How to setup nginx Ingress w/ automatically generated LetsEncrypt certificates on Kubernetes

Chris on December 07, 2019

Background: After first searching around there are plenty of tutorials to show how to do this, but none of them just worked w/o modifications, the...
 
Ed

This post is worth 1.000.000 Hearts. I solved the issue and actually understood it. There are many flavors to get cert-manager on track with Kubernetes, on EKS from AWS. Btw never install cert-manager from GitLab. You will end up deleting an entire cluster just to get rid of it. Ingress works like a champ on GitLab's. Nothing else.. Once again thanks bro..

Ed

I solved my production problem, thanks :D. But what about, let's say, staging-api.mysite.com on my staging namespace? It creates the certificate, but in the browser it shows CN=Fake LE Intermediate X1, is not trusted, and Firefox is not opening it. Any idea? I have production and staging namespaces with their own ingress, copy/pasted with different names (staging in this case).

Chris

Maybe you have just misinterpreted what staging refers to in different contexts:

In context of letsencrypt staging certs:

As far as I know, the LetsEncrypt Staging Authority issues exactly the kind of certificates that you mentioned. They are not trusted by browsers, but are only used for initially testing whether issuing certificates works in general. Once that works, you need to switch to the LetsEncrypt production authority.

In context of your staging API:

It does not mean that for your staging environment you use the letsencrypt staging authority. Instead you also have to switch this to the production authority.
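
The issuer switch described in the reply above, as an added example that is not part of the original post or its comments: a production ClusterIssuer and the staging-namespace Ingress pointing at it. It assumes a current cert-manager (`cert-manager.io/v1`) with an HTTP-01 solver on the nginx ingress class; the issuer, secret and service names and the e-mail address are hypothetical.

```yaml
# Added example; all names below are hypothetical placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Test-only endpoint; its certificates chain to an untrusted test root:
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory   # browser-trusted
    email: admin@example.com                # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key    # ACME account key, not the TLS key
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: staging-api
  namespace: staging          # the *environment* is staging ...
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # ... the *issuer* is not
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - staging-api.mysite.com
      secretName: staging-api-tls   # cert-manager stores the issued cert here
  rules:
    - host: staging-api.mysite.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: staging-api
                port:
                  number: 80
```

If the browser still shows the staging chain after the switch, deleting the TLS secret named in `secretName` makes cert-manager request a fresh certificate from the production issuer.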

Dinesh Rathee

LetsEncrypt revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...
GitHub: github.com/dineshrathee12/Let-s-En...
LetsEncryptCommunity: community.letsencrypt.org/t/letsen...

Dragos Cirjan

I'm trying to apply the above setup in a Vagrant set of machines running Ubuntu 18.04.

Unfortunately, when trying to
kubectl apply -f Service_ingress-nginx.yaml
everything runs well, but then
vagrant@k8smaster:/vagrant/proxy$ kubectl get --all-namespaces service
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
...
ingress-nginx ingress-nginx LoadBalancer 10.102.210.119 80:32550/TCP,443:32197/TCP 22m
...

I tried to add in Service_ingress-nginx.yaml:

    externalIPs:
      - 192.168.1.231

where the IP above is the machine's external IP.

kubectl get --all-namespaces service will show an external IP, but I cannot view any of the domains in browser...

Installing Docker & Kubernetes with this Makefile: github.com/dragoscirjan/configs/bl...

Maybe I'm missing something.
Would be really grateful if you could advise.

Adie Olalekan

This is awesome Chris. One question please, is this certificate self renewing?

Chris

Hi Adie, yes cert-manager takes care of that job.

At least that's what the cert-manager repo claims: 'It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.'

Though I'll still have to wait some time before being able to really confirm it :-)

Adie Olalekan

Okay, Thank you

Mikko Hirvonen

Thanks a lot! I went through quite a lot of instructions about Let's Encrypt with Kubernetes, but this was the first one with a successful result. You saved a lot of my time. Thanks!

Chris

Nice, love to hear that.

Sinan Mujan

Thank you so much, this helped me solve my problem with issuing the certificate, your Service_ingress-nginx.yaml file was the key. Awesome article!

Chris

Thank you, I'm glad it helped!