I want to set up a wildcard domain certificate on a Kubernetes cluster.
I got a crt/key pair and an intermediate crt from my CA.
I've created a Secret referencing the crt/key pair (I've tried with and without the intermediate crt):
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  name: wildcard-key-pair
type: kubernetes.io/tls
Then I've created a Certificate and the related Issuer using cert-manager, following their documentation at https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: wildcard-issuer
  namespace: default
spec:
  ca:
    secretName: wildcard-key-pair
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard
  namespace: default
spec:
  secretName: wildcard-tls-secret
  dnsNames:
  - '*.example.com'
  - example.com
  commonName: '*.example.com'
  organization:
  - example
  issuerRef:
    name: wildcard-issuer
    kind: Issuer
But when I describe my certificate using kubectl, I get the following error:
Error getting keypair for CA issuer: certificate is not a CA
I'm kind of confused about the whole process of getting my wildcard DNS working on my Kubernetes cluster, so if you have any idea that could point me in the right direction, don't hesitate to share your thoughts.
As @johnharris85 mentioned, make sure your certificate has the CA flag set to true if you are using your own. You can check it via
$ openssl x509 -text -noout -in ca.crt | grep "CA:"
Output should be CA:TRUE.
Hope it helps!
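As an added example that is not part of the original answer, a shell pre-flight check for the tls.crt/tls.key pair you put in the Secret that a cert-manager CA Issuer references: it confirms the certificate carries basicConstraints CA:TRUE (what the "certificate is not a CA" error is complaining about) and that the private key actually belongs to that certificate. The function names and the throwaway demo certificates are constructed for this example, not taken from the question.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the tls.crt/tls.key pair that backs a cert-manager
# CA Issuer Secret. Function names here are this example's own, not cert-manager's.
set -u

# check_ca_material <cert.pem> <key.pem>
# Returns 0 only when the certificate is a CA (basicConstraints CA:TRUE) and the key matches it.
check_ca_material() {
  local crt="$1" key="$2"
  # 1. A CA Issuer signs with this certificate, so it must be flagged as a CA.
  #    A wildcard leaf certificate issued to you by your CA fails this test.
  if ! openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "FAIL: $crt is not a CA certificate (basicConstraints lacks CA:TRUE)" >&2
    return 1
  fi
  # 2. The private key must belong to the certificate: compare the two public keys.
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $crt" >&2
    return 1
  fi
  echo "OK: $crt is a CA certificate and $key matches it"
}

# make_demo_material <dir>
# Constructed throwaway material (not the asker's real files): a self-signed CA and a
# wildcard leaf certificate signed by it, shaped like the pair in the question.
make_demo_material() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 1 -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# Demo run: the CA pair passes; the leaf pair fails with the same root cause cert-manager
# reports as "certificate is not a CA".
demo_dir=$(mktemp -d)
make_demo_material "$demo_dir"
check_ca_material "$demo_dir/ca.crt" "$demo_dir/ca.key"
check_ca_material "$demo_dir/leaf.crt" "$demo_dir/leaf.key" || true
rm -rf "$demo_dir"
```

Run it against the real files before building the Secret: only the pair that passes both checks belongs in the secretName the CA Issuer points at, while the wildcard certificate your CA issued to you goes in the Certificate resource's own secret.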