I am trying to get Let's Encrypt to work with cert-manager on GKE. I have followed the following procedure:
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
--name cert-manager \
--namespace cert-manager \
--version v0.7.0 \
jetstack/cert-manager
This results in (in the cert-manager namespace)
kubectl -n cert-manager get all
NAME READY STATUS
RESTARTS AGE
pod/cert-manager-6d8fc95f98-57c55 1/1 Running 0 26m
pod/cert-manager-cainjector-7c789f4fcc-jdqfs 1/1 Running 0 26m
pod/cert-manager-webhook-86bc6ff498-kcxj8 1/1 Running 0 26m
NAME TYPE CLUSTER-IP EXTERNAL-IP
PORT(S) AGE
service/cert-manager-webhook ClusterIP 10.39.251.139 <none> 443/TCP 26m
...
kubectl -n cert-manager get secrets
NAME TYPE DATA AGE
cert-manager-cainjector-token-mvmsx kubernetes.io/service-account-token 3 30m
cert-manager-token-gk2sp kubernetes.io/service-account-token 3 30m
cert-manager-webhook-ca kubernetes.io/tls 3 30m
cert-manager-webhook-token-6l6k7 kubernetes.io/service-account-token 3 30m
cert-manager-webhook-webhook-tls kubernetes.io/tls 3 30m
default-token-rx6sp kubernetes.io/service-account-token 3 30m
letsencrypt-prod Opaque 1 30m
Afterwards I install the webapp (in default) and (also in default) issuer.yml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: 'me@me.com'
privateKeySecretRef:
name: letsencrypt-prod
https01: {}
and certificate.yml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-tls
spec:
secretName: test-me
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: test.me
dnsNames:
- test.me
- www.test.me
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.me
- www.test.me
Here, I seem to be having an issue as I get:
...
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Secret Name: test-me
Status:
Conditions:
Last Transition Time: 2019-03-27T16:35:40Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning IssuerNotFound 4m (x2 over 4m) cert-manager clusterissuer.certmanager.k8s.io "letsencrypt-prod" not found
Warning IssuerNotReady 4m cert-manager Issuer letsencrypt-prod not ready
Normal Generated 4m cert-manager Generated new private key
Normal GenerateSelfSigned 4m cert-manager Generated temporary self signed certificate
Normal OrderCreated 4m cert-manager Created Order resource "test-me-tls-202592384"
It does move beyond this. No certificate gets verified...
Ingress looks like
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/add-base-url: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- test.me
- www.test.me
secretName: test-me
rules:
- host: test.me
http:
paths:
- path: /
backend:
serviceName: web-cluster-ip-service
servicePort: 80
- host: www.test.me
http:
paths:
- path: /
backend:
serviceName: web-cluster-ip-service
servicePort: 80
In the end my site remains insecure with a invalid certificate.
Issued to:
Common Name (CN) test.me
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
Issued by: Common Name (CN) cert-manager.local Organization (O) cert-manager Organizational Unit (OU)
What am I missing that the certificate is not valid.
https01 (in issuer.yml) is a typo: this should have been http01