0

I set up a prototype cluster in Azure Kubernetes Service to test the ability to configure HTTPS ingress with cert-manager. I was able to make everything work, and now I'm ready to set up my production environment.

The problem is I used the subdomain name I needed (sub.domain.com) on the prototype and now I can't seem to make Let's Encrypt give a certificate to the production cluster.

I'm still very new to Kubernetes and I can't seem to find a way to export or move the certificate from one to the other.

Update:

It appears that the solution provided below would have worked, but it came down to needing to suspend/turn off the prototype's virtual machine. Within a couple of minutes the production environment picked up the certificate.

4c74356b41
Ian
  • You shouldn't need to move the certificate; if you have updated the DNS entries correctly to point at the new cluster, you should be able to get a new certificate. More information about your configuration would be useful. – Marcus Jan 16 '19 at 17:12
  • @Marcus I tried that, I gave it over an hour and I continually received certificate issues from the browser. If I look at my running pods, I have a pod called `cm-acme-http-solver` that has been running since I started the cluster. I'm guessing this is cert-manager trying to get a certificate, but it never seems to go through. – Ian Jan 16 '19 at 17:17

1 Answer

1

You can just do something like:

```
kubectl get secret -o yaml
```

and just copy/paste your certificate secret to a new cluster, or use something like Heptio Ark to do backup/restore.

P.S. I don't know why it wouldn't let you create a new cert; at worst you would need to wait 7 days for your rate limit to refresh.

4c74356b41
  • I've wondered if it's because both are currently online, but I don't know how the Let's Encrypt service works underneath it all. I'll try copying the secret and see where that gets me. – Ian Jan 16 '19 at 17:19
  • I tried that and gave it about an hour or so to sort itself out. Unfortunately, it's a micro-service our developers are working with quite a bit, so I can't take it down for a long time. I'll try making the change overnight and see if I can resolve it that way. I'm just a little nervous now about copying the secret since there are a lot of workarounds I had to come up with on my way to get the prototype cluster working in the first place. – Ian Jan 16 '19 at 17:29
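
The copy described in the answer, written out as an added example (not part of the original answer or comments): export the TLS secret from the old cluster, strip the fields that only identify it there, and apply it to the new cluster. The kubectl context names, namespace and secret name are placeholders, the sample manifest is constructed, and the secret name is assumed to match what the Ingress in the new cluster references.

```shell
#!/usr/bin/env bash
# Added example; context, namespace and secret names are placeholders.

# Drop metadata that belongs to the source cluster (uid, resourceVersion,
# ownerReferences, ...) from `kubectl get secret NAME -o yaml` output.
strip_cluster_metadata() {
  awk '
    /^[A-Za-z]/ { in_meta = ($0 ~ /^metadata:/); skip = 0 }
    in_meta && /^  (uid|resourceVersion|creationTimestamp|selfLink|generation):/ { skip = 0; next }
    in_meta && /^  (ownerReferences|managedFields):/ { skip = 1; next }
    skip && /^  [A-Za-z]/ { skip = 0 }   # next metadata key ends the dropped block
    skip { next }
    { print }
  '
}

# Constructed sample of an exported TLS secret (values are dummies).
sample_secret() {
  cat <<'EOF'
apiVersion: v1
data:
  tls.crt: Q09OU1RSVUNURUQ=
  tls.key: Q09OU1RSVUNURUQ=
kind: Secret
metadata:
  creationTimestamp: "2019-01-16T17:00:00Z"
  name: sub-domain-com-tls
  namespace: default
  ownerReferences:
  - apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    uid: 00000000-0000-0000-0000-000000000001
  resourceVersion: "12345"
  uid: 00000000-0000-0000-0000-000000000002
type: kubernetes.io/tls
EOF
}

# Export from the old cluster, clean, apply to the new one.
copy_tls_secret() {  # usage: copy_tls_secret SRC_CTX DST_CTX NAMESPACE SECRET
  kubectl --context "$1" -n "$3" get secret "$4" -o yaml \
    | strip_cluster_metadata \
    | kubectl --context "$2" -n "$3" apply -f -
}

# Confirm what landed: subject and expiry of the copied certificate.
show_cert() {  # usage: show_cert CTX NAMESPACE SECRET
  kubectl --context "$1" -n "$2" get secret "$3" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -enddate
}
```

The secret holds the certificate's private key, so piping between the two `kubectl` calls keeps it from being left in a file on disk or in a paste buffer.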