I have an issue with a certificate from Let's Encrypt in Kubernetes on Azure AKS. It seems to be valid in k8s, but web browsers show "Kubernetes Ingress Controller Fake Certificate". Following the steps from https://cert-manager.io/docs/troubleshooting/ to describe my state:
kubectl get certificates --all-namespaces
NAMESPACE NAME READY SECRET AGE
gap tls-secret True tls-secret 5h29m
kubectl get CertificateRequests --all-namespaces
NAMESPACE NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
gap tls-secret-h8xvm True True letsencrypt-prod system:serviceaccount:ingress-basic:cert-manager 5h31m
kubectl get clusterissuer --all-namespaces
NAME READY AGE
letsencrypt-prod True 5h45m
kubectl describe clusterissuer letsencrypt-prod
...
Spec:
  Acme:
    Email:            aaa@company.com
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
          Pod Template:
            Metadata:
            Spec:
              Node Selector:
                kubernetes.io/os:  linux
Status:
  Acme:
    Last Registered Email:  aaa@company.com
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXX
  Conditions:
    Last Transition Time:  2022-09-07T15:05:07Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:  <none>
kubectl get order --all-namespaces
NAMESPACE NAME STATE AGE
gap tls-secret-h8xvm-907122039 valid 5h38m
kubectl describe order -n gap tls-secret-h8xvm-907122039
Spec:
  Dns Names:
    my.app.com
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-prod
  Request:  XXXXXXXXX
Status:
  Authorizations:
    Challenges:
      Token:  XXXXXXXXXXX
      Type:   http-01
      URL:    https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY
    Identifier:     dev01.got-dev.ligenius.app
    Initial State:  valid
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXX
    Wildcard:       false
  Certificate:   XXXXXXX
  Finalize URL:  https://acme-v02.api.letsencrypt.org/acme/finalize/YYY/ZZZ
  State:         valid
  URL:           https://acme-v02.api.letsencrypt.org/acme/order/YYY/ZZZ
Events:  <none>
kubectl get challenges --all-namespaces
No resources found
Is it OK that the challenge doesn't exist?
Update 1
Ingress definition
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: XXX-chart
  labels:
    helm.sh/chart: xxx-chart-0.1.0
    app.kubernetes.io/name: xxx-chart
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - "my.app.com"
      secretName: tls-secret
  rules:
    - host: "my.app.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: "yyy-svc"
                port:
                  number: 80
          - ... more path definition
curl -k https://my.app.com/
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
It looks like ingress-nginx returns its default 404 page, but that shouldn't matter for certificate installation. The yyy-svc and other services are up and running.
Kubernetes server 1.22.6
ingress-nginx/controller v1.3.1
cert-manager v1.9.1
Any thoughts on what is misconfigured? Earlier it worked with cert-manager v0.16.1; after upgrading to 1.9.1 and solving https://github.com/cert-manager/cert-manager/issues/3501 it doesn't work anymore.
I found the issue. In the Ingress the annotation kubernetes.io/ingress.class: nginx
was missing. I removed it some time ago because of some changes in the cluster, and now it's needed again.
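A small lint for the failure mode in this thread, written as an added example rather than code from the question or from cert-manager: it takes an Ingress as a dict (the shape of `kubectl get ingress -o json`) and flags the case where cert-manager has a TLS block to act on but no ingress class tells the nginx controller to serve the Ingress, which is exactly when browsers see the controller's fake certificate. The sample manifest is constructed from the question; the function names and the assumption that the controller is not run with a watch-all-classes flag are mine.

```python
import copy

CLASS_ANNOTATION = "kubernetes.io/ingress.class"   # legacy way to pick the controller


def check_ingress(ingress: dict, expected_class: str = "nginx") -> list[str]:
    """Return human-readable findings for an Ingress dict; empty list means nothing found."""
    findings = []
    spec = ingress.get("spec") or {}
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}

    # Either spec.ingressClassName (networking.k8s.io/v1) or the legacy annotation must
    # name the controller; otherwise ingress-nginx (unless told to watch class-less
    # Ingresses) never serves it, and TLS clients get its default fake certificate
    # even though cert-manager has put the real one into the secret.
    ingress_class = spec.get("ingressClassName") or annotations.get(CLASS_ANNOTATION)
    if ingress_class is None:
        findings.append("no ingress class set (spec.ingressClassName or "
                        f"{CLASS_ANNOTATION}); the {expected_class} controller ignores this Ingress")

    # cert-manager issues only for hosts under spec.tls, storing the cert in secretName.
    tls = spec.get("tls") or []
    tls_hosts = {host for entry in tls for host in entry.get("hosts", [])}
    for entry in tls:
        if not entry.get("secretName"):
            findings.append(f"tls entry for {entry.get('hosts')} has no secretName")
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"rule host {host!r} is not covered by any spec.tls entry")
    return findings


# Constructed sample mirroring the Ingress from the question, class annotation absent.
BROKEN_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "XXX-chart",
                 "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
    "spec": {"tls": [{"hosts": ["my.app.com"], "secretName": "tls-secret"}],
             "rules": [{"host": "my.app.com", "http": {"paths": [{"path": "/", "pathType": "Prefix",
                        "backend": {"service": {"name": "yyy-svc", "port": {"number": 80}}}}]}}]},
}


def with_class_annotation(ingress: dict, cls: str = "nginx") -> dict:
    fixed = copy.deepcopy(ingress)           # do not mutate the caller's manifest
    fixed["metadata"].setdefault("annotations", {})[CLASS_ANNOTATION] = cls
    return fixed


if __name__ == "__main__":
    for finding in check_ingress(BROKEN_INGRESS):
        print("BROKEN:", finding)
    print("FIXED:", check_ingress(with_class_annotation(BROKEN_INGRESS)) or "no findings")
```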