong? cheers,
Your ingress is referring to an issuer, but the issuer is a ClusterIssuer. Could that be the reason? I have a similar setup with Issuer instead of a ClusterIssuer and it is working.
I have done this implementation, you can follow this way -
Install jetstack from here
Then follow these steps from this stackoverflow post
Make one clusterIssuer or you can make individual issuer too, once you patch the hostname to ingress, then the tls-certificate in that namespace will be autogenerated by Jetstack after the acme-challenge validation
Kindly make sure to map the IP of loadbalancer nginx/traefik etc to DNS/hostname
Related
I am creating certificate using cert-manager (1.6.3). But the issue is , duration and renewBefore is not taking my custom values , instead it is taking the default value (90 days )
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-tls-com
namespace: api
spec:
issuerRef:
kind: ClusterIssuer
name: letsencrypt-prod
duration: 10h
renewBefore: 1h
commonName: "*.domain-name.in"
dnsNames:
- "*.domain-name.in"
secretName: test-tls-wild
But when I describe the certificate I can see Renewal Time is not matching
kubectl -n api describe cert test-tls-com
---
Not After: 2022-08-14T15:30:38Z
Not Before: 2022-05-16T15:30:39Z
Renewal Time: 2022-08-14T13:30:38Z <--it is not 1h renewal time
My cluster issuer looks like
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: cert-manager
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: xxx#gmail.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- dns01:
digitalocean:
tokenSecretRef:
name: digitalocean-dns
key: access-token
kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"6b1d87acf3c8253c123756b9e61dac642678305f", GitTreeState:"clean", BuildDate:"2021-03-18T01:10:43Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.11", GitCommit:"38d3c1f3d5306401bcf39a71bad3b5a5106033d7", GitTreeState:"clean", BuildDate:"2022-03-16T14:02:06Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
Using the above configuration I am able to create certificate , but not sure why the Renewal Time is not matching with the duration and renewBefore
Renewal Time is not matching with the duration and renewBefore because The renewBefore and duration fields must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead.
Duration and RenewBefore should be as below in the YAML file as prescribed by cert-manager; then only it will match with renewal time and duration time.
Example :
duration: 2160h # 90d
renewBefore: 360h # 15d - custom dates we can give .
I am trying to get a certificate issued from Let's Encrypt, and it has been 3 and a half hours.
I accidentally originally set my secretName as "echo-tls" before switching it to the correct "pandaist-tls" that I want to use instead.
I currently have this:
kubectl get CertificateRequest -o wide
NAME READY ISSUER STATUS AGE
pandaist-tls-1926992011 False letsencrypt-prod Waiting on certificate issuance from order default/pandaist-tls-1926992011-2163900139: "pending" 3h26m
When I describe the certificate, I get this:
Deployment kubectl describe CertificateRequest pandaist-tls-1926992011
Name: pandaist-tls-1926992011
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: pandaist-tls
cert-manager.io/private-key-secret-name: pandaist-tls
API Version: cert-manager.io/v1alpha2
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2020-04-07T15:41:13Z
Generation: 1
Owner References:
API Version: cert-manager.io/v1alpha2
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: pandaist-tls
UID: 25c3ff31-447f-4abf-a23e-ec48f5a591a9
Resource Version: 500795
Self Link: /apis/cert-manager.io/v1alpha2/namespaces/default/certificaterequests/pandaist-tls-1926992011
UID: 8295836d-fb99-4ebf-8803-a344d6edb574
Spec:
Csr: ABUNCHOFVALUESTHATIWILLNOTDESCRIBE
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-prod
Status:
Conditions:
Last Transition Time: 2020-04-07T15:41:13Z
Message: Waiting on certificate issuance from order default/pandaist-tls-1926992011-2163900139: "pending"
Reason: Pending
Status: False
Type: Ready
Events: <none>
And then I look at my logs for my cert-manager pods - here are small slices of each:
I0407 19:01:35.499469 1 service.go:43] cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="pandaist.com" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-2fp58" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-2157075729" "resource_namespace"="default" "type"="http-01"
I0407 19:01:35.499513 1 service.go:43] cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="auth.pandaist.com" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-xhjsr" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-832917849" "resource_namespace"="default" "type"="http-01"
I0407 19:01:35.499534 1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="pandaist.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-pd9fh" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-2157075729" "resource_namespace"="default" "type"="http-01"
I0407 19:01:35.499578 1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="auth.pandaist.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-b6zr2" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-832917849" "resource_namespace"="default" "type"="http-01"
E0407 19:03:46.571074 1 sync.go:184] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://pandaist.com/.well-known/acme-challenge/6Wduj2Ejr59OZ9SFy_Rw4jnozE50xspK-a5OIvCwYsc': Get http://pandaist.com/.well-known/acme-challenge/6Wduj2Ejr59OZ9SFy_Rw4jnozE50xspK-a5OIvCwYsc: dial tcp 178.128.132.218:80: connect: connection timed out" "dnsName"="pandaist.com" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-2157075729" "resource_namespace"="default" "type"="http-01"
E0407 19:03:46.571109 1 sync.go:184] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://auth.pandaist.com/.well-known/acme-challenge/gO91--fK0SGG15aS3ALOHXXYtCSly2Q9pbVO8OJW2aE': Get http://auth.pandaist.com/.well-known/acme-challenge/gO91--fK0SGG15aS3ALOHXXYtCSly2Q9pbVO8OJW2aE: dial tcp 178.128.132.218:80: connect: connection timed out" "dnsName"="auth.pandaist.com" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-832917849" "resource_namespace"="default" "type"="http-01"
I0407 19:03:46.571382 1 controller.go:135] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="default/pandaist-tls-1926992011-2163900139-832917849"
I0407 19:03:46.571528 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="default/pandaist-tls-1926992011-2163900139-832917849"
I0407 19:03:46.571193 1 controller.go:135] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="default/pandaist-tls-1926992011-2163900139-2157075729"
I0407 19:03:46.572009 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="default/pandaist-tls-1926992011-2163900139-2157075729"
I0407 19:03:46.572338 1 pod.go:58] cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="auth.pandaist.com" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-scqtx" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-832917849" "resource_namespace"="default" "type"="http-01"
I0407 19:03:46.572600 1 service.go:43] cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="auth.pandaist.com" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-xhjsr" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-832917849" "resource_namespace"="default" "type"="http-01"
I0407 19:03:46.572860 1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="auth.pandaist.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-b6zr2" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-832917849" "resource_namespace"="default" "type"="http-01"
I0407 19:03:46.573128 1 pod.go:58] cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="pandaist.com" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-jn65v" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-2157075729" "resource_namespace"="default" "type"="http-01"
I0407 19:03:46.573433 1 service.go:43] cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="pandaist.com" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-2fp58" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-2157075729" "resource_namespace"="default" "type"="http-01"
I0407 19:03:46.573749 1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="pandaist.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-pd9fh" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="pandaist-tls-1926992011-2163900139-2157075729" "resource_namespace"="default" "type"="http-01"
And then here, where I still see echo-tls, despite the fact that I changed my ingress to use pandaist-tls:
I0407 15:34:37.115159 1 controller.go:242] cert-manager/controller-runtime/controller "level"=1 "msg"="Successfully Reconciled" "controller"="validatingwebhookconfiguration" "request"={"Namespace":"","Name":"cert-manager-webhook"}
I0407 15:34:37.118246 1 controller.go:170] cert-manager/inject-controller "level"=1 "msg"="updated object" "resource_kind"="ValidatingWebhookConfiguration" "resource_name"="cert-manager-webhook" "resource_namespace"=""
I0407 15:34:37.118520 1 controller.go:242] cert-manager/controller-runtime/controller "level"=1 "msg"="Successfully Reconciled" "controller"="validatingwebhookconfiguration" "request"={"Namespace":"","Name":"cert-manager-webhook"}
I0407 15:34:37.119415 1 sources.go:176] cert-manager/inject-controller "level"=0 "msg"="Extracting CA from Secret resource" "resource_kind"="ValidatingWebhookConfiguration" "resource_name"="cert-manager-webhook" "resource_namespace"="" "secret"="cert-manager/cert-manager-webhook-tls"
I0407 15:34:37.120959 1 controller.go:170] cert-manager/inject-controller "level"=1 "msg"="updated object" "resource_kind"="MutatingWebhookConfiguration" "resource_name"="cert-manager-webhook" "resource_namespace"=""
I0407 15:34:37.121399 1 controller.go:242] cert-manager/controller-runtime/controller "level"=1 "msg"="Successfully Reconciled" "controller"="mutatingwebhookconfiguration" "request"={"Namespace":"","Name":"cert-manager-webhook"}
I0407 15:34:37.124545 1 controller.go:170] cert-manager/inject-controller "level"=1 "msg"="updated object" "resource_kind"="ValidatingWebhookConfiguration" "resource_name"="cert-manager-webhook" "resource_namespace"=""
I0407 15:34:37.125160 1 controller.go:242] cert-manager/controller-runtime/controller "level"=1 "msg"="Successfully Reconciled" "controller"="validatingwebhookconfiguration" "request"={"Namespace":"","Name":"cert-manager-webhook"}
E0407 16:19:36.762436 1 indexers.go:93] cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io \"echo-tls\" not found" "certificate"={"Namespace":"default","Name":"echo-tls"} "secret"={"Namespace":"default","Name":"echo-tls"}
E0407 16:19:36.762573 1 indexers.go:93] cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io \"echo-tls\" not found" "certificate"={"Namespace":"default","Name":"echo-tls"} "secret"={"Namespace":"default","Name":"echo-tls"}
E0407 16:19:36.762753 1 indexers.go:93] cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io \"echo-tls\" not found" "certificate"={"Namespace":"default","Name":"echo-tls"} "secret"={"Namespace":"default","Name":"echo-tls"}
E0407 16:19:36.762766 1 indexers.go:93] cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io \"echo-tls\" not found" "certificate"={"Namespace":"default","Name":"echo-tls"} "secret"={"Namespace":"default","Name":"echo-tls"}
My ingress:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: pandaist-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- pandaist.com
- auth.pandaist.com
secretName: pandaist-tls
rules:
- host: pandaist.com
http:
paths:
- backend:
serviceName: pandaist-main
servicePort: 80
- host: auth.pandaist.com
http:
paths:
- backend:
serviceName: pandaist-keycloak
servicePort: 80
This ingress was absolutely applied after the echo one.
Is this just normal certificate approval time (3.5 hours) or did the accidental inclusion of echo-tls mess up my certificate issuance? If so, how do I fix it?
Due to a bug in how load balancers work on Digital Ocean:
https://www.digitalocean.com/community/questions/how-do-i-correct-a-connection-timed-out-error-during-http-01-challenge-propagation-with-cert-manager
This will solve the problem:
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
annotations:
# See https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/examples/README.md#accessing-pods-over-a-managed-load-balancer-from-inside-the-cluster
service.beta.kubernetes.io/do-loadbalancer-hostname: "kube.mydomain.com"
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
externalTrafficPolicy: Local
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
This might be worthwhile to look at in case #Cecil's solution doesn't work. I was facing similar issue with Connection Timeout
Change LoadBalancer in ingress-nginx service.
Add/Change externalTrafficPolicy: Cluster.
Reason being, pod with the certificate-issuer wound up on a different node than the load balancer did, so it couldn’t talk to itself through the ingress.
Below is complete block taken from https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.26.1/deploy/static/provider/cloud-generic.yaml
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
#CHANGE/ADD THIS
externalTrafficPolicy: Cluster
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
---
I am trying to work with TLS in our Kubernetes cluster.
I've followed MS documentation on "Create an HTTPS ingress controller on Azure Kubernetes Service" (https://learn.microsoft.com/en-us/azure/aks/ingress-tls).
I've deployed a nginx-ingress controller, added the DNS record and installed the cert-manager.
I created a CA ClusterIssuer of SelfSigned and also created the 2 demo applications.
When I created the ingress route, the certificate created automatically and with "True" on the Ready status, but the route is not working - I can't access the demo applications with the host name deployed (https://hello-world-ingress.<Ingress_Service_DNS_Name>).
The Self-Signed ClusterIssuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
The Ingress route:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: hello-world-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /$2
cert-manager.io/cluster-issuer: selfsigned-issuer
spec:
tls:
- hosts:
- hello-world-ingress.<Ingress_Service_DNS_Name>
secretName: tls-secret
rules:
- host: hello-world-ingress.<Ingress_Service_DNS_Name>
http:
paths:
- backend:
serviceName: aks-helloworld
servicePort: 80
path: /(.*)
- backend:
serviceName: aks-helloworld-two
servicePort: 80
path: /hello-world-two(/|$)(.*)
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: hello-world-ingress-static
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /static/$2
cert-manager.io/cluster-issuer: selfsigned-issuer
spec:
tls:
- hosts:
- hello-world-ingress.<Ingress_Service_DNS_Name>
secretName: tls-secret
rules:
- host: hello-world-ingress.<Ingress_Service_DNS_Name>
http:
paths:
- backend:
serviceName: aks-helloworld
servicePort: 80
path: /static(/|$)(.*)
I've created a DNS record on GoDaddy in our domain for <Ingress_Service_DNS_Name> (but with the real name) that points to the external ingress controller service IP Address.
The rest of the installations and deployments are the same as the documentation.
Does anyone has any idea why it's not working?
---------------- Edit ----------------------
Ingress-controller logs:
I0330 06:03:16.780788 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375594", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingressI0330 06:03:46.358414 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375687", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:03:46.386930 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375688", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:04:16.783483 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375802", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:04:16.788210 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375803", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:04:46.584035 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375904", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:04:46.587677 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375905", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:05:16.938952 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37376008", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:05:16.938975 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37376007", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:05:46.337384 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37376095", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
Cert-manager logs:
I0330 06:16:19.953430 1 reflector.go:432] external/io_k8s_client_go/tools/cache/reflector.go:108: Watch close - *v1alpha2.Order total 0 items received
I0330 06:16:19.989382 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
I0330 06:16:39.861201 1 metrics.go:304] cert-manager/metrics "msg"="attempting to clean up metrics for recently deleted certificates"
I0330 06:16:39.861233 1 metrics.go:307] cert-manager/metrics "msg"="active certificates is still uninitialized"
I0330 06:16:46.353253 1 controller.go:129] cert-manager/controller/ingress-shim "msg"="syncing item" "key"="ingress-basic/hello-world-ingress"
I0330 06:16:46.354661 1 metrics.go:385] cert-manager/metrics "msg"="incrementing controller sync call count" "controllerName"="ingress-shim"
I0330 06:16:46.355124 1 sync.go:163] cert-manager/controller/ingress-shim "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress" "resource_namespace"="ingress-basic"
I0330 06:16:46.356804 1 sync.go:176] cert-manager/controller/ingress-shim "msg"="certificate resource is already up to date for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress" "resource_namespace"="ingress-basic"
I0330 06:16:46.357190 1 controller.go:135] cert-manager/controller/ingress-shim "msg"="finished processing work item" "key"="ingress-basic/hello-world-ingress"
I0330 06:16:46.358636 1 controller.go:129] cert-manager/controller/ingress-shim "msg"="syncing item" "key"="ingress-basic/hello-world-ingress-static"
I0330 06:16:46.361782 1 metrics.go:385] cert-manager/metrics "msg"="incrementing controller sync call count" "controllerName"="ingress-shim"
I0330 06:16:46.367596 1 sync.go:163] cert-manager/controller/ingress-shim "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
I0330 06:16:46.368271 1 sync.go:171] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this ingress. refusing to update non-owned certificate resource for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
I0330 06:16:46.368424 1 controller.go:135] cert-manager/controller/ingress-shim "msg"="finished processing work item" "key"="ingress-basic/hello-world-ingress-static"
I0330 06:16:47.581355 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
I0330 06:16:49.383317 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
The only thing that looks like it can be a problem is in the cert manager logs:
"certificate resource is not owned by this ingress. refusing to update non-owned certificate resource for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic" "
Thanks,
Afik
Based on the information provided a believe that the problem is two ingresses using the same self-signed certificate.
What you trying to achieve here is that you want to manage your certificate from two different places. As the documentation states:
Deploy a TLS Ingress Resource - “There are two primary ways to do
this: using annotations on the ingress with ingress-shim or directly
creating a certificate resource.”
So your hello-world-ingress can use the annotation:
cert-manager.io/cluster-issuer: selfsigned-issuer
But the helo-world-ingress-static cant because the certificate has been already created under secretName: tls-secret.
So from the hello-world-ingress-static you should remove the annotation:
cert-manager.io/cluster-issuer: selfsigned-issuer
Because it creates interest conflict since the secretName is already created and managed by other resource. In this case CertificateRequest from another Ingress.
Let me know if this helps.
At step 3 I got the IP address as follow. And I customized my DNS according to this article
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.51.240.1 <none> 443/TCP 10d
quickstart-nginx-ingress-controller LoadBalancer 10.51.251.156 35.247.160.2 80:30686/TCP,443:32595/TCP 87s
quickstart-nginx-ingress-default-backend ClusterIP 10.51.253.66 <none> 80/TCP 86s
The external IP that is allocated to the ingress-controller is the IP to which all incoming traffic should be routed. To enable this, add it to a DNS zone you control, for example as example.your-domain.com.
This quickstart assumes you know how to assign a DNS entry to an IP address and will do so.
DNS zone
domains.google.com
I can $ curl -kivL -H 'Host: singh.hbot.dev' 'http://singh.hbot.dev'
Here is the output of kuard
* Rebuilt URL to: http://singh.hbot.dev/
* Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 80 (#0)
> GET / HTTP/1.1
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.15.8
Server: nginx/1.15.8
< Date: Thu, 14 Mar 2019 08:59:24 GMT
Date: Thu, 14 Mar 2019 08:59:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 171
Content-Length: 171
< Connection: keep-alive
Connection: keep-alive
< Location: https://singh.hbot.dev/
Location: https://singh.hbot.dev/
<
* Ignoring the response-body
* Connection #0 to host singh.hbot.dev left intact
* Issue another request to this URL: 'https://singh.hbot.dev/'
* Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Mar 14 08:22:58 2019 GMT
* expire date: Mar 13 08:22:58 2020 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdf3000e200)
> GET / HTTP/2
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: nginx/1.15.8
server: nginx/1.15.8
< date: Thu, 14 Mar 2019 08:59:24 GMT
date: Thu, 14 Mar 2019 08:59:24 GMT
< content-type: text/html
content-type: text/html
< content-length: 1689
content-length: 1689
< vary: Accept-Encoding
vary: Accept-Encoding
< strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15724800; includeSubDomains
<
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>KUAR Demo</title>
<link rel="stylesheet" href="/static/css/bootstrap.min.css">
<link rel="stylesheet" href="/static/css/styles.css">
<script>
var pageContext = {"hostname":"kuard-79b5d46779-5slz8","addrs":["10.48.2.20"],"version":"v0.8.1-1","versionColor":"hsl(18,100%,50%)","requestDump":"GET / HTTP/1.1\r\nHost: singh.hbot.dev\r\nAccept: */*\r\nUser-Agent: curl/7.54.0\r\nX-Forwarded-For: 10.148.0.49\r\nX-Forwarded-Host: singh.hbot.dev\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Original-Uri: /\r\nX-Real-Ip: 10.148.0.49\r\nX-Request-Id: ba73c8e44498c36480ea0d4164279561\r\nX-Scheme: https","requestProto":"HTTP/1.1","requestAddr":"10.48.2.18:41748"}
</script>
</head>
<svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<symbol id="icon-power" viewBox="0 0 32 32">
<title>power</title>
<path class="path1" d="M12 0l-12 16h12l-8 16 28-20h-16l12-12z"></path>
</symbol>
<symbol id="icon-notification" viewBox="0 0 32 32">
<title>notification</title>
<path class="path1" d="M16 3c-3.472 0-6.737 1.352-9.192 3.808s-3.808 5.72-3.808 9.192c0 3.472 1.352 6.737 3.808 9.192s5.72 3.808 9.192 3.808c3.472 0 6.737-1.352 9.192-3.808s3.808-5.72 3.808-9.192c0-3.472-1.352-6.737-3.808-9.192s-5.72-3.808-9.192-3.808zM16 0v0c8.837 0 16 7.163 16 16s-7.163 16-16 16c-8.837 0-16-7.163-16-16s7.163-16 16-16zM14 22h4v4h-4zM14 6h4v12h-4z"></path>
</symbol>
</defs>
</svg>
<body>
<div id="root"></div>
<script src="/built/bundle.js" type="text/javascript"></script>
</body>
</html>
* Connection #1 to host singh.hbot.dev left intact
Proceed on next steps
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
$
$ kubectl apply \
> -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io configured
$
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"
namespace/cert-manager labeled
$
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
install cert-manager
$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager
NAME: cert-manager
LAST DEPLOYED: Thu Mar 14 16:06:48 2019
NAMESPACE: cert-manager
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
cert-manager-edit 3s
cert-manager-view 3s
cert-manager-webhook:webhook-requester 3s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
cert-manager-6f68b58796-w44tn 0/1 ContainerCreating 0 3s
cert-manager-cainjector-67b4696847-l2lhb 0/1 ContainerCreating 0 3s
cert-manager-webhook-6f58884b96-gh52r 0/1 ContainerCreating 0 3s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
cert-manager-webhook ClusterIP 10.51.250.12 <none> 443/TCP 3s
==> v1/ServiceAccount
NAME SECRETS AGE
cert-manager 1 3s
cert-manager-cainjector 1 3s
cert-manager-webhook 1 3s
==> v1alpha1/Certificate
NAME AGE
cert-manager-webhook-ca 3s
cert-manager-webhook-webhook-tls 3s
==> v1alpha1/Issuer
NAME AGE
cert-manager-webhook-ca 2s
cert-manager-webhook-selfsign 3s
==> v1beta1/APIService
NAME AGE
v1beta1.admission.certmanager.k8s.io 3s
==> v1beta1/ClusterRole
NAME AGE
cert-manager 3s
cert-manager-cainjector 3s
==> v1beta1/ClusterRoleBinding
NAME AGE
cert-manager 3s
cert-manager-cainjector 3s
cert-manager-webhook:auth-delegator 3s
==> v1beta1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
cert-manager 0/1 1 0 3s
cert-manager-cainjector 0/1 1 0 3s
cert-manager-webhook 0/1 1 0 3s
==> v1beta1/RoleBinding
NAME AGE
cert-manager-webhook:webhook-authentication-reader 3s
==> v1beta1/ValidatingWebhookConfiguration
NAME AGE
cert-manager-webhook 2s
NOTES:
cert-manager has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://docs.cert-manager.io/en/latest/reference/issuers.html
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://docs.cert-manager.io/en/latest/reference/ingress-shim.html
Apply modified staging-issuer.yaml and production-issuer.yaml.
$ kubectl apply -f staging-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-staging created
$ kubectl apply -f production-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-prod created
Edit my ingress.yaml and apply it with
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-staging"
certmanager.k8s.io/acme-challenge-type: http01
I found the certificate, but when I describe it Events is none!
$ kubectl get certificate
NAME
quickstart-example-tls
$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:17:11Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: f30e819b-4639-11e9-a2d5-42010a9400fd
Resource Version: 2243137
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: f311c99d-4639-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T09:17:11Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-06-12T08:16:05Z
Events: <none>
Then I check secret. The docs says
Once complete, cert-manager will have created a secret with the details of the certificate based on the secret used in the ingress resource. You can use the describe command as well to see some details:
Although I don't have ca.crt. I decided to moved on.
$ kubectl get secret
NAME TYPE DATA AGE
default-token-vnngd kubernetes.io/service-account-token 3 10d
letsencrypt-prod Opaque 1 3d1h
letsencrypt-staging Opaque 1 3d1h
quickstart-example-tls kubernetes.io/tls 3 3d1h
quickstart-nginx-ingress-token-c4tjk kubernetes.io/service-account-token 3 58m
singh-dev-staging-tls kubernetes.io/tls 3 21h
singh-secret kubernetes.io/tls 3 22h
$ kubectl describe secret quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations: certmanager.k8s.io/alt-names: singh.hbot.dev
certmanager.k8s.io/common-name: singh.hbot.dev
certmanager.k8s.io/ip-sans:
certmanager.k8s.io/issuer-kind: Issuer
certmanager.k8s.io/issuer-name: letsencrypt-staging
Type: kubernetes.io/tls
Data
====
tls.key: 1675 bytes
ca.crt: 0 bytes
tls.crt: 3545 bytes
Change ingress.yaml to be production and apply.
sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard created
Remove secret
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:32:45Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 1fab9656-463c-11e9-a2d5-42010a9400fd
Resource Version: 2246373
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T09:34:06Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-06-12T08:34:04Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Generated 33s cert-manager Generated new private key
Normal GenerateSelfSigned 33s cert-manager Generated temporary self signed certificate
Normal OrderCreated 33s cert-manager Created Order resource "quickstart-example-tls-1671619353"
Normal OrderComplete 6s cert-manager Order "quickstart-example-tls-1671619353" completed successfully
Normal CertIssued 6s cert-manager Certificate issued successfully
Check order
$ kubectl describe order quickstart-example-tls-1671619353
Name: quickstart-example-tls-1671619353
Namespace: default
Labels: acme.cert-manager.io/certificate-name=quickstart-example-tls
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Order
Metadata:
Creation Timestamp: 2019-03-14T09:33:39Z
Generation: 1
Owner References:
API Version: certmanager.k8s.io/v1alpha1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Resource Version: 2246369
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/orders/quickstart-example-tls-1671619353
UID: 3fd25e87-463c-11e9-a2d5-42010a9400fd
Spec:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Csr: MIIC...RQ8=
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Status:
Certificate: LS0t...LQo=
Challenges:
Authz URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk
Config:
Http 01:
Ingress Class: nginx
Dns Name: singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Key: tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs.-kMH8oyhdhqKbua2D8gLPi8FxbeW7rYKBB6w1gMRw2w
Token: tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk/270336074
Wildcard: false
Finalize URL: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/8521062/26692657
State: valid
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/8521062/26692657
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 4m27s cert-manager Created Challenge resource "quickstart-example-tls-1671619353-0" for domain "singh.hbot.dev"
Normal OrderValid 4m cert-manager Order completed successfully
Solution:
Thanks to Harsh Manvar
Confirm my issuer url from the running issuer
$ kubectl get issuer letsencrypt-prod -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},"spec":{"acme":{"email":"contact#hbot.io","http01":{},"privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-v02.api.letsencrypt.org/directory"}}}
creationTimestamp: "2019-03-14T09:12:11Z"
generation: 1
name: letsencrypt-prod
namespace: default
resourceVersion: "2242148"
selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
uid: 405fa7af-4639-11e9-a2d5-42010a9400fd
spec:
acme:
email: contact#hbot.io
http01: {}
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
status:
acme:
uri: https://acme-v02.api.letsencrypt.org/acme/acct/53068205
conditions:
- lastTransitionTime: "2019-03-14T09:12:12Z"
message: The ACME account was registered with the ACME server
reason: ACMEAccountRegistered
status: "True"
type: Ready
Check my ingress
$ kubectl get ingress --all-namespaces
NAMESPACE NAME HOSTS ADDRESS PORTS AGE
default kuard singh.hbot.dev 35.198.217.71 80, 443 43m
$ kubectl describe ingress
Name: kuard
Namespace: default
Address: 35.198.217.71
Default backend: default-http-backend:80 (10.48.0.7:8080)
TLS:
quickstart-example-tls terminates singh.hbot.dev
Rules:
Host Path Backends
---- ---- --------
singh.hbot.dev
/ kuard:80 (<none>)
Annotations:
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/acme-challenge-type":"http01","certmanager.k8s.io/issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"kuard","namespace":"default"},"spec":{"rules":[{"host":"singh.hbot.dev","http":{"paths":[{"backend":{"serviceName":"kuard","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["singh.hbot.dev"],"secretName":"quickstart-example-tls"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 43m nginx-ingress-controller Ingress default/kuard
Normal CreateCertificate 43m cert-manager Successfully created Certificate "quickstart-example-tls"
Normal UPDATE 10m (x2 over 43m) nginx-ingress-controller Ingress default/kuard
Normal UpdateCertificate 10m cert-manager Successfully updated Certificate "quickstart-example-tls"
Change issuer to prod
sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard configured
Remove old secret to trigger the process.
sixteen:cert-mgr hellohbot$ kubectl get secret
NAME TYPE DATA AGE
default-token-vnngd kubernetes.io/service-account-token 3 10d
letsencrypt-prod Opaque 1 3d2h
letsencrypt-staging Opaque 1 3d2h
quickstart-example-tls kubernetes.io/tls 3 33m
quickstart-nginx-ingress-token-c4tjk kubernetes.io/service-account-token 3 103m
singh-dev-staging-tls kubernetes.io/tls 3 21h
singh-secret kubernetes.io/tls 3 23h
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
Check the new certificate
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:32:45Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 1fab9656-463c-11e9-a2d5-42010a9400fd
Resource Version: 2252545
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-prod
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T10:06:53Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 33m cert-manager Created Order resource "quickstart-example-tls-1671619353"
Normal OrderComplete 33m cert-manager Order "quickstart-example-tls-1671619353" completed successfully
Normal CertIssued 33m cert-manager Certificate issued successfully
Normal Generated 19s (x2 over 33m) cert-manager Generated new private key
Normal GenerateSelfSigned 19s (x2 over 33m) cert-manager Generated temporary self signed certificate
Normal Cleanup 19s cert-manager Deleting old Order resource "quickstart-example-tls-1671619353"
Normal OrderCreated 19s cert-manager Created Order resource "quickstart-example-tls-2367785339"
in ingress you are using issuer as letsencrypt-staging change it to production and also change tls-secrets it will work
Production url for let's encrypt issuer : https://acme-v02.api.letsencrypt.org/directory
in the issuer you have used the staging url of let's encypt staging server change it to production URL and again try to get tls.cert and key it will run with https://
staging certificate some time not work with https and browser give error it is for testing purpose.
cert-manager and nginx ingress and other things are looking perfect as it should have to be.
I followed https://docs.cert-manager.io/en/venafi/tutorials/quick-start/index.html from start to end and everything seems to be working except that I'm not getting an external ip for my ingress.
NAME HOSTS ADDRESS PORTS AGE
staging-site-ingress staging.site.io,staging.admin.site.io, 80, 443 1h
Altough I'm able to use the nginx ingress controller external ip and use dns to access the sites. When I'm going to the urls I'm being redirected to https, so I assume that's working fine.
It redirects to https but still says "not secured", so he don't get a certificate issued.
When I'm debugging I get the following information:
Ingress:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateCertificate 54m cert-manager Successfully created Certificate "tls-secret-staging"
Normal UPDATE 35m (x3 over 1h) nginx-ingress-controller Ingress staging/staging-site-ingress
Normal CreateCertificate 23m (x2 over 35m) cert-manager Successfully created Certificate "letsencrypt-staging-tls"
Certificate:
Status:
Conditions:
Last Transition Time: 2019-02-27T14:02:29Z
Message: Certificate does not exist
Reason: NotFound
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 3m (x2 over 14m) cert-manager Created Order resource "letsencrypt-staging-tls-593754378"
Secret:
Name: letsencrypt-staging-tls
Namespace: staging
Labels: certmanager.k8s.io/certificate-name=staging-site-io
Annotations: <none>
Type: kubernetes.io/tls
Data
====
ca.crt: 0 bytes
tls.crt: 0 bytes
tls.key: 1679 bytes
Order:
Status:
Certificate: <nil>
Finalize URL:
Reason:
State:
URL:
Events: <none>
So it seems something goes wrong in order and no challenges are created.
Here are my ingress.yaml and issuer.yaml:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: staging-site-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-staging"
certmanager.k8s.io/acme-challenge-type: http01
spec:
tls:
- hosts:
- staging.site.io
- staging.admin.site.io
- staging.api.site.io
secretName: letsencrypt-staging-tls
rules:
- host: staging.site.io
http:
paths:
- backend:
serviceName: frontend-service
servicePort: 80
path: /
- host: staging.admin.site.io
http:
paths:
- backend:
serviceName: frontend-service
servicePort: 80
path: /
- host: staging.api.site.io
http:
paths:
- backend:
serviceName: gateway-service
servicePort: 9000
path: /
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging
namespace: staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: hello#site.io
privateKeySecretRef:
name: letsencrypt-staging-tls
http01: {}
Anyone knows what I can do to fix this or what went wrong? Certmanager is installed correctly 100%, I'm just not sure about the ingress and what went wrong in the order.
Thanks in advance!
EDIT: I found this in the nginx-ingress-controller:
W0227 14:51:02.740081 8 controller.go:1078] Error getting SSL certificate "staging/letsencrypt-staging-tls": local SSL certificate staging/letsencrypt-staging-tls was not found. Using default certificate
It's getting spammed & the CPU load is always at 0.003 and the cpu graph is full (the other services are almost nothing)
I stumbled over the same issue once, following exactly the same official tutorial.
As #mikebridge mentioned, the issue is with Issuer/Secret's namespace mismatch.
For me, the best was to switch from Issuer to ClusterIssuer, which is not scoped to a single namespace.
The reason your certificate order is not completing is because the challenge is failing to successfully complete. Review your solver configuration in either your Issuer or ClusterIssuer.
See my answer here for more details.
https://stackoverflow.com/a/75454772/4820940