Custom Domain on Azure Kubernetes with Ambassador API Gateway

10/20/2018

I am trying to configure an Ambassador Gateway on Kubernetes with Letsencrypt & cert-manager on Azure.

I am receiving the following errors in the cert-manager logs -

Error getting certificate 'ambassador-certs': secret "ambassador-certs" not found
certificates controller: Re-queuing item "default/<certificate-name>" due to error processing: http-01 self check failed for domain "<certificate-name>"

If I then create the secret in Kubernetes called ambassador-certs it starts to log the following -

Re-queuing item "default/<certificate-name>" due to error processing: no data for "tls.crt" in secret 'default/ambassador-certs'

My configuration is as follows -

Kubernetes Secret

apiVersion: v1
kind: Secret
metadata:
 name: ambassador-certs
 namespace: default
type: Opaque

Kubernetes Certificate

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: <name>
spec:
  secretName: ambassador-certs
  commonName: <domain-name>
  dnsNames:
  - <domain-name>
  acme:
    config:
    - http01:
        ingressClass: nginx   # ingressClass belongs under http01
      domains:                # domains is part of the same config entry
      - <domain-name>
  issuerRef:                  # issuerRef is a field of spec, not top level
    name: letsencrypt-prod
    kind: ClusterIssuer

Kubernetes ClusterIssuer

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

I installed Ambassador as directed from their site -

kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-rbac.yaml

When I tried this with an Ingress Controller the certificates were created and added to the secrets successfully. What am I missing with Ambassador please?

Finally, according to the Ambassador website this is all I need to do

Certificate Manager

Jetstack's cert-manager lets you easily provision and manage TLS certificates on Kubernetes. No special configuration is required to use Ambassador with cert-manager.

Once cert-manager is running and you have successfully created the issuer, you can request a certificate such as the following:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cloud-foo-com
  namespace: default
spec:
  secretName: ambassador-certs
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: cloud.foo.com
  dnsNames:
  - cloud.foo.com
  acme:
    config:
    - dns01:
        provider: clouddns
      domains:
      - cloud.foo.com

Note the secretName line above. When the certificate has been stored in the secret, restart Ambassador to pick up the new certificate.

Thank you. Slowly dying inside trying to resolve this :-)

EDIT

I deleted everything and reconfigured firstly with Ambassador using http. That worked. I was able to browse to my httpbin.org route over http successfully. I then switched to port 443 on the Ambassador Service yaml and re-applied all as above.

This is still being logged in the cert-manager logs

Re-queuing item "default/<certificate-name>" due to error processing: no data for "tls.crt" in secret 'default/ambassador-certs'

kubectl describe secret ambassador-certs

Name:         ambassador-certs
Namespace:    default
Labels:       <none>
Annotations:
Type:         Opaque

Data
====
-- Koman
Tags: azure, kubernetes, ssl

1 Answer

5/6/2019

This basically means that the challenge failed.

-- I.Tyger
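The "http-01 self check failed" line in the question's logs is cert-manager fetching http://<domain>/.well-known/acme-challenge/<token> itself, before it asks Let's Encrypt to, and expecting the body to equal the key authorization. The Python below is an added example, not code from the question, the answer or cert-manager: it mimics that self check against a stand-in solver served on localhost with constructed token and key-authorization values, so the three ways it fails (unreachable, 404 because nothing routes the path, wrong body from another backend) can be told apart.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"
# Constructed sample values; real ones come from the ACME order's challenge.
TOKEN = "sampletoken123"
KEY_AUTH = TOKEN + ".samplethumbprint"


def http01_self_check(base_url, token, key_authorization, timeout=3):
    """Mimic cert-manager's self check: GET the challenge URL, compare the body."""
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return False, "HTTP %d from %s" % (e.code, url)   # nothing routes the path
    except (urllib.error.URLError, OSError) as e:
        return False, "unreachable: %s" % e                # DNS / LB / port problem
    if body != key_authorization:
        return False, "wrong body %r" % body               # some other backend answered
    return True, "ok"


class _SolverHandler(BaseHTTPRequestHandler):
    """Stand-in for the solver pod: serves the one sample token, 404 otherwise."""
    def do_GET(self):
        ok = self.path == CHALLENGE_PATH + TOKEN
        self.send_response(200 if ok else 404)
        self.end_headers()
        if ok:
            self.wfile.write(KEY_AUTH.encode())

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_solver():
    """Start the stand-in solver on a free localhost port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _SolverHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    base = start_solver()
    print(http01_self_check(base, TOKEN, KEY_AUTH))        # (True, 'ok')
    print(http01_self_check(base, "unrouted", KEY_AUTH))   # (False, 'HTTP 404 ...')
```

Against a real cluster the same check is pointing your browser or curl at the challenge URL on the public hostname; if it does not answer with the key authorization, the issuer can never validate, whatever the Certificate or Secret objects look like.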
Source: StackOverflow