
I don’t understand why I can’t get certificates on K8S using cert-manager

  • I installed cert-manager: https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml

  • I created ClusterIssuer

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        email: [email protected]
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: example-issuer-account-key
        solvers:
        - http01:
            ingress:
              class: nginx
    
  • I created ingress

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-staging
    spec:
      rules:
        - host: mytest.example.fr
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: webapp
                    port:
                      number: 80
      tls:
        - hosts:
            - mytest.example.fr
          secretName: letsencrypt-staging
    


But when I try to get a certificate I get ‘no resources found’

Any idea?

Thank you for your help

2 Answers


  1. Certificates are not created automatically by cert-manager.
    You have to create a YAML yourself and use the issuer name that you have already created.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: my-certificate
      namespace: default
    spec:
      secretName: set-a-new-name-here
      issuerRef:
        name: letsencrypt-staging
        kind: ClusterIssuer
      commonName: mytest.example.fr
      dnsNames:
        - mytest.example.fr
    
  2. If you don’t want to create a kind Certificate, you can use:

    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: cluster-issuer-name
      namespace: development
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: [email protected]
        privateKeySecretRef:
          name: secret-name
        solvers:
        - http01:
            ingress:
              class: nginx-class-name
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx-class-name
        cert-manager.io/cluster-issuer: cluster-issuer-name
        nginx.ingress.kubernetes.io/rewrite-target: /
      name: example-ingress
    spec:
      rules:
      - host: sub.example.com
        http:
          .
          . #Path and service configs
          .
          .
      tls:
      - hosts:
        - sub.example.com
        secretName: secret-name
    

    The ingress will call the ClusterIssuer and it will auto-create the certificate for you.

    Update the ingress resources as needed if you are on a higher version, 1.18 or above.

    Notes

    • Make sure you are using the URL https://acme-v02.api.letsencrypt.org/directory in the ClusterIssuer, or else you will get a fake certificate in the browser.

    • For reference you can read more here:
      https://stackoverflow.com/a/55183209/5525824

    • Also make sure your ingress is pointing to the proper ClusterIssuer if
      you have created a new one.

    • Also, don’t use the same privateKeySecretRef: name: secret-name; you
      need to delete it or use a new name, as the fake certificate is
      now stored in that secret.

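The manifest-level points raised in the answers above (the issuer annotation on the Ingress, the staging versus production ACME URL, the secret names), as an added example that is not part of the original posts: a small Python check run over the question's ClusterIssuer and Ingress, reduced to dicts. The function name `lint` and its messages are hypothetical, and the check reads manifests only, not cluster state.

```python
# Added example: static checks on a ClusterIssuer/Ingress pair, given as dicts
# parsed from the YAML manifests. lint() is a hypothetical helper name.
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
ANNOTATION = "cert-manager.io/cluster-issuer"

def lint(issuer, ingress):
    """Return human-readable findings; an empty list means no check fired."""
    findings = []
    meta, spec = ingress.get("metadata", {}), ingress.get("spec", {})
    acme = issuer["spec"]["acme"]
    if not meta.get("name"):
        findings.append("ingress: metadata.name is missing")
    ref = meta.get("annotations", {}).get(ANNOTATION)
    if ref != issuer["metadata"]["name"]:
        findings.append(f"ingress: {ANNOTATION} is {ref!r}, not this issuer")
    if acme["server"] == STAGING:
        findings.append("issuer: staging ACME server, browsers will not trust its certificates")
    tls = spec.get("tls", [])
    if not tls:
        findings.append("ingress: no spec.tls entry to name the certificate secret")
    rule_hosts = {rule.get("host") for rule in spec.get("rules", [])}
    for entry in tls:
        secret = entry.get("secretName")
        if not secret:
            findings.append("ingress: tls entry has no secretName")
        elif secret == acme["privateKeySecretRef"]["name"]:
            findings.append("ingress: tls secretName equals the issuer's account-key "
                            "secret name (they collide if both are in one namespace)")
        for host in sorted(set(entry.get("hosts", [])) - rule_hosts):
            findings.append(f"ingress: tls host {host} is not in spec.rules")
    return findings

# Constructed sample input: the question's manifests, reduced to the checked fields.
QUESTION_ISSUER = {
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {"acme": {"server": STAGING,
                      "privateKeySecretRef": {"name": "example-issuer-account-key"}}},
}
QUESTION_INGRESS = {
    "metadata": {"annotations": {ANNOTATION: "letsencrypt-staging"}},
    "spec": {"rules": [{"host": "mytest.example.fr"}],
             "tls": [{"hosts": ["mytest.example.fr"], "secretName": "letsencrypt-staging"}]},
}

if __name__ == "__main__":
    for finding in lint(QUESTION_ISSUER, QUESTION_INGRESS):
        print(finding)
```
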