
Microk8s/Kubernetes does not use the Let's Encrypt auto-generated certificate

Having the following k8s config:

---
kind: Namespace
apiVersion: v1
metadata:
  name: test
  labels:
    name: test

---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: test
  name: test-depl
spec:
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: test-app
          image: jfsanchez91/http-test-server

---
apiVersion: v1
kind: Service
metadata:
  namespace: test
  name: test-svc
spec:
  selector:
    app: test-app
  ports:
  - name: test-app
    protocol: TCP
    port: 80
    targetPort: 8090

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  namespace: test
  name: letsencrypt-cert-issuer-test-staging
spec:
  acme:
    email: email@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cert-issuer-test-staging
    solvers:
    - http01:
        ingress:
          class: public

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  namespace: test
  name: letsencrypt-cert-issuer-test-prod
spec:
  acme:
    email: email@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cert-issuer-test-prod
    solvers:
    - http01:
        ingress:
          class: public

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: test
  name: ingress-routes
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-cert-issuer-test-prod"
spec:
  tls:
  - hosts:
    - test.example.com
    secretName: tls-secret
  rules:
  - host: test.example.com
    http:
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: test-svc
              port:
                number: 80

The Let's Encrypt certificate is being issued and stored in tls-secret correctly. But then when I try to open test.example.com I get an invalid certificate (the K8s default certificate): NET::ERR_CERT_AUTHORITY_INVALID.

Common Name (CN):   Kubernetes Ingress Controller Fake Certificate
Organization (O):   Acme Co

Q: How can I configure Ingress correctly to use the Let's Encrypt certificate?

Q: Is there anything else I should configure?

UPDATE: tls-secret type (kubernetes.io/tls):

$ kubectl -n test describe secrets tls-secret
Name:         tls-secret
Namespace:    test
Labels:       <none>
Annotations:  cert-manager.io/alt-names: test.example.com
              cert-manager.io/certificate-name: tls-secret
              cert-manager.io/common-name: test.example.com
              cert-manager.io/ip-sans: 
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-cert-issuer-test-prod
              cert-manager.io/uri-sans: 

Type:  kubernetes.io/tls

Data
====
tls.key:  1679 bytes
tls.crt:  5599 bytes

I'd recommend setting the certificate yourself in order to have more control over which subdomains to include and the renewal policy.

kubectl -n $NAMESPACE apply -f certificate.yaml

For example, for a DNS zone hosted on Azure DNS:

#certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-wildcard
spec:
  duration: 2160h    # 90d
  renewBefore: 360h  # 15d: renew 15 days before expiry
  secretName: cert-wildcard  # the Ingress tls.secretName must reference this Secret
  issuerRef:         # from issuer.yaml
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: domain.com  # in the browser: go to the domain, open the certificate, Details, Common Name
  dnsNames:          # list of all the domains associated with the certificate
    - domain.com
    - sub.domain.com
  # In cert-manager.io/v1 the dns01 solver (here azureDNS) is configured under spec.acme.solvers
  # of the ClusterIssuer referenced above, not on the Certificate; the old spec.acme.config block
  # is not accepted by the v1 API.
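Whether you keep the Ingress-annotation flow from the question or the explicit Certificate above, the thing to verify is the same: is the leaf the ingress presents for the host the one stored in the Secret, or the controller's "Kubernetes Ingress Controller Fake Certificate"? The script below is an added example, not code from the original post; it compares the two by SHA-256 fingerprint and flags the ingress-nginx default certificate. It assumes kubectl access and network reachability of the ingress, uses the question's host, namespace and secret names, and the sample Secret embedded for offline use is constructed, not real certificate data.

```python
"""Added example (not from the original post): check that the ingress presents the leaf
stored in the cert-manager Secret. Assumes kubectl access; values are the question's."""
import base64, hashlib, json, socket, ssl, subprocess
FAKE_CN = b"Kubernetes Ingress Controller Fake Certificate"  # ingress-nginx default cert
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def split_pem_chain(bundle: str) -> list:
    """PEM blocks of tls.crt in order; cert-manager stores the leaf first."""
    blocks, cur = [], None
    for line in bundle.splitlines():
        if line == PEM_BEGIN:
            cur = [line]
        elif line == PEM_END and cur is not None:
            blocks.append("\n".join(cur + [line]) + "\n")
            cur = None
        elif cur is not None:
            cur.append(line)
    return blocks

def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def leaf_fingerprint_from_secret(secret_json: str) -> str:
    """SHA-256 of the leaf in a kubernetes.io/tls Secret (`kubectl get secret ... -o json`)."""
    bundle = base64.b64decode(json.loads(secret_json)["data"]["tls.crt"]).decode()
    return sha256_hex(ssl.PEM_cert_to_DER_cert(split_pem_chain(bundle)[0]))

def served_leaf_der(host: str, port: int = 443) -> bytes:
    ctx = ssl.create_default_context()  # verification off: only the raw bytes are compared
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI selects the Ingress host
            return tls.getpeercert(binary_form=True)

def looks_like_ingress_fake_cert(der: bytes) -> bool:
    """Heuristic: the default certificate's CN appears verbatim in the DER subject."""
    return FAKE_CN in der

# Constructed sample Secret for offline use; the "certificates" are placeholder bytes, not real DER.
SAMPLE_LEAF_DER, SAMPLE_CA_DER = b"constructed-leaf-der", b"constructed-issuer-der"
_pem = lambda der: f"{PEM_BEGIN}\n{base64.b64encode(der).decode()}\n{PEM_END}\n"
SAMPLE_BUNDLE = _pem(SAMPLE_LEAF_DER) + _pem(SAMPLE_CA_DER)
SAMPLE_SECRET_JSON = json.dumps({"type": "kubernetes.io/tls", "data": {
    "tls.crt": base64.b64encode(SAMPLE_BUNDLE.encode()).decode(),
    "tls.key": base64.b64encode(b"constructed-key").decode()}})
if __name__ == "__main__":  # live check: compare what the ingress serves with the Secret's leaf
    raw = subprocess.check_output(["kubectl", "-n", "test", "get", "secret", "tls-secret", "-o", "json"], text=True)
    served = served_leaf_der("test.example.com")
    print("secret leaf:", leaf_fingerprint_from_secret(raw), "served leaf:", sha256_hex(served),
          "ingress default fake cert:", looks_like_ingress_fake_cert(served))
```

A mismatch with the fake-cert flag set means the controller never attached the Secret to that host, so the Ingress (class, namespace, tls.secretName) is what to inspect rather than cert-manager.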
