0

When I try configuring TLS Let's Encrypt certificates for my cluster application with an NGINX Ingress controller and cert-manager, something goes wrong with the ClusterIssuer.

My ClusterIssuer is defined as follows:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: user@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

When I check out the clusterissuer via kubectl, it says that the ClusterIssuer is READY.

$ kubectl get clusterissuer --namespace mynamespace

Response:

NAME               READY   AGE
letsencrypt-prod   True    13s

But when I describe the ClusterIssuer I get an error.

$ kubectl describe clusterissuer letsencrypt-prod --namespace mynamespace

Response:

Error from server: conversion webhook for cert-manager.io/v1alpha2, Kind=ClusterIssuer failed: Post https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s: service "cert-manager-webhook" not found

I installed cert-manager with Helm 3, adding the CRDs manually.

How can I solve this?

marcuse

2 Answers

2

The cert-manager chart does not accept different namespacing when the CRDs are applied manually to your cluster. Instead of applying them manually first, install the CRDs as part of the Helm 3 release.

$ helm repo add jetstack https://charts.jetstack.io

$ helm repo update

$ helm install \
  cert-manager jetstack/cert-manager \
  --namespace mynamespace \
  --version v0.15.1 \
  --set installCRDs=true
marc_s
marcuse
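
A way to confirm the mismatch behind the error in the question, as an added example that is not part of the original posts: it reads a CRD's conversion settings and checks whether the webhook Service it points at exists. The sample CRD and Service list are constructed; the `cert-manager` and `mynamespace` values mirror the error URL and the commands above, and it is an assumption that the manually applied CRDs name the webhook Service this way.

```python
import json

# Constructed sample: trimmed output of
# `kubectl get crd clusterissuers.cert-manager.io -o json` (assumed shape).
SAMPLE_CRD = json.loads("""
{
  "apiVersion": "apiextensions.k8s.io/v1beta1",
  "kind": "CustomResourceDefinition",
  "metadata": {"name": "clusterissuers.cert-manager.io"},
  "spec": {"conversion": {
    "strategy": "Webhook",
    "webhookClientConfig": {"service": {
      "name": "cert-manager-webhook", "namespace": "cert-manager", "path": "/convert"}}
  }}
}
""")


def conversion_service(crd):
    """Return (namespace, name) of the CRD's conversion webhook Service, or None."""
    conv = crd.get("spec", {}).get("conversion") or {}
    if conv.get("strategy") != "Webhook":
        return None
    # apiextensions.k8s.io/v1 nests the client config under "webhook";
    # v1beta1 keeps "webhookClientConfig" directly under "conversion".
    client = (conv.get("webhook") or {}).get("clientConfig") \
        or conv.get("webhookClientConfig") or {}
    svc = client.get("service")
    if not svc:
        return None  # URL-based webhook: no in-cluster Service to look up
    return svc.get("namespace"), svc.get("name")


def check_crd(crd, services):
    """services: set of (namespace, name) pairs that exist in the cluster."""
    name = crd["metadata"]["name"]
    target = conversion_service(crd)
    if target is None:
        return f"{name}: no Service-backed conversion webhook"
    if target in services:
        return f"{name}: OK, {target[0]}/{target[1]} exists"
    return f"{name}: MISMATCH, CRD calls {target[0]}/{target[1]} but no such Service exists"


if __name__ == "__main__":
    # Constructed: chart released into "mynamespace", as in the question.
    existing = {("mynamespace", "cert-manager-webhook"), ("mynamespace", "cert-manager")}
    print(check_crd(SAMPLE_CRD, existing))
```
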
1

I solved this issue by adding namespace: cert-manager under metadata.

It would look something like this:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: user@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Modx