Kubernetes Certificate not creating for cert-manager

11/9/2019

I am unable to create a certificate using cert-manager.

I am following this guide https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html

This works:

antonswanevelder$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-69b4f77ffc-4296b              1/1     Running   0          9m5s
cert-manager-cainjector-576978ffc8-2mxz6   1/1     Running   0          2d13h
cert-manager-webhook-c67fbc858-sdjff       1/1     Running   1          2d13h

But running the test

kubectl describe certificate -n cert-manager-test

Produces nothing.

Any ideas how I can troubleshoot this?

-- Anton Swanevelder
cert-manager
kubernetes-ingress

1 Answer

11/11/2019

Re-creating the K8s cluster and following the steps in the cert-manager page above worked. One major mistake I made was referencing the wrong namespace in my Ingress.

Please note: make use of cert-manager.io/cluster-issuer

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: letsencrypt-prod

Also note the slight variation in apiVersion and solvers when using v11 of cert-manager.

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: youremail@domain.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

Lastly, it might be worth noting that Let's Encrypt needs to point to a valid page in order to serve the certificate. Make sure your domain is pointed correctly and that a page is served at the root of that domain. There is a rate limiter on prod, so it is best to work with the staging issuer until a certificate is served. If you run the command below, it should show CertificateCreated.

kubectl describe ingress
-- Anton Swanevelder
Source: StackOverflow
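
The namespace and issuer mix-ups described in the answer can be checked offline from a JSON dump of the cluster. This is an added example, not code from the original post or from cert-manager. It relies on cert-manager creating the Certificate for an annotated Ingress in that Ingress's own namespace; the helper name `audit` and all sample resources are made up for illustration.

```python
import json

# Constructed sample shaped like `kubectl get ingress,clusterissuer,certificate
# --all-namespaces -o json`; every name, namespace and host here is made up.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
  "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}}},
 {"kind": "Ingress",
  "metadata": {"name": "web", "namespace": "default",
   "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
  "spec": {"tls": [{"hosts": ["example.test"], "secretName": "web-tls"}]}},
 {"kind": "Ingress",
  "metadata": {"name": "api", "namespace": "default",
   "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-staging"}},
  "spec": {"tls": [{"hosts": ["api.example.test"], "secretName": "api-tls"}]}},
 {"kind": "Certificate",
  "metadata": {"name": "web-tls", "namespace": "cert-manager-test"},
  "spec": {"secretName": "web-tls"}}
]}
""")
ANNOTATION = "cert-manager.io/cluster-issuer"

def audit(resource_list):  # hypothetical helper name
    """Return (ingress, finding) pairs: unknown issuer or no Certificate in the namespace."""
    items = resource_list["items"]
    issuers = {i["metadata"]["name"] for i in items if i["kind"] == "ClusterIssuer"}
    certs = {}  # Certificate target secret name -> namespaces it exists in
    for c in (i for i in items if i["kind"] == "Certificate"):
        certs.setdefault(c["spec"]["secretName"], set()).add(c["metadata"]["namespace"])
    findings = []
    for ing in (i for i in items if i["kind"] == "Ingress"):
        meta = ing["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        issuer = meta.get("annotations", {}).get(ANNOTATION)
        if issuer is None:
            continue  # not managed through this annotation
        if issuer not in issuers:
            findings.append((ref, f"ClusterIssuer {issuer!r} does not exist"))
        for tls in ing.get("spec", {}).get("tls", []):
            spaces = certs.get(tls.get("secretName"), set())
            if meta["namespace"] not in spaces:
                where = ", ".join(sorted(spaces)) or "no namespace"
                findings.append((ref, f"no Certificate for {tls.get('secretName')!r} "
                                      f"in {meta['namespace']} (found in: {where})"))
    return findings

if __name__ == "__main__":
    for ref, problem in audit(SAMPLE):
        print(f"{ref}: {problem}")
```

A Certificate reported as "found in" a different namespace than the Ingress is the situation where `kubectl describe certificate -n <namespace>` comes back empty for the namespace being inspected.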