Let's encrypt on GKE with Cert-manager : Invalid certificate

3/27/2019

I am trying to get Let's Encrypt to work with cert-manager on GKE. I have followed the following procedure:

Install the CustomResourceDefinition resources separately

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

Create the namespace for cert-manager

kubectl create namespace cert-manager

Label the cert-manager namespace to disable resource validation

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

Add the Jetstack Helm repository

helm repo add jetstack https://charts.jetstack.io

Update your local Helm chart repository cache

helm repo update

Install the cert-manager Helm chart

helm install \
 --name cert-manager \
 --namespace cert-manager \
 --version v0.7.0 \
 jetstack/cert-manager

This results in (in the cert-manager namespace)

kubectl -n cert-manager get all

NAME                                           READY     STATUS    
RESTARTS   AGE
pod/cert-manager-6d8fc95f98-57c55              1/1       Running   0          26m
pod/cert-manager-cainjector-7c789f4fcc-jdqfs   1/1       Running   0          26m
pod/cert-manager-webhook-86bc6ff498-kcxj8      1/1       Running   0          26m

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   
PORT(S)   AGE
service/cert-manager-webhook   ClusterIP   10.39.251.139   <none>        443/TCP   26m

...

kubectl -n cert-manager get secrets
NAME                                  TYPE                                  DATA      AGE
cert-manager-cainjector-token-mvmsx   kubernetes.io/service-account-token   3         30m
cert-manager-token-gk2sp              kubernetes.io/service-account-token   3         30m
cert-manager-webhook-ca               kubernetes.io/tls                     3         30m
cert-manager-webhook-token-6l6k7      kubernetes.io/service-account-token   3         30m
cert-manager-webhook-webhook-tls      kubernetes.io/tls                     3         30m
default-token-rx6sp                   kubernetes.io/service-account-token   3         30m
letsencrypt-prod                      Opaque                                1         30m

Afterwards I install the webapp (in default) and (also in default) issuer.yml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'me@me.com'
    privateKeySecretRef:
      name: letsencrypt-prod
    https01: {}

and certificate.yml

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: test-tls
spec:
  secretName: test-me
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: test.me
  dnsNames:
    - test.me
    - www.test.me
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - test.me
          - www.test.me

Here, I seem to be having an issue as I get:

...
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  test-me
Status:
  Conditions:
    Last Transition Time:  2019-03-27T16:35:40Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type     Reason              Age              From          Message
  ----     ------              ----             ----          -------
  Warning  IssuerNotFound      4m (x2 over 4m)  cert-manager  clusterissuer.certmanager.k8s.io "letsencrypt-prod" not found
  Warning  IssuerNotReady      4m               cert-manager  Issuer letsencrypt-prod not ready
  Normal   Generated           4m               cert-manager  Generated new private key
  Normal   GenerateSelfSigned  4m               cert-manager  Generated temporary self signed certificate
  Normal   OrderCreated        4m               cert-manager  Created Order resource "test-me-tls-202592384"

It does move beyond this. No certificate gets verified...

Ingress looks like

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - test.me
        - www.test.me
      secretName: test-me
  rules:
    - host: test.me
      http:
        paths:
          - path: /
            backend:
              serviceName: web-cluster-ip-service
              servicePort: 80
    - host: www.test.me
      http:
        paths:
          - path: /
            backend:
              serviceName: web-cluster-ip-service
              servicePort: 80

In the end my site remains insecure with a invalid certificate.

Issued to:

Common Name (CN)    test.me
Organization (O)    cert-manager
Organizational Unit (OU)    <Not Part Of Certificate>

Issued by: Common Name (CN) cert-manager.local Organization (O) cert-manager Organizational Unit (OU)

What am I missing that the certificate is not valid.

-- Mike
cert-manager
google-kubernetes-engine
lets-encrypt
nginx-ingress
ssl

1 Answer

3/27/2019

https01 (in issuer.yml) is a typo: this should have been http01

-- Mike
Source: StackOverflow