Hello, I’ve created brand new cluster to deploy some node.js services. I followed up on the following tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-on-digitalocean-kubernetes-using-helm
Unfortunately I have some issues with “Step 4 — Securing the Ingress Using Cert-Manager”.
What I did
I’ve manually applied CRD’s, Jetstack Helm repository and installed cert-manager as proposed in the article.
Then I defined:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: x.y@gmail.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
http01: {}
and created cluster issuer. Here are the results:
x@y-pc:~/x/y/z$ kubectl create -f production_issuer.yaml
clusterissuer.certmanager.k8s.io/letsencrypt-prod created
x@y-pc:~/x/y/z$ kubectl describe clusterissuers letsencrypt-prod
Name: letsencrypt-prod
Namespace:
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2019-11-06T21:54:43Z
Generation: 1
Resource Version: 2797607
Self Link: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
UID: d71fc683-a..3-4..f-92d5-ff........20
Spec:
Acme:
Email: x.y@gmail.com
http01:
Private Key Secret Ref:
Name: letsencrypt-prod
Server: https://acme-v02.api.letsencrypt.org/directory
Events: <none>
So far so good. Then I defined:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: node-test-app
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- node-test-app.x.y.z.pl
secretName: letsencrypt-prod
rules:
- host: node-test-app.x.y.z.pl
http:
paths:
- backend:
serviceName: node-test-app
servicePort: 80
and created (updated) my ingress with the results:
x@y-pc:~/x/y/z$ kubectl apply -f ingress.yaml --namespace=playground
ingress.extensions/node-test-app created
The problem
I cannot obtain the certificate:
x@y-pc:~/x/y/z$ kubectl describe certificate letsencrypt-prod
Error from server (NotFound): certificates.certmanager.k8s.io "letsencrypt-prod" not found
x@y-pc:~/x/y/z$ kubectl get ingress --namespace=playground
NAME HOSTS ADDRESS PORTS AGE
node-test-app node-test-app.x.y.z.pl 67.207.x.y 80, 443 2m44s
x@y-pc:~/x/y/z$ kubectl get ingress node-test-app -o yaml --namespace=playground
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"node-test-app","namespace":"playground"},"spec":{"rules":[{"host":"node-test-app.x.y.z.pl","http":{"paths":[{"backend":{"serviceName":"node-test-app","servicePort":80}}]}}],"tls":[{"hosts":["node-test-app.x.y.z.pl"],"secretName":"letsencrypt-prod"}]}}
kubernetes.io/ingress.class: nginx
creationTimestamp: "2019-11-06T22:02:08Z"
generation: 1
name: node-test-app
namespace: playground
resourceVersion: "2798216"
selfLink: /apis/extensions/v1beta1/namespaces/playground/ingresses/node-test-app
uid: 5d33088a-2d10-x-y-z
spec:
rules:
- host: node-test-app.x.y.z.pl
http:
paths:
- backend:
serviceName: node-test-app
servicePort: 80
tls:
- hosts:
- node-test-app.x.y.z.pl
secretName: letsencrypt-prod
status:
loadBalancer:
ingress:
- ip: 67.207.x.y
x@y-pc:~/x/y/z$ kubectl describe ingress node-test-app --namespace=playground
Name: node-test-app
Namespace: playground
Address: 67.207.x.y
Default backend: default-http-backend:80 (<none>)
TLS:
letsencrypt-prod terminates node-test-app.x.y.z.pl
Rules:
Host Path Backends
---- ---- --------
node-test-app.x.y.x.pl
node-test-app:80 (10.244.x.y:3000)
Annotations:
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"node-test-app","namespace":"playground"},"spec":{"rules":[{"host":"node-test-app.x.y.z.pl","http":{"paths":[{"backend":{"serviceName":"node-test-app","servicePort":80}}]}}],"tls":[{"hosts":["node-test-app.x.y.z.pl"],"secretName":"letsencrypt-prod"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 5m26s nginx-ingress-controller Ingress playground/node-test-app
Normal UPDATE 4m34s nginx-ingress-controller Ingress playground/node-test-app
x@y-pc:~/x/y/z$ kubectl get certificates --namespace=playground
No resources found in playground namespace.
Can you help me tackle that issue? Where should I start with debugging?
Subscribe
Share
Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign in to AnswerThese answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Basically I was using outdated version of cert-manager. Article mentioned above should be updated and that link should be changed:
At the moment of writing that comment release 1.1 was available.
On the other hand I still have another problems with my certificate. After I run
I got the following results:
Everything seems to be fine, but my page still does not have certificate and I still see the warning about missing certificate in the web browser.
Any help would be still appreciated!
PS. If anyone of you have any problems with cert-manager I strongly recommend to check logs of cert-manager.
kubectl get pods -n cert-managerand then using results of that command: ```kubectl logs cert-manager-XXX -n cert-manager``