kubernetes certs not working with let's encrypt cert-manager

Question

I can't seem to get cert-manager working:

$ kubectl get certificates -o wide
NAME         READY   SECRET       ISSUER        STATUS                                         AGE
tls-secret   False   tls-secret   letsencrypt   Issuing certificate as Secret does not exist   115m

$ kubectl get CertificateRequest -o wide
NAME               READY   ISSUER        STATUS                                                                                        AGE
tls-secret-xxxx   False   letsencrypt   Referenced "ClusterIssuer" not found: clusterissuer.cert-manager.io "letsencrypt" not found   113m

my certificate.yaml is :

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret
  namespace: default
spec:
  secretName: tls-secret
  dnsNames:
  - aks-xxxx.xxxxx.xxxx.aksapp.io
  acme:
    config:
    - http01:
        ingress:
          name: xxxxxx
      domains:
      - aks-xxxx.xxxxx.xxxx.aksapp.io
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

When i get cluster issuers

  $ kubectl get clusterissuers
    No resources found

any idea whats wrong?

Answer 1

You have not created the clusterissuers so it wont be there.

As you have created the certificate you can try the

kubectl get certificate

Your error is clearly saying the issue you have to create the clusterissuers

Referenced "ClusterIssuer" not found: clusterissuer.cert-manager.io "letsencrypt" not found

Cert-manager site : https://cert-manager.io/docs/

Installation : https://cert-manager.io/docs/installation/

in single line just apply :

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml

how to configure & setup the clusterissuer : https://cert-manager.io/docs/configuration/acme/

Example of cluster issuer & ingress

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

Answer 2

Try with the latest cert-manager. You'll also need issuer.yaml if you haven't set it up already