如何在我的 kubernetes 服务中使用证书管理器 letencrypt-prod？

Question

I have 4 yaml file

1. Deployment.yaml
2. Service.yaml
3. Ingress.yaml
4. issuer.yaml

I want to use letsencrypt-prod for my service for certification . But it doesn't work.

When I use to be sure ingress is working or issuer is working both of them are done!

kubectl get ing

kubectl get issuer

But when I run:

kubectl get cert

Cert is not readt during 2 days . Like below: it creates problem like below. certification is not binding mandrakee.xyz.Mandrakee.xyz looks still not secure! how can I make my website secyre via cert manager? Deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo-server
  template:
    metadata:
      labels:
        app: echo-server
    spec:
      containers:
      - name: httpapi-host
        image: jmalloc/echo-server
        imagePullPolicy: Always
        resources:
          requests:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80                                     

Service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: echo-service
spec:
  ports:
    - name: http-port
      port: 80
      targetPort: 8080
  selector:
    app: echo-server

Ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: ambassador
    cert-manager.io/issuer: letsencrypt-prod
  name: test-ingress
spec:
  tls:
    - hosts:
        - mandrakee.xyz
      secretName: letsencrypt-prod 
  rules:
  - host: mandrakee.xyz
    http:
      paths:
      - backend:
          service:
            name: echo-service
            port: 
              number: 80
        path: /
        pathType: Prefix

issuer.yaml:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: ykaratoprak@sphereinc.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        digitalocean:
          tokenSecretRef:
            name: digitalocean-dns
            key: ce28952b5b4e33ea7d98de190f3148a7cc82d31f030bde966ad13b22c1abc524

Answer 1

If you have setup your issuer correctly, which you have assured us, you will see in your namespace a pod belonging to cert manager. This creates a pod that will validate that the server requesting the certificate resolves to the DNS record.

In your case, you would need to point your DNS towards your ingress.

If this is done successfully, then the next stage of debugging is to validate that both 443 and 80 can be resolved. The Validation Pod created by Cert Manager uses port 80 to validate the communication. A common mistake people make is assuming that they will only use port 443 for ssl and disable 80 for security reasons to find out later that letsencrypt can't validate the hostname without port 80.

Otherwise, the common scenario is that cert-manager is installed in the namespace cert-manager and so you should check the logs of the manager. This will provided a limited amount of logs and can be sometimes cryptic to finding the remedy to your issues.

To find the direct error, the pod spawned by cert-manager in the namespace you have deployed the ingress is a good place to focus.

A test I would run is to setup the ingress with both 80 and 443, if you use your domain from your browser you should get some invalid kubernetes generic certificates response on the port 443 and just "Not Found" on port 80. If this is successful, it rules out the limitation I have mentioned before.