1

I don't understand why I can't get certificates on K8S using cert-manager

  • I installed cert-manager: https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml

  • I created ClusterIssuer

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        email: user@example.com
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: example-issuer-account-key
        solvers:
        - http01:
            ingress:
              class: nginx
    
  • I created ingress

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-staging
    spec:
      rules:
        - host: mytest.example.fr
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: webapp
                    port:
                      number: 80
      tls:
        - hosts:
            - mytest.example.fr
          secretName: letsencrypt-staging
    

But when I try to get a certificate I get 'no resources found'.

Any idea?

Thank you for your help

btbenjamin
  • Which version of Kubernetes did you use and how did you set up your cluster? Did you use a bare metal installation or some cloud provider? Could you attach a yaml file of your ingress? – kkopczak Feb 14 '22 at 20:10
  • K8S version 1.22.2. I just copied my ingress into the post. I'm using the OVH provider. – btbenjamin Feb 15 '22 at 08:43

2 Answers

2

If you don't want to create a resource of kind Certificate, you can use:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      .
      . #Path and service configs
      .
      .
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

The Ingress will call the ClusterIssuer and it will auto-create the certificate for you.

Update the Ingress resources as needed if you are on version 1.18 or above.

Notes

  • Make sure you are using the URL https://acme-v02.api.letsencrypt.org/directory in the ClusterIssuer, or else you will get a fake certificate in the browser.

  • For reference you can read more here: https://stackoverflow.com/a/55183209/5525824

  • Also make sure your Ingress is pointing to the proper ClusterIssuer if you have created a new one.

  • Also, don't use the same privateKeySecretRef: name: secret-name; you need to delete it or use a new name, as the fake certificate is now stored in that secret.

Harsh Manvar
  • I respect all your bullet points, but when I call `kubectl get certificates -A` I get **No resources found** – btbenjamin Feb 15 '22 at 16:35
  • Check logs of cert manager and event of clusterissuer by describing resource – Harsh Manvar Feb 15 '22 at 16:38
  • 1
    Thank you for your help, you guided me to find my problem. I installed with kubectl apply -f https://github.com/cert-manager/cert-manager.... (but no pod was created). So I installed with Helm and now the pods (cert-manager pod) are created and it works – btbenjamin Feb 16 '22 at 07:54
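
The state found in the comments above (the CRD manifest was applied, but no cert-manager pod existed, so `kubectl get certificates -A` returned "No resources found") can be told apart from the other install states with two kubectl listings. This is an added example, not code from the question or the answers; it assumes the `cert-manager` namespace and the default pod name prefixes, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Pod name prefixes assume the
# default names cert-manager, cert-manager-webhook and cert-manager-cainjector.

# ready_count PODS REGEX: count Running, fully ready pods whose name matches.
ready_count() {
  printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ pat && $3 == "Running" {
      split($2, r, "/"); if (r[1] + 0 > 0 && r[1] + 0 == r[2] + 0) n++
    } END { print n + 0 }'
}

# classify_install CRDS PODS
#   CRDS: output of  kubectl get crd -o name
#   PODS: output of  kubectl get pods -n cert-manager --no-headers
classify_install() {
  if ! printf '%s\n' "$1" | grep -q '/certificates\.cert-manager\.io$'; then
    echo "no-crds"; return 0        # the Certificate kind is unknown to the API server
  fi
  all=$(ready_count "$2" '^cert-manager-')
  webhook=$(ready_count "$2" '^cert-manager-webhook-')
  cainjector=$(ready_count "$2" '^cert-manager-cainjector-')
  if [ $((all - webhook - cainjector)) -eq 0 ]; then
    echo "no-controller"; return 0  # kinds exist, but nothing reads the Ingress annotation
  fi
  if [ "$webhook" -eq 0 ]; then
    echo "webhook-down"; return 0   # controller runs, but the webhook is not ready
  fi
  echo "controller-ready"           # next: kubectl describe certificate,certificaterequest,order,challenge
}

# Constructed sample listings (not captured from a real cluster).
SAMPLE_CRDS='customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io'
SAMPLE_PODS='cert-manager-5c6866597-zw7kh              1/1  Running  0  5m
cert-manager-cainjector-577f6d9fd7-tr77l  1/1  Running  0  5m
cert-manager-webhook-787858fcdb-nlzsq     1/1  Running  0  5m'

echo "CRDs applied, no pods:  $(classify_install "$SAMPLE_CRDS" "")"
echo "full install:           $(classify_install "$SAMPLE_CRDS" "$SAMPLE_PODS")"
```

Against a live cluster, call it as `classify_install "$(kubectl get crd -o name)" "$(kubectl get pods -n cert-manager --no-headers 2>/dev/null)"`.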
0

Certificates are not created automatically by cert-manager. You have to create a YAML yourself. And use the issuer name that you have already created

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: default
spec:
  secretName: set-a-new-name-here
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: mytest.example.fr
  dnsNames:
    - mytest.example.fr

Keval Bhogayata
  • Thank you, I created it but nothing changes. On `kubectl describe certificate` I see the certificate but I always got the HTTPS error: *kubernetes ingress controller fake certificate* – btbenjamin Feb 15 '22 at 13:15
  • No, I switch with production `letsencrypt-prod` + `https://acme-v02.api.letsencrypt.org/directory` – btbenjamin Feb 15 '22 at 13:18