Ram

Reputation: 693

Unable to assign certificate using Cert-Manager and NGINX ingress controller in GKE

I am using the Nginx Ingress controller (Internal Ingress) and cert-manager 0.15.1 Helm charts. Kubernetes version: 1.14.x

My certificate status is not coming to True. I have tried using both types of challenges, DNS01 and HTTP01. It's the same. Error:

Attaching screenshot: [image: Kubernetes Ingress Controller Fake Certificate]

cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt-staging
 namespace: cert-manager
spec:
 acme:
   # The ACME server URL
   server: https://acme-staging-v02.api.letsencrypt.org/directory
   # Email address used for ACME registration
   email: <email>
   # Name of a secret used to store the ACME account private key
   privateKeySecretRef:
     name: letsencrypt-staging
   # Enable the HTTP-01 challenge provider
   solvers:
   - http01:
       ingress:
         class:  nginx

Ingress.yaml

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-devtools-ilb-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
    - hosts:
        - domain.con
      secretName: create-new-secret
  rules:
    - host: domain.com
      http:
        paths:
          - path: "/"
            backend:
              serviceName: hello-service
              servicePort: hello-port
          - path: "/kube"
            backend:
              serviceName: hello-kubernetes
              servicePort: 80

kubectl describe certificate create-new-secret

Name:         create-new-secret
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-07-19T13:30:01Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  <ingress-name>
    UID:                   f0b74bb6-c903-11ea-9960-4201ac100008
  Resource Version:        521536
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/<namespace>/certificates/create-new-secret
  UID:                     f2b63e87-c9c3-11ea-bb3e-4201ac100004
Spec:
  Dns Names:
    domain.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  create-new-secret
Status:
  Conditions:
    Last Transition Time:  2020-07-19T13:30:02Z
    Message:               Waiting for CertificateRequest "create-new-secret-2447513806" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  3m8s  cert-manager  Generated a new private key
  Normal  Requested     3m8s  cert-manager  Created new CertificateRequest resource "create-new-secret-2447513806"

Please help me in resolving this.

Upvotes: 1

Views: 516

Answers (2)

Ram

Reputation: 693

I was able to resolve this with the help of DNS01.

Letsencrypt-prod certificate issuer ILB

---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: cert-issuer
  namespace: <>
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 
    privateKeySecretRef:
      name: dns-prod-issuer
    solvers:
      - selector: {}
        dns01:
          clouddns:
            project: GCP_project_ID
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: key.json

Letsencrypt-prod certificate

---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: cert
  namespace: <>
spec:
  secretName: cert-secret
  issuerRef:
    name: cert-issuer
    kind: Issuer
  dnsNames:
    - host.domain.com
    - www.host.domain.com

Ingress

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
    - host: host.domain.com
      http:
        paths:
          - path: "/"
            backend:
              serviceName: 
              servicePort: 
  tls:
    - hosts:
        - host.domain.com
      secretName: cert-secret

Upvotes: 0

Mr.KoopaKiller

Reputation: 3962

It happens because you are using the staging server from Let's Encrypt. The staging server is used only for tests, and after you consider it OK you can move to the production servers.

You need to create a new issuer using these examples.

After that, change your ingress annotation to:

cert-manager.io/issuer: "letsencrypt-production"

References:

https://letsencrypt.org/docs/staging-environment/

Upvotes: 0
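Added here as an illustration of how the mismatches visible in this thread can be caught by a manifest check before going through the CertificateRequest, Order and Challenge objects; it is not code from the question, the answers or the cert-manager project. The checks mirror cert-manager's documented resolution rules: the cert-manager.io/issuer annotation references a namespaced Issuer (the describe output above shows Issuer Ref Kind: Issuer, while the question creates a ClusterIssuer of that name), cert-manager.io/cluster-issuer references a ClusterIssuer, ingress-shim copies tls.hosts into the Certificate's dnsNames (the question's tls host reads domain.con while the rule and the describe output say domain.com), and an acme-staging server URL means a certificate browsers do not trust, which is the point of the second answer. Manifests are plain dicts in the shape yaml.safe_load would return, so PyYAML is not needed; the namespace value devtools and the manifests themselves are constructed from the thread.

```python
"""Consistency checks for cert-manager Issuer/ClusterIssuer, Certificate and
Ingress manifests (added example, not cert-manager's own code)."""

STAGING_MARKER = "acme-staging"

# Constructed manifests mirroring the question: a ClusterIssuer named
# letsencrypt-staging, and an Ingress whose cert-manager.io/issuer annotation
# asks for a namespaced Issuer of that name and whose tls host is misspelled.
QUESTION_MANIFESTS = [
    {
        "kind": "ClusterIssuer",
        "metadata": {"name": "letsencrypt-staging"},
        "spec": {"acme": {"server": "https://acme-staging-v02.api.letsencrypt.org/directory"}},
    },
    {
        "kind": "Ingress",
        "metadata": {
            "name": "ingress-devtools-ilb-https",
            "namespace": "devtools",  # constructed; the post redacts the namespace
            "annotations": {"cert-manager.io/issuer": "letsencrypt-staging"},
        },
        "spec": {
            "tls": [{"hosts": ["domain.con"], "secretName": "create-new-secret"}],
            "rules": [{"host": "domain.com"}],
        },
    },
]

# Same resources with the two mismatches corrected; only the staging warning remains.
FIXED_MANIFESTS = [
    QUESTION_MANIFESTS[0],
    {
        "kind": "Ingress",
        "metadata": {
            "name": "ingress-devtools-ilb-https",
            "namespace": "devtools",
            "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-staging"},
        },
        "spec": {
            "tls": [{"hosts": ["domain.com"], "secretName": "create-new-secret"}],
            "rules": [{"host": "domain.com"}],
        },
    },
]


def index_issuers(manifests):
    """Index Issuers by (namespace, name) and ClusterIssuers by name."""
    namespaced, cluster = {}, {}
    for m in manifests:
        meta = m.get("metadata", {})
        if m.get("kind") == "Issuer":
            namespaced[(meta.get("namespace"), meta["name"])] = m
        elif m.get("kind") == "ClusterIssuer":
            cluster[meta["name"]] = m
    return namespaced, cluster


def check_issuer_ref(kind, name, namespace, namespaced, cluster, where):
    """Resolve an issuer reference the way cert-manager does and report problems."""
    if kind == "Issuer":
        issuer = namespaced.get((namespace, name))
        if issuer is None:
            msg = f"{where}: Issuer {name!r} not found in namespace {namespace!r}"
            if name in cluster:
                msg += (" (a ClusterIssuer of that name exists: use the "
                        "cert-manager.io/cluster-issuer annotation or kind: ClusterIssuer)")
            return [msg]
    else:
        issuer = cluster.get(name)
        if issuer is None:
            return [f"{where}: ClusterIssuer {name!r} not found"]
    server = issuer.get("spec", {}).get("acme", {}).get("server", "")
    if STAGING_MARKER in server:
        return [f"{where}: {kind} {name!r} uses the Let's Encrypt staging ACME server; "
                "its certificates are not trusted by browsers"]
    return []


def lint(manifests):
    """Return a list of human-readable findings for the given manifests."""
    namespaced, cluster = index_issuers(manifests)
    findings = []
    for m in manifests:
        kind, meta, spec = m.get("kind"), m.get("metadata", {}), m.get("spec", {})
        ns, where = meta.get("namespace"), f"{kind}/{meta.get('name')}"
        if kind == "Ingress":
            ann = meta.get("annotations", {})
            if "cert-manager.io/issuer" in ann:
                findings += check_issuer_ref("Issuer", ann["cert-manager.io/issuer"],
                                             ns, namespaced, cluster, where)
            if "cert-manager.io/cluster-issuer" in ann:
                findings += check_issuer_ref("ClusterIssuer", ann["cert-manager.io/cluster-issuer"],
                                             ns, namespaced, cluster, where)
            # ingress-shim copies tls.hosts into the Certificate's dnsNames, so a
            # tls host that no rule serves is almost always a typo and would be
            # the name requested from the CA.
            rule_hosts = {r.get("host") for r in spec.get("rules", []) if r.get("host")}
            for tls in spec.get("tls", []):
                for host in tls.get("hosts", []):
                    if host not in rule_hosts:
                        findings.append(f"{where}: tls host {host!r} is not served by any rule "
                                        f"(rule hosts: {sorted(rule_hosts)})")
        elif kind == "Certificate":
            ref = spec.get("issuerRef", {})  # kind defaults to Issuer in cert-manager
            findings += check_issuer_ref(ref.get("kind", "Issuer"), ref.get("name"),
                                         ns, namespaced, cluster, where)
    return findings


if __name__ == "__main__":
    for label, manifests in (("question", QUESTION_MANIFESTS), ("fixed", FIXED_MANIFESTS)):
        print(f"== {label} ==")
        for finding in lint(manifests) or ["no findings"]:
            print(" -", finding)
```

Run against the question's manifests the check reports the Issuer/ClusterIssuer mismatch and the domain.con host; against the corrected pair only the staging warning remains, which is what the second answer addresses by switching to the production ACME server.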
