Cert-Manager Certificate Renewal process - How it is performed?


I am using cert-manager-v0.10.0 installed from its helm chart

I am using kong like ingress controller to manage the ingress operations.

So I have created a ClusterIssuer resource in order it could be contacted from an Ingress resource via kong-ingress controller.

The ClusterIssuer is this:

   apiVersion: certmanager.k8s.io/v1alpha1
   kind: ClusterIssuer
     name: letsencrypt-prod
       # The ACME server URL
       server: https://acme-v02.api.letsencrypt.org/directory
       # Email address used for ACME registration
       email: username@mydomain.org
       # Name of a secret used to store the ACME account private key
         name: letsencrypt-prod
       # Enable the HTTP-01 challenge provider
       - http01:
             class: kong

The ingress resource that I am using is this.

You can see here, that I am pointing it to the ClusterIssuer created previously and also I am pointing it to kong as an ingress controller, according to the kubernetes.io/ingress.class: "kong" annotation included there:

apiVersion: extensions/v1beta1
kind: Ingress
    # add an annotation indicating the issuer to use.
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # letsencrypt-staging
    kubernetes.io/ingress.class: "kong"
    plugins.konghq.com: swaggerapi-customer-production-basic-auth, swaggerapi-customer-production-acl
  name: production-customer-ingress-app
  # namespace: default
  - host: appprod.mydomain.org
      - backend:
          serviceName: customer-production-app
          servicePort: 80
        path: /comcustomerpr
  tls: # < placing a host in the TLS config will indicate a cert should be created
  - hosts:
    - appprod.mydomain.org
    secretName: letsencrypt-prod # < cert-manager will store the created certificate in this secret.

So, when I create the Ingress resource above, the secretName referenced above in my ingress is created and also a certificate resource with the same name ... that is letsencrypt-prod.

It will be the certificate resource which receive the LetsEncrypt validation successful process ...

I got TLS encryption and everything is OK here.

But now, I want to know how will be the renewal process. Because I am pretty sure at the moment this renewal certificate process it does not to happen automatically ...

I was reading something here https://docs.cert-manager.io/en/latest/reference/certificates.html?highlight=renewal#certificate-duration-and-renewal-window and this documentation says that is necessary attach to the certificate resource created (kind:Certificate) the spec.duration and spec.renewBefore attributes of this way

  secretName: example-tls
  duration: 24h
  renewBefore: 12h

If my certificate issued by LetsEncrypt has a 90 days as a default duration, how can I specify these spec.duration and spec.renewBefore attributes?

I want to get into in this concern, because my main question is I am not creating the certificate, it is created when the Ingress resource (above referenced) is executed.

How can I address the renewal process here with this approach that I am doing?


Do I need to create a specific kind:Certificate resource, referencing the secret that I got from LetsEncrypt?

I mean, something like this?

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
  name: letsencrypt-prod
  secretName: letsencrypt-prod
  - mydomain.com
    - http01:
        ingressClass: kong
      - mydomain.com
    name: letsencrypt-prod
    kind: ClusterIssuer

I have the doubt here, because currently I am not getting the certificate renewal action

-- bgarcial

1 Answer


since you have used the letsencrypt-prod issuer, and haven't done anything special/non-standard, the certificate renewal process will be completely automatic for you.

By default the letsencrypt certificates are valid fro 90-days, and renewed automatically every 30-days. If you don't have some strict requirements to use purchased certificates, or use some other specific Certificate Authority, this is a great option to use.

If you still have doubts then you can do the following to see for yourself. First decode the current certificates secret data and inspect the certificate contents with the openssl command. You'll be able to see the certificate expiry date, and make a note of that. Now if you subtract 59-days from that expiry date that should give you roughly the date that cert-manager will attempt to renew the certificate on. I add an extra day just to be safe we aren't too early. Then on that date repeat this process again; decoding the certificate secret, inspecting the certificate with the openssl command, and checking the certificate expiry date. You'll notice the expiry date for the certificate is different than before, hence it's was automatically renewed as we expected.

Hope this helps.

-- cewood
Source: StackOverflow