注释 cert-manager.io/cluster-issuer: acme-issuer 是否足以生成 TLS 证书？

Question

From the cert-manager doc: adding the annotation cert-manager.io/cluster-issuer: acme-issuer to an Ingress object should trigger the shim, request a certificate to this issuer, and store the certificate (without any namespace?) (with which name?).

I tried this and it does nothing. Adding a tls: section to the yaml definition of the Ingress does trigger the shim, request a certificate and store it in the same namespace as the Ingress .

This means the doc is incorrect, or should it really work without a tls: section?

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: acme-issuer
    kubernetes.io/ingress.class: nginx
  name: my-ingress-name
  namespace: mynamespace
spec:
  rules:
  - host: some.domain.eu
    http:
      paths:
      - backend:
          serviceName: my-service-name
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - some.domain.eu
    secretName: secret-storage-key-for-tls-cert

Answer 1

If you created the issuer correctly, then you need to create a Certificate, so the issuer can issue the certificate using the information you have in the Certificate resource, and populate the secret:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certname
spec:
  secretName: secretName
  issuerRef:
    name: letsencrypt-prod
  commonName: <the CN>
  dnsNames:
  - <name>

Once you have this resource, it should create a secret containing the TLS certificates, and store it in secretName .

Answer 2

I'm using like you, and that create my TLS ok. But the name of privateKeySecretRef is igual ClusterIssuer name. The tls section is needed on ingress .

Using:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx

Chek the certificate status to debug:

kubectl get certificate -o wide

If the status CertificateRequest

kubectl get CertificateRequest -o wide

Answer 3

i do not know if you resolved your issue but try to check the following:

• Check if your ingressClass is indeed nginx ( kubectl get ingressClass )
• If you are using only one ingressClass and there is no other ingress-controller installed on your cluster you may not need to specify the class name
• Also which version of cert-manager are you using? I know the annotations has been changed, so if you have a very old cert-manager, the annotation may not be the correct one.
• Once you create the ingress, check if you have an acme-pod and ingress created for the HTTP01 challenge verification and also check the status of the certificate , CertificateRequest , Order and Challenge ( eg: kubectl describe certificate <your_certificate_object> )
• Also check on the cert-manager logs to see if there any other issues happening.