
Hello, I'm struggling to get cert-manager to work with Let's Encrypt on my Azure AKS cluster to secure an ASP.NET Core web app.

I have a ClusterIssuer like this:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencryptstaging-issuer
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: letsencryptstaging@prodibi.com
    privateKeySecretRef:
      name: letsencryptstaging-secret
    solvers:
    - http01:
        ingress:
          class: nginx

and I request a certificate like this:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: aks-prodibiv2-com-staging
spec:
  secretName: aks-prodibiv2-com-staging-secret
  duration: 2160h
  renewBefore: 480h
  organization:
  - prodibiv2
  dnsNames:
  - aks.prodibiv2.com
  issuerRef:
    name: letsencryptstaging-issuer
    kind: ClusterIssuer

I have also added these annotations to the ingress I would like to use:

certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/cluster-issuer: letsencryptstaging-issuer

In the following screenshot we can see that the certificate request is "Waiting to complete". We can also see that we have two ingress resources; the one for the challenge seems not to have an IP, and the domain is pointing to ingress-prodibiweb.

If I try to put the domain in front of the .well-known path I get a 404 Not Found error.

So my guess is that cert-manager is not configured properly to use ingress-prodibiweb (which points to the ASP.NET Core web app), or something like that. Any idea what I can try to get it working?

Screenshot of the certificate state and the ingresses descriptions

fred_
  • It looks like both definitions of your Ingress resources are invalid. Please verify the configuration at the 'backend' level; it should point to the right/existing serviceName/servicePort pair. Additionally, double-check whether the Service is configured properly; from the 'describe ing' output it seems it's not (no endpoints found). – Nepomucen May 21 '20 at 22:29
  • Something tells me that a few of your app Pods are not running as intended. Can you look around for non-running Pods with 'kubectl get po --all-namespaces'? The "No endpoints found" error is probably caused by this. – Nepomucen May 21 '20 at 22:35

1 Answer

  1. Your ingress IP is private. There is no way for Let's Encrypt to access it.
  2. You need to make sure you are using the Nginx Ingress, which is what you have configured here:
     - http01:
         ingress:
           class: nginx
  3. Make sure your domain points to the right IP (the Ingress IP, which is also a Load Balancer IP). Right now it is 20.50.42.93: https://mxtoolbox.com/SuperTool.aspx?action=a%3aaks.prodibiv2.com&run=toolpage

dns01 is also a solution for requesting an SSL certificate. You can give it a try if you have enough permissions.

RammusXu
  • Hello, do you know how I can check that the ingress is nginx? – fred_ May 22 '20 at 10:01
  • Check here: https://stackoverflow.com/a/53299983/10347794 There is no default Ingress Controller in AKS, so it needs to be installed manually; the official MS guides use the nginx-ingress controller: https://learn.microsoft.com/pl-pl/azure/aks/ingress-basic – Nepomucen May 22 '20 at 10:47
  • Thank you rammusxu, the ingress wasn't nginx I think; I have installed and configured it like @nepomucen said and now it works. – fred_ May 22 '20 at 20:23
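As an added diagnostic (not code from the question or the answer), the preconditions RammusXu lists can be checked offline against the JSON that `kubectl get ingress <name> -o json` returns: a nginx ingress class, an assigned load balancer address, that address being publicly routable, the domain's A records pointing at it, and each path having a backend service. The Ingress document and the DNS answer below are constructed, and `http01_preflight` and `with_address` are names chosen for this example.

```python
import ipaddress
import json

# Constructed sample in the shape of `kubectl get ingress <name> -o json`
# (networking.k8s.io/v1beta1 fields, as used at the time of the question);
# the private 10.x address reproduces the failure the answer describes.
SAMPLE_INGRESS = json.loads("""
{"metadata": {"name": "ingress-prodibiweb", "annotations": {"kubernetes.io/ingress.class": "nginx"}},
 "spec": {"rules": [{"host": "aks.prodibiv2.com", "http": {"paths": [{"path": "/",
          "backend": {"serviceName": "prodibiweb", "servicePort": 80}}]}}]},
 "status": {"loadBalancer": {"ingress": [{"ip": "10.240.0.5"}]}}}
""")

def ingress_class(ing):
    """Ingress class from the legacy annotation or from spec.ingressClassName."""
    ann = ing.get("metadata", {}).get("annotations", {})
    return ann.get("kubernetes.io/ingress.class") or ing.get("spec", {}).get("ingressClassName")

def http01_preflight(ing, resolved):
    """Return the HTTP-01 preconditions that fail (empty list means all passed).
    `resolved` maps each host in the rules to the IPv4 set its public A records return."""
    problems = []
    if ingress_class(ing) != "nginx":
        problems.append("ingress class is %r, but the solver expects nginx" % ingress_class(ing))
    lb = {e["ip"] for e in ing.get("status", {}).get("loadBalancer", {}).get("ingress", []) if e.get("ip")}
    if not lb:
        problems.append("ingress has no load balancer address yet")
    for ip in lb:
        if not ipaddress.ip_address(ip).is_global:   # RFC 1918, loopback, link-local, ...
            problems.append("ingress address %s is private; Let's Encrypt cannot reach it" % ip)
    for rule in ing.get("spec", {}).get("rules", []):
        host = rule.get("host")
        if host and lb and not lb & resolved.get(host, set()):
            problems.append("DNS for %s gives %s, not the ingress address %s"
                            % (host, sorted(resolved.get(host, ())), sorted(lb)))
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            if not (backend.get("serviceName") or backend.get("service", {}).get("name")):
                problems.append("path %s has no backend service" % path.get("path"))
    return problems

def with_address(ing, ip):
    """Copy of the Ingress with its load balancer address replaced, for what-if checks."""
    fixed = json.loads(json.dumps(ing))
    fixed["status"] = {"loadBalancer": {"ingress": [{"ip": ip}]}}
    return fixed

if __name__ == "__main__":
    # Constructed DNS answer; 20.50.42.93 is the address the answer says the domain pointed to.
    print(http01_preflight(SAMPLE_INGRESS, {"aks.prodibiv2.com": {"20.50.42.93"}}))
```

Feed it the real `kubectl get ingress -o json` output and the A records from `dig +short <host>` to reproduce the checks on a live cluster.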