Cannot obtain letsencrypt certificate with ClusterIssuer
Hello,
I’ve created brand new cluster to deploy some node.js services. I followed up on the following tutorial:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-on-digitalocean-kubernetes-using-helm
Unfortunately I have some issues with “Step 4 — Securing the Ingress Using Cert-Manager”.
What I did
I’ve manually applied CRD’s, Jetstack Helm repository and installed cert-manager as proposed in the article.
Then I defined:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: x.y@gmail.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
http01: {}
and created cluster issuer. Here are the results:
x@y-pc:~/x/y/z$ kubectl create -f production_issuer.yaml
clusterissuer.certmanager.k8s.io/letsencrypt-prod created
x@y-pc:~/x/y/z$ kubectl describe clusterissuers letsencrypt-prod
Name: letsencrypt-prod
Namespace:
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2019-11-06T21:54:43Z
Generation: 1
Resource Version: 2797607
Self Link: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
UID: d71fc683-a..3-4..f-92d5-ff........20
Spec:
Acme:
Email: x.y@gmail.com
http01:
Private Key Secret Ref:
Name: letsencrypt-prod
Server: https://acme-v02.api.letsencrypt.org/directory
Events: <none>
So far so good.
Then I defined:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: node-test-app
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- node-test-app.x.y.z.pl
secretName: letsencrypt-prod
rules:
- host: node-test-app.x.y.z.pl
http:
paths:
- backend:
serviceName: node-test-app
servicePort: 80
and created (updated) my ingress with the results:
x@y-pc:~/x/y/z$ kubectl apply -f ingress.yaml --namespace=playground
ingress.extensions/node-test-app created
The problem
I cannot obtain the certificate:
x@y-pc:~/x/y/z$ kubectl describe certificate letsencrypt-prod
Error from server (NotFound): certificates.certmanager.k8s.io "letsencrypt-prod" not found
x@y-pc:~/x/y/z$ kubectl get ingress --namespace=playground
NAME HOSTS ADDRESS PORTS AGE
node-test-app node-test-app.x.y.z.pl 67.207.x.y 80, 443 2m44s
x@y-pc:~/x/y/z$ kubectl get ingress node-test-app -o yaml --namespace=playground
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"node-test-app","namespace":"playground"},"spec":{"rules":[{"host":"node-test-app.x.y.z.pl","http":{"paths":[{"backend":{"serviceName":"node-test-app","servicePort":80}}]}}],"tls":[{"hosts":["node-test-app.x.y.z.pl"],"secretName":"letsencrypt-prod"}]}}
kubernetes.io/ingress.class: nginx
creationTimestamp: "2019-11-06T22:02:08Z"
generation: 1
name: node-test-app
namespace: playground
resourceVersion: "2798216"
selfLink: /apis/extensions/v1beta1/namespaces/playground/ingresses/node-test-app
uid: 5d33088a-2d10-x-y-z
spec:
rules:
- host: node-test-app.x.y.z.pl
http:
paths:
- backend:
serviceName: node-test-app
servicePort: 80
tls:
- hosts:
- node-test-app.x.y.z.pl
secretName: letsencrypt-prod
status:
loadBalancer:
ingress:
- ip: 67.207.x.y
x@y-pc:~/x/y/z$ kubectl describe ingress node-test-app --namespace=playground
Name: node-test-app
Namespace: playground
Address: 67.207.x.y
Default backend: default-http-backend:80 (<none>)
TLS:
letsencrypt-prod terminates node-test-app.x.y.z.pl
Rules:
Host Path Backends
---- ---- --------
node-test-app.x.y.x.pl
node-test-app:80 (10.244.x.y:3000)
Annotations:
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"node-test-app","namespace":"playground"},"spec":{"rules":[{"host":"node-test-app.x.y.z.pl","http":{"paths":[{"backend":{"serviceName":"node-test-app","servicePort":80}}]}}],"tls":[{"hosts":["node-test-app.x.y.z.pl"],"secretName":"letsencrypt-prod"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 5m26s nginx-ingress-controller Ingress playground/node-test-app
Normal UPDATE 4m34s nginx-ingress-controller Ingress playground/node-test-app
x@y-pc:~/x/y/z$ kubectl get certificates --namespace=playground
No resources found in playground namespace.
Can you help me tackle that issue? Where should I start with debugging?
Sign In to Comment