
I followed https://docs.cert-manager.io/en/venafi/tutorials/quick-start/index.html from start to end and everything seems to be working, except that I'm not getting an external IP for my ingress.

NAME                     HOSTS                                  ADDRESS   PORTS     AGE
staging-site-ingress   staging.site.io,staging.admin.site.io,             80, 443   1h

Although I'm able to use the nginx ingress controller's external IP and use DNS to access the sites. When I go to the URLs I'm redirected to HTTPS, so I assume that's working fine.

It redirects to HTTPS but still says "not secured", so it doesn't get a certificate issued.

When I'm debugging I get the following information:

Ingress:

Events:
  Type    Reason             Age                From                      Message
  ----    ------             ----               ----                      -------
  Normal  CreateCertificate  54m                cert-manager              Successfully created Certificate "tls-secret-staging"
  Normal  UPDATE             35m (x3 over 1h)   nginx-ingress-controller  Ingress staging/staging-site-ingress
  Normal  CreateCertificate  23m (x2 over 35m)  cert-manager              Successfully created Certificate "letsencrypt-staging-tls"

Certificate:

Status:
  Conditions:
    Last Transition Time:  2019-02-27T14:02:29Z
    Message:               Certificate does not exist
    Reason:                NotFound
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age               From          Message
  ----    ------        ----              ----          -------
  Normal  OrderCreated  3m (x2 over 14m)  cert-manager  Created Order resource "letsencrypt-staging-tls-593754378"

Secret:

Name:         letsencrypt-staging-tls
Namespace:    staging
Labels:       certmanager.k8s.io/certificate-name=staging-site-io
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1679 bytes

Order:

Status:
  Certificate:   <nil>
  Finalize URL:  
  Reason:        
  State:         
  URL:           
Events:          <none>

So it seems something goes wrong in order and no challenges are created.

Here are my ingress.yaml and issuer.yaml:

# ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: staging-site-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
  - hosts:
    - staging.site.io
    - staging.admin.site.io
    - staging.api.site.io
    secretName: letsencrypt-staging-tls
  rules:
    - host: staging.site.io
      http:
        paths:
          - backend:
              serviceName: frontend-service
              servicePort: 80
            path: /
    - host: staging.admin.site.io
      http:
        paths:
          - backend:
              serviceName: frontend-service
              servicePort: 80
            path: /
    - host: staging.api.site.io
      http:
        paths:
          - backend:
              serviceName: gateway-service
              servicePort: 9000
            path: /
---
# issuer.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: hello@site.io
    privateKeySecretRef:
      name: letsencrypt-staging-tls
    http01: {}

Does anyone know what I can do to fix this or what went wrong? cert-manager is installed 100% correctly, I'm just not sure about the ingress and what went wrong in the order.

Thanks in advance!

EDIT: I found this in the nginx-ingress-controller:

W0227 14:51:02.740081       8 controller.go:1078] Error getting SSL certificate "staging/letsencrypt-staging-tls": local SSL certificate staging/letsencrypt-staging-tls was not found. Using default certificate

It's getting spammed, and the CPU load is always at 0.003 and the CPU graph is full (the other services are almost nothing).

JC97
  • When using Nginx as an Ingress controller you access all your Ingress routes through the Nginx service's external IP. So "not getting an external ip for my ingress" is normal. What you're missing is creating a DNS entry on `*.site.io` pointing to the Nginx external IP. Of course you need to own "site.io". – Seboudry Feb 27 '19 at 15:02
  • That's not really the problem, because the nginx-ingress-controller has an external IP and when I create DNS entries with that IP, I can access the URLs perfectly, even with HTTPS, but on HTTPS I get the message that the connection is not secure. Site is just a placeholder, because I don't want to post the real URL here :) – JC97 Feb 27 '19 at 15:08
  • OK ;) Just seeing you can't use `letsencrypt-staging-tls` as the TLS secret on your ingress rules. It's the one used by the Let's Encrypt issuer. You can also see the logs of "challenge" pods or cert manager to grab some clues. – Seboudry Feb 27 '19 at 15:41
  • "Just seeing you can't use letsencrypt-staging-tls as the TLS secret on your ingress rules." Can you explain what you mean by this? And the challenge pods aren't there for some reason. – JC97 Feb 27 '19 at 16:16
  • If you pay attention to the quickstart files you'll notice a difference against yours. Especially the Ingress one. – Seboudry Mar 01 '19 at 15:59
  • I think there are many ways this can happen---I had this problem and it was that a secret was in the wrong namespace when I upgraded from 0.5 to 0.6. I found it in the cert-manager logs: `kubectl logs certmanager-12345 -n cert-manager`. – mikebridge Mar 07 '19 at 22:26

2 Answers


I stumbled over the same issue once, following exactly the same official tutorial. As @mikebridge mentioned, the issue is with Issuer/Secret's namespace mismatch.

For me, the best was to switch from Issuer to ClusterIssuer, which is not scoped to a single namespace.

Black_Bacardi
Nepomucen
  • Yes, for me the ClusterIssuer was also a solution, but I had to create a certificate manually as well. Once I 'forced' cert-manager to create a certificate, it was good to go and auto-created certificates as well. – JC97 Mar 11 '19 at 14:17
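The following manifests are an added example (not from the answer above or from the cert-manager project) of the ClusterIssuer setup this answer describes, combined with the two points raised in the comments: the ACME account-key secret (`privateKeySecretRef`) is given a name different from the Ingress TLS secret (in the question both are `letsencrypt-staging-tls`, and the dumped secret shows only `tls.key` populated, which is what the account key looks like), and a Certificate is created explicitly, as JC97 reports having to do. Assumptions: the `certmanager.k8s.io/v1alpha1` API group used by the question (current cert-manager releases use `cert-manager.io/v1` and the annotation `cert-manager.io/cluster-issuer`); the secret names `letsencrypt-staging-account-key` and `staging-site-io-tls` are placeholders chosen here; the Certificate is named after its `secretName` so that the ingress-shim, which creates Certificates under that name, finds the existing one instead of creating a duplicate.

```yaml
# ClusterIssuer is cluster-scoped: no metadata.namespace, and Ingresses in any
# namespace can reference it. API group as in the question (assumption: 0.6/0.7-era cert-manager).
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: hello@site.io
    # ACME account private key. Must be a different secret from the one the
    # Ingress serves TLS from. For a ClusterIssuer this secret lives in the
    # namespace cert-manager runs in (its "cluster resource namespace"), not in "staging".
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # placeholder name
    http01: {}
---
# Explicit Certificate (the comment above reports a manual Certificate was needed).
# Named after its secretName so the ingress-shim reuses it instead of creating another.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: staging-site-io-tls
  namespace: staging
spec:
  secretName: staging-site-io-tls            # receives tls.crt / tls.key once issued
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer                      # default kind is Issuer, so this must be set
  dnsNames:
  - staging.site.io
  - staging.admin.site.io
  - staging.api.site.io
  acme:
    config:
    - http01:
        ingressClass: nginx                  # challenge ingress picked up by the nginx controller
      domains:
      - staging.site.io
      - staging.admin.site.io
      - staging.api.site.io
---
# Ingress: annotation key changes from certmanager.k8s.io/issuer to
# certmanager.k8s.io/cluster-issuer, and spec.tls.secretName is the Certificate's secret.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: staging-site-ingress
  namespace: staging
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
  - hosts:
    - staging.site.io
    - staging.admin.site.io
    - staging.api.site.io
    secretName: staging-site-io-tls
  rules:
    - host: staging.site.io
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-service
              servicePort: 80
    - host: staging.admin.site.io
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-service
              servicePort: 80
    - host: staging.api.site.io
      http:
        paths:
          - path: /
            backend:
              serviceName: gateway-service
              servicePort: 9000
```

After `kubectl apply -f` on these, the checks that distinguish "account key problem" from "challenge problem" are `kubectl describe certificate staging-site-io-tls -n staging` (the Ready condition should move off `NotFound`), `kubectl describe order -n staging` (the Order's `State` and `URL` should be populated once the ACME account registered with the new key), and the cert-manager pod's logs as in mikebridge's comment. The secret the Ingress serves from should end up with non-zero `tls.crt` and `tls.key`, while the account-key secret keeps only `tls.key`; if the two are still the same secret, the empty `tls.crt` seen in the question is the expected symptom.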

The reason your certificate order is not completing is that the challenge is failing to complete successfully. Review your solver configuration in either your Issuer or ClusterIssuer.

See my answer here for more details. https://stackoverflow.com/a/75454772/4820940

J.D.