So, I have a Kubernetes cluster running on AWS EKS; it's only a test cluster for learning and building a production cluster at the moment. I've already managed to make everything I need work except for the SSL certificate! :(

I'm using cert-manager to add an SSL certificate to my domain "brunolira.dev", which I bought on Google Domains and used AWS Route53 to redirect to my Kubernetes load balancer, but I have not had any success yet.

By using the staging cert-manager URL (https://acme-staging-v02.api.letsencrypt.org/directory) I get the following certificate in Firefox: [screenshot of the certificate]

When I use the prod cert-manager URL (https://acme-prod-v02.api.letsencrypt.org/directory) it changes to this: [screenshot of the certificate] I don't understand why it is saying "Kubernetes Ingress Controller Fake Certificate", nor why the DNS name changes to "ingress.local".

This is my ClusterIssuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: MYEMAIL(WHICH I DID NOT REGISTER ANYWHERE, IS THERE SUCH A THING?)
    privateKeySecretRef:
      name: cluster-issuer-account-key
    server: https://acme-prod-v02.api.letsencrypt.org/directory
    solvers:
    - selector:
        dnsZones:
          - "brunolira.dev"
      dns01:
        route53:
          region: us-east-2
          hostedZoneID: HOSTEDZONE ID ON ROUTE 53
          role: arn:aws:iam::IAMUSERID:role/dns-manager

This is my ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - brunolira.dev
    secretName: echo-tls
  rules:
  - host: brunolira.dev
    http:
      paths:
      - path: /common
        backend:
          serviceName: common-service
          servicePort: 80
      - path: /offline
        backend:
          serviceName: offline-service
          servicePort: 80

Any help, guidance, suggestion or tip on how I could solve this will be very much appreciated!

In case you want to take a look at the prod-generated certificate, you can access the page brunolira.dev and verify whatever you need! I can also provide any information about my configuration that would be useful for finding a solution to this problem!

Bruno Lira

2 Answers

SOLVED! Long story short, I was using the wrong letsencrypt production URL :)

Even though in the ClusterIssuer I provided I was using the "dns01" solver, I was trying "http01" too.

This was my final ClusterIssuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: MYEMAIL
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

And this was my final Ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/acme-challenge-type: "http01"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - brunolira.dev
    secretName: echo-tls
  rules:
  - host: brunolira.dev
    http:
      paths:
      - path: /serviceA
        backend:
          serviceName: serviceA
          servicePort: 80
      - path: /ServiceB
        backend:
          serviceName: serviceB
          servicePort: 80

This link helped me see what I was doing wrong! Pretty good tutorial :)

Bruno Lira
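Added example (not from the question or either answer) to tell apart, from outside the cluster, the three states this thread runs through: the ingress-nginx fallback certificate shown in the question's screenshot, a certificate issued through the Let's Encrypt staging directory, and a production certificate from the corrected URL in the answer. It assumes `openssl` is on the PATH; the host name and the certificate name strings are taken from the thread, the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# classify_cert SUBJECT ISSUER prints one of:
#   fake-ingress  - ingress-nginx fallback cert: the secret named in the Ingress
#                   (echo-tls here) does not exist, so cert-manager issued nothing
#                   (e.g. the ACME directory URL was wrong, as in the question)
#   staging       - issued via the Let's Encrypt staging directory; browsers reject it
#   production    - issued by Let's Encrypt production; what the fixed issuer yields
#   unexpected    - anything else (a manually installed or unrelated certificate)
classify_cert() {
    subject=$1
    issuer=$2
    case "$subject $issuer" in
        *"Kubernetes Ingress Controller Fake Certificate"*|*"ingress.local"*)
            echo fake-ingress ;;
        *"(STAGING)"*|*"Fake LE"*)
            # staging issuer names carry "(STAGING)" (newer) or "Fake LE" (older)
            echo staging ;;
        *"Let's Encrypt"*)
            echo production ;;
        *)
            echo unexpected ;;
    esac
}

# served_cert_status HOST: fetch what the load balancer really serves and classify it.
# -servername sends SNI; without it ingress-nginx answers with the fallback cert
# even when the right secret exists, which would give a false "fake-ingress".
served_cert_status() {
    host=$1
    pem=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null)
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null)
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer 2>/dev/null)
    classify_cert "$subject" "$issuer"
}

# Usage: sh check-cert.sh brunolira.dev
if [ $# -gt 0 ]; then
    served_cert_status "$1"
fi
```

A "staging" result means issuance works end to end and only the server URL in the ClusterIssuer needs to change; "fake-ingress" means the TLS secret was never created, so check the Certificate, Order and Challenge resources cert-manager created for the Ingress.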

I think this link shall help you in this context.

The TLS secret will be auto-created; you just need to mention it in the ingress rule.

Tushar Mahajan
  • Hi Tushar! Thank you for the link! I tried to follow these instructions but no luck. Good news is that I have solved the issue by following the tutorial linked in my answer. – Bruno Lira Jul 05 '20 at 16:20