6

We have set up a Kubernetes cluster on our bare metal server.

We deploy our application where each namespace is an application for the end customer, i.e. customer1.mydomain.com -> namespace: cust1

We keep on getting the Kubernetes Ingress Controller Fake Certificate.

We have purchased our own wildcard certificates *.mydomain.com

```
kubectl create secret tls OUR-SECRET --key /path/private.key --cert /path/chain.crt -n ingress-nginx
kubectl create secret tls OUR-SECRET --key /path/private.key --cert /path/chain.crt -n kube-system
```

ingress.yaml

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: ourcloud
  namespace: cert-manager
spec:
  secretName: oursecret
  issuerRef:
    name: letsencrypt-prod
  commonName: '*.mydomain.com'
  acme:
    config:
    - dns01:
        provider: cf-dns-prod
      domains:
      - '*.mydomain.com'
```

```
kubectl apply -f ingress.yaml
certificate.certmanager.k8s.io/ourcloud created
```

https://cust1.mydomain.com connects with Kubernetes Ingress Controller Fake Certificate

Jujhar Singh
Emenden1
  • Have you tried following this [guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html)? – Crou Apr 15 '19 at 11:53

2 Answers

4

I found the problem. I had the wrong filename in my yaml for the certificate files. It's always good to look at the ingress logs:

```
kubectl logs nginx-ingress-controller-689498bc7c-tf5 -n ingress-nginx

kubectl get -o yaml ingress --all-namespaces
```

Try to recreate the secret from files and see if it works.

```
kubectl delete -n cust4 secret SECRETNAME

kubectl -n cust4 create secret tls SECRETNAME --key key.key --cert cert.crt
```
Emenden1
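A check for the failure described in the question, as an added example that is not part of the original posts: an Ingress can only use a TLS secret from its own namespace, so a secret that exists only in `ingress-nginx` or `kube-system` cannot be used by an Ingress in `cust1`. The names `find_tls_problems`, `make_obj` and `wildcard-tls` and the sample objects are constructed for illustration; the input is assumed to be the `items` list from `kubectl get ingress,secret --all-namespaces -o json`.

```python
# Added example: find Ingress TLS references that cannot resolve to a usable secret.
# Input: the "items" list from `kubectl get ingress,secret --all-namespaces -o json`.

def find_tls_problems(items):
    """Return sorted (namespace, ingress, problem) tuples."""
    secrets = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
               for i in items if i["kind"] == "Secret"}
    problems = []
    for ing in (i for i in items if i["kind"] == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for tls in ing["spec"].get("tls", []):
            ref = tls.get("secretName")
            if not ref:
                problems.append((ns, name, "tls entry has no secretName"))
                continue
            secret = secrets.get((ns, ref))
            if secret is None:
                # A secret with the same name in another namespace does not count.
                elsewhere = sorted(n for (n, s) in secrets if s == ref)
                where = f"; found in {', '.join(elsewhere)}" if elsewhere else ""
                problems.append((ns, name, f"secret {ref} not in namespace {ns}{where}"))
            elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
                problems.append((ns, name, f"secret {ref} lacks tls.crt/tls.key"))
    return sorted(problems)


def make_obj(kind, ns, name, **extra):
    """Build a minimal constructed API object for the sample below."""
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, **extra}


# Constructed sample mirroring the question: the wildcard secret was created in
# ingress-nginx and kube-system (and, as in the answer, in cust4), not in cust1.
PEM = {"tls.crt": "", "tls.key": ""}  # placeholder values, contents not inspected
SAMPLE = [
    make_obj("Secret", "ingress-nginx", "wildcard-tls", data=PEM),
    make_obj("Secret", "kube-system", "wildcard-tls", data=PEM),
    make_obj("Secret", "cust4", "wildcard-tls", data=PEM),
    make_obj("Ingress", "cust1", "app", spec={"tls": [
        {"hosts": ["cust1.mydomain.com"], "secretName": "wildcard-tls"}]}),
    make_obj("Ingress", "cust4", "app", spec={"tls": [
        {"hosts": ["cust4.mydomain.com"], "secretName": "wildcard-tls"}]}),
]

if __name__ == "__main__":
    for ns, name, problem in find_tls_problems(SAMPLE):
        print(f"{ns}/{name}: {problem}")
```

Only the `cust1` Ingress is reported in the sample, because `cust4` has its own copy of the secret.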
3

If you are using Helm and cert manager, make sure each ingress resource has a different certificate name. These values are usually set from the values file in a helm chart.

```yaml
tls:
  - secretName: <give certificate name>
    hosts:
      - example.com
```

To avoid a name collision, you can check the available certificates with the following command, if you have successfully deployed your ingress resources:

```
kubectl get certificates
```

Margach Chris
  • `> kubectl get certificates` -> `error: the server doesn't have a resource type "certificates"` – Ich Sep 06 '19 at 09:02
  • It means no certificates have been created yet on the server, have you deployed ingress resources yet? `kubectl get ingress` to check – Margach Chris Sep 10 '19 at 15:24
  • The certificate resources will be automatically created when you deploy your ingress resources. – Margach Chris Sep 10 '19 at 15:32
  • The `Certificate` resource does not come from NGINX Ingress. Instead, that resource type is installed on your cluster when you install the `cert-manager` service. – Trevor Sullivan Apr 28 '22 at 15:51