Is the annotation cert-manager.io/cluster-issuer: acme-issuer enough to generate a TLS certificate?
From the cert-manager doc: adding the annotation cert-manager.io/cluster-issuer: acme-issuer to an Ingress object should trigger the shim, request a certificate from this issuer, and store the certificate (without any namespace?) (with which name?).
I tried this and it does nothing. Adding a tls: section to the YAML definition of the Ingress does trigger the shim, request a certificate and store it in the same namespace as the Ingress.
Does this mean the doc is incorrect, or should it really work without a tls: section?
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: acme-issuer
    kubernetes.io/ingress.class: nginx
  name: my-ingress-name
  namespace: mynamespace
spec:
  rules:
  - host: some.domain.eu
    http:
      paths:
      - backend:
          serviceName: my-service-name
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - some.domain.eu
    secretName: secret-storage-key-for-tls-cert
```
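The behaviour the question describes, modelled offline as an added example (this is not the asker's code and not cert-manager's own source). It encodes the shim's documented rule: a Certificate is only created when the Ingress carries an issuer annotation and a spec.tls entry with a secretName, and that Certificate is named after the secretName, in the Ingress's namespace, with the entry's hosts as dnsNames. That also covers the "with which name" and "which namespace" parts of the question. The sample Ingress dicts, the `default` namespace fallback and the blocker messages are constructed for the example; the Certificate apiVersion follows the one used on this page.

```python
"""Offline model of what cert-manager's ingress-shim derives from an Ingress.

Added example, not code from the original post and not cert-manager's source.
It encodes the documented rule: the shim acts only on an Ingress that carries
an issuer annotation AND a spec.tls entry with a secretName; for each such
entry it creates a Certificate named after the secretName, in the Ingress's
namespace, with the entry's hosts as dnsNames. apiVersion follows this page.
"""
import json

# Annotation -> issuerRef.kind. The cluster-issuer annotation from the
# question yields a ClusterIssuer reference (cluster-scoped, no namespace).
ISSUER_ANNOTATIONS = {
    "cert-manager.io/cluster-issuer": "ClusterIssuer",
    "cert-manager.io/issuer": "Issuer",
}


def issuer_ref_from_annotations(annotations):
    """Return the issuerRef the shim would use, or None without an annotation."""
    for annotation, kind in ISSUER_ANNOTATIONS.items():
        if annotation in annotations:
            return {"name": annotations[annotation], "kind": kind,
                    "group": "cert-manager.io"}
    return None


def shim_blockers(ingress):
    """List why the shim would create nothing; empty means it will act."""
    reasons = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if issuer_ref_from_annotations(annotations) is None:
        reasons.append("no cert-manager.io/issuer or cluster-issuer annotation")
    tls_entries = ingress.get("spec", {}).get("tls") or []
    if not tls_entries:
        reasons.append("spec.tls is missing: the shim has no secretName to fill")
    for i, entry in enumerate(tls_entries):
        if not entry.get("secretName"):
            reasons.append("spec.tls[%d] has no secretName" % i)
        if not entry.get("hosts"):
            reasons.append("spec.tls[%d] has no hosts, so no dnsNames" % i)
    return reasons


def certificates_for_ingress(ingress):
    """Return the Certificate manifests (as dicts) the shim would create."""
    meta = ingress.get("metadata", {})
    issuer_ref = issuer_ref_from_annotations(meta.get("annotations") or {})
    if issuer_ref is None:
        return []
    certs = []
    for entry in ingress.get("spec", {}).get("tls") or []:
        secret_name = entry.get("secretName")
        hosts = entry.get("hosts") or []
        if not secret_name or not hosts:
            continue  # skipped entries are reported by shim_blockers()
        certs.append({
            "apiVersion": "cert-manager.io/v1alpha2",
            "kind": "Certificate",
            # Certificate and resulting Secret are named after secretName
            # and live in the Ingress's namespace.
            "metadata": {"name": secret_name,
                         "namespace": meta.get("namespace", "default")},
            "spec": {"secretName": secret_name, "dnsNames": list(hosts),
                     "issuerRef": issuer_ref},
        })
    return certs


# Constructed sample mirroring the question's Ingress (not a live object).
INGRESS_WITH_TLS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "my-ingress-name", "namespace": "mynamespace",
                 "annotations": {"cert-manager.io/cluster-issuer": "acme-issuer",
                                 "kubernetes.io/ingress.class": "nginx"}},
    "spec": {
        "rules": [{"host": "some.domain.eu", "http": {"paths": [{"path": "/",
                   "backend": {"serviceName": "my-service-name", "servicePort": 5000}}]}}],
        "tls": [{"hosts": ["some.domain.eu"],
                 "secretName": "secret-storage-key-for-tls-cert"}],
    },
}

# Same Ingress with the tls: block dropped, as in the question's first attempt.
INGRESS_WITHOUT_TLS = json.loads(json.dumps(INGRESS_WITH_TLS))
del INGRESS_WITHOUT_TLS["spec"]["tls"]

if __name__ == "__main__":
    for label, ing in (("with tls", INGRESS_WITH_TLS),
                       ("without tls", INGRESS_WITHOUT_TLS)):
        print("== %s ==" % label)
        print("blockers:", shim_blockers(ing) or "none")
        print(json.dumps(certificates_for_ingress(ing), indent=2))
```

Running it prints one Certificate, `secret-storage-key-for-tls-cert` in `mynamespace` referencing the `acme-issuer` ClusterIssuer, for the Ingress with a tls block and nothing for the copy without it; `shim_blockers` names the missing piece, which is the first thing to check before digging into cert-manager logs.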
Solution 1:[1]
If you created the issuer correctly, then you need to create a Certificate, so the issuer can issue the certificate using the information you have in the Certificate resource, and populate the secret:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certname
spec:
  # Secret (in the Certificate's namespace) that will receive tls.crt and tls.key
  secretName: secretName
  issuerRef:
    name: letsencrypt-prod
    # Required when the issuer is a ClusterIssuer; without kind it defaults to a namespaced Issuer
    kind: ClusterIssuer
  commonName: <the CN>
  dnsNames:
  - <name>
```
Once you have this resource, it should create a secret containing the TLS certificates and store it under the name given in secretName.
Solution 2:[2]
I'm using it like you, and it creates my TLS fine. But the name of privateKeySecretRef is equal to the ClusterIssuer name. The tls section is needed on the Ingress.
Using:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Secret holding the ACME account private key, named like the ClusterIssuer here
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```
Check the certificate status to debug:
```shell
kubectl get certificate -o wide
```
If the status refers to a CertificateRequest:
```shell
kubectl get CertificateRequest -o wide
```
Solution 3:[3]
I do not know if you resolved your issue, but try to check the following:
- Check if your ingressClass is indeed nginx (`kubectl get ingressClass`). If you are using only one ingressClass and there is no other ingress-controller installed on your cluster, you may not need to specify the class name.
- Also, which version of cert-manager are you using? I know the annotations have been changed, so if you have a very old cert-manager, the annotation may not be the correct one.
- Once you create the ingress, check if you have an acme pod and ingress created for the HTTP01 challenge verification, and also check the status of the Certificate, CertificateRequest, Order and Challenge (e.g. `kubectl describe certificate <your_certificate_object>`).
- Also check the cert-manager logs to see if there are any other issues happening.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Burak Serdar |
| Solution 2 | Newton José |
| Solution 3 | dcardozo |
