
I want to use cert-manager for issuing my own SSL certificate on AKS.

I already have a signed certificate (https://www.quovadisglobal.de/Zertifikate/SSLCertificates/BusinessSSLCertificates.aspx) which I want to use. In the cert-manager docs, I find only two relevant solutions: https://cert-manager.io/docs/configuration/

SelfSigned: This should be used to sign a certificate by a CSR.

CA: This should be used to sign incoming certificate requests.

I tried the second one. Here is what I did:

Install and verify cert-manager:

$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
$ kubectl get pods --namespace cert-manager

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7c5748846c-b4nqb             1/1     Running   0          2d23h
cert-manager-cainjector-7b5965856-bgk4g   1/1     Running   1          2d23h
cert-manager-webhook-5759dd4547-mlgjs     1/1     Running   0          2d23h

Create Secret from private key and cert:

$ sudo kubectl create secret tls ssl-secret-p --cert=mycert.crt --key=mykey.key --namespace=cert-manager

Create issuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ssl-secret-p

Error:

$ sudo kubectl get clusterissuers ca-issuer -n cert-manager -o wide

NAME        READY   STATUS                                                         AGE
ca-issuer   False   Error getting keypair for CA issuer: certificate is not a CA   5m

What am I doing wrong?

EDIT:

sudo kubectl -n namespace get ing
NAME            HOSTS           ADDRESS          PORTS     AGE
nginx-ingress   ***.com         51.105.205.128   80, 443   13m
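One way to confirm locally why the CA issuer rejects the secret, as an added example that is not from the question or the cert-manager project: it assumes openssl and GNU grep are installed, and the file name mycert.crt is a placeholder.

```shell
#!/bin/sh
# Added check: does a PEM certificate qualify as a CA for cert-manager's
# CA issuer? That issuer signs new certificates with the key in the secret,
# so the certificate must carry X509v3 Basic Constraints with CA:TRUE.
# A purchased server certificate (like the QuoVadis one in the question)
# has CA:FALSE or no such extension, which is what the status message
# "certificate is not a CA" reports. Assumes openssl and GNU grep.

# cert_is_ca FILE
#   returns 0 if FILE is a CA certificate,
#           1 if it is an end-entity (leaf) certificate,
#           2 if FILE cannot be parsed as an X.509 certificate.
cert_is_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # The extension prints as a header line followed by its value:
    #   X509v3 Basic Constraints: critical
    #       CA:TRUE
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# secret_target FILE
#   prints which field the tls secret created from FILE
#   (kubectl create secret tls ...) belongs in.
secret_target() {
    rc=0
    cert_is_ca "$1" || rc=$?
    case $rc in
        0) echo "spec.ca.secretName of an Issuer/ClusterIssuer" ;;
        1) echo "spec.tls[].secretName of the Ingress (no cert-manager issuer needed)" ;;
        *) echo "not a readable X.509 certificate"; return 2 ;;
    esac
}

# Usage: sh check-ca.sh mycert.crt   (mycert.crt is a placeholder name)
if [ "$#" -eq 1 ]; then
    printf '%s -> %s\n' "$1" "$(secret_target "$1")"
fi
```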

1 Answer

cert-manager will carry out the ACME challenge verification. Try passing this secret name to the tls section of the ingress rule; once the ACME challenge appears valid, you will see a corresponding entry in the ingress:

kubectl -n namespace get ing

will give you that.

Then the certificate shall acquire the ready state.

I tried it, but I haven't used any pre-created TLS secret. You can refer to this Stack Overflow post; I guess it will turn out somewhat helpful to you.

  • Ok, if I get you right, I only need to pass the secret to my ingress. cert-manager is not necessary if I already have a signed certificate? – Nico Schuck Dec 02 '19 at 12:55
  • Sorry, I didn't get that. The ACME challenge is not necessary anymore because QuoVadis did that, right? I added the secret to my ingress and added the information to my post. Is everything right from my side, or did I miss anything? – Nico Schuck Dec 02 '19 at 13:16
  • In general, HTTPS is working now, but I get a 404 error every time. Not sure if it is related to this issue. – Nico Schuck Dec 02 '19 at 14:57