Corentin

Reputation: 387

cert-manager issuing too many same certificates when a multi-domains ingress is updated

We're using Kubernetes with ingresses, cert-manager (v1.9.1) and the letsencrypt issuer. Our use case is the following: we have a multitenant solution with 3 services that allow people to change their domain names (1 for each service). Each time someone changes a domain name, it triggers an update of the ingress related to the service. This update triggers the generation of a new order by cert-manager.

We run into 2 issues:

What would be the best strategy to avoid these issues with our use case? (Maybe we would have to create one ingress per domain name? Or is there a way to have one order per certificate and not trigger the regeneration of existing certificates on the update of an ingress?)

--- EDITED ---

Here is the ingress (with {hidden} fields and renaming for privacy):

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: server-ingress
  namespace: {hidden}
  annotations:
    cert-manager.io/issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - test1.customer-domain.fr
        - test1.our-company.com
        - test2.our-company.com
      secretName: our-company-server-tls
  rules:
    - host: test1.customer-domain.fr
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: server-v3-24-5
              servicePort: 8080
    - host: test1.our-company.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: server-v3-24-5
              servicePort: 8080
    - host: test2.our-company.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: server-v3-24-5
              servicePort: 8080
status:
  loadBalancer:
    ingress:
      - ip: {hidden}

Thank you,

Upvotes: 1

Views: 2151

Answers (1)

Adiii

Reputation: 60046

The order created seems to regenerate all the letsencrypt certificates from the ingress and not only the one changed

Based on the discussion, this is because you are using the same secret name for all the hosts in the ingress. You need to have a different secret name for each host in the ingress TLS section; this way it will not recreate the order for all certs.

So this should work:

  tls:
    - secretName: test1.customer-domain.fr
      hosts:
        - test1.customer-domain.fr
    - secretName: test1.our-company.com
      hosts:
        - test1.our-company.com
  rules:
    - host: test1.customer-domain.fr
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: server-v3-24-5
              servicePort: 8080
    - host: test1.our-company.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: server-v3-24-5
              servicePort: 8080

Upvotes: 2
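As an added example (not from the question or the answer above): a small Python script that flags TLS entries whose secretName is shared by several hosts, rewrites them into one entry per host, and then shows why the answer's advice matters by simulating a tenant renaming a domain. cert-manager's ingress-shim creates one Certificate per `spec.tls[]` entry, named after its secretName, carrying all of that entry's hosts as dnsNames; with the shared secret, the single Certificate's dnsNames change and a new Order must validate all three hosts, while with per-host secrets only the renamed host's Certificate gets a new Order. Every needless reissue also counts against Let's Encrypt's rate limits, and a shared certificate lists every tenant's hostname in its SANs. The manifest is constructed from the question and converted to the networking.k8s.io/v1 schema (the Ingress API served on the Kubernetes versions cert-manager v1.9 supports); the `-tls` secret naming convention and the namespace are this example's own assumptions.

```python
"""Detect shared TLS secrets in an Ingress and split them into one entry per host.

cert-manager's ingress-shim creates one Certificate per spec.tls[] entry, named after
that entry's secretName, with all of the entry's hosts as dnsNames. Hosts that share a
secretName therefore share one Certificate: editing any of them changes the dnsNames
and triggers a new Order covering all of them. One secretName per host gives one
Certificate and one Order per host.

Kubernetes manifests are JSON-compatible, so the Ingress is a plain dict here and
`kubectl apply -f` accepts the json.dumps output. Added example with a constructed
manifest, not the original poster's real one.
"""
import json
import re
from copy import deepcopy

HOSTS = ("test1.customer-domain.fr", "test1.our-company.com", "test2.our-company.com")

# Constructed input modelled on the question's manifest, in networking.k8s.io/v1 form.
INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "server-ingress",
        "namespace": "tenants",  # placeholder namespace
        "annotations": {"cert-manager.io/issuer": "letsencrypt-prod"},
    },
    "spec": {
        "ingressClassName": "nginx",
        "tls": [{
            "hosts": list(HOSTS),
            "secretName": "our-company-server-tls",  # one secret -> one cert for all three
        }],
        "rules": [
            {"host": h, "http": {"paths": [{"path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "server-v3-24-5", "port": {"number": 8080}}}}]}}
            for h in HOSTS
        ],
    },
}


def shared_secret_hosts(ingress):
    """Return {secretName: [hosts]} for every TLS entry that covers more than one host."""
    return {e["secretName"]: list(e["hosts"])
            for e in ingress["spec"].get("tls", []) if len(e.get("hosts", [])) > 1}


def secret_name_for_host(host):
    """Derive a Secret name from a host. Secret names are DNS-1123 subdomains
    (lowercase alphanumerics, '-' and '.', at most 253 chars), so dots may stay
    but a wildcard '*' may not. The '-tls' convention is this example's own."""
    name = host.lower().replace("*", "wildcard")
    name = re.sub(r"[^a-z0-9.-]", "-", name).strip(".-")
    return (name + "-tls")[:253]


def split_tls_per_host(ingress):
    """Copy of the Ingress with one tls[] entry (hence one Certificate) per host.
    Entries that already hold a single host keep their secretName; duplicates of a
    host are dropped so two Certificates never compete for the same name."""
    out = deepcopy(ingress)
    new_tls, seen = [], set()
    for entry in out["spec"].get("tls", []):
        hosts = entry.get("hosts", [])
        keep_name = len(hosts) == 1
        for host in hosts:
            if host in seen:
                continue
            seen.add(host)
            secret = entry["secretName"] if keep_name else secret_name_for_host(host)
            new_tls.append({"hosts": [host], "secretName": secret})
    out["spec"]["tls"] = new_tls
    return out


def certificate_dns_names(ingress):
    """{secretName: sorted hosts}: the dnsNames ingress-shim would put on each Certificate."""
    out = {}
    for entry in ingress["spec"].get("tls", []):
        out.setdefault(entry["secretName"], set()).update(entry.get("hosts", []))
    return {name: tuple(sorted(hosts)) for name, hosts in out.items()}


def reissued_on_change(before, after):
    """Certificates whose dnsNames differ between two versions of the Ingress, i.e. the
    ones that get a new Order, mapped to the hosts that Order has to validate."""
    old, new = certificate_dns_names(before), certificate_dns_names(after)
    return {name: hosts for name, hosts in new.items() if old.get(name) != hosts}


def rename_host(ingress, old, new):
    """Simulate a tenant changing their domain: swap the host in tls[] and rules[].
    The secretName is left alone so the replacement cert lands in the same Secret."""
    out = deepcopy(ingress)
    for entry in out["spec"].get("tls", []):
        entry["hosts"] = [new if h == old else h for h in entry["hosts"]]
    for rule in out["spec"].get("rules", []):
        if rule.get("host") == old:
            rule["host"] = new
    return out


if __name__ == "__main__":
    print("hosts sharing a secret:", shared_secret_hosts(INGRESS))
    fixed = split_tls_per_host(INGRESS)
    print(json.dumps(fixed["spec"]["tls"], indent=2))
    old, new = "test1.customer-domain.fr", "test1.new-customer.fr"
    print("shared secret, reissued:", reissued_on_change(INGRESS, rename_host(INGRESS, old, new)))
    print("per-host secrets, reissued:", reissued_on_change(fixed, rename_host(fixed, old, new)))
```

Run the script against a manifest exported with `kubectl get ingress -o json` (replacing the constructed dict) to see which Certificates a domain change would touch; `kubectl get certificate,order -n <namespace>` afterwards confirms that only the renamed host's objects were recreated.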

Related Questions