Has anyone gotten cert-manager working in Rancher 2.0?
I start by deploying it from the Helm catalog. I then add an issuer like so:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME server URL
    server: https://acme-v01.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: me@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the HTTP-01 challenge provider
    http01: {}
I then add certmanager.k8s.io/cluster-issuer=letsencrypt as an annotation on my ingress. If I hit http://mydomain.example.com, traffic routes to the correct service. https://mydomain.example.com, on the other hand, routes to the default ingress backend backed by the fake k8s certificate (i.e., it’s as if the ingress isn’t being configured for TLS, which is not what these docs suggest should happen).
Where syncthing/ingress is the namespace/ingress of my project. This seems to indicate that the annotation is being discovered, as I see:
I0509 23:47:17.490804 1 sync.go:41] Not syncing ingress syncthing/ingress as it does not contain necessary annotations
if I remove the annotation. I do see a letsencrypt secret in kube-system, but I think this may be a private key for LE authentication rather than my cert itself. kubectl get certificates --all-namespaces returns nothing. Likewise, I never see any messages indicating that a cert is being provisioned, just the absence of messages indicating that required annotations are missing when I point the ingress at an issuer.
Has anyone gotten this working? I’m wondering if there’s anything non-standard about the Rancher ingress controller that might be tripping up cert-manager. I’m also wondering if there’s a different/better way to integrate LE with Rancher.
Yep tried it and works just fine. I first used external DNS from the catalog to have the domain linked ( you can do that manually), then set up an ingress, then added a cluster issuer, then added a certificate, then updated the ingress to use the certificate.
OK, so that answers one question. I wasn’t sure whether to provision the cert manually or to use ingress-shim. Sounds like you’re going the manual route.
If that’s the case, mind sharing your configs? I’m getting absolutely nothing meaningful in my logs, and I’m pretty sure I’m as close to what you’ve set up as I can get. But clearly something isn’t working, as my certificate resource isn’t deploying. I switched to DNS01 challenges, as I assumed HTTP01 wouldn’t work with the default ingress, but neither works for me.
The ingress shim I think is buggy or something… here’s a sample issuer config:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME production api URL
    server: https://acme-v01.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: tools@whateveremail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-production
    # Enable the HTTP-01 challenge provider
    http01: {}
Yup, that worked. I’m not sure why mine didn’t, since I copied the certificate configs directly from the docs, but yours seems to explicitly configure the ACME challenge, whereas the docs indicated that the config would be picked up from the issuer.
In any case, I’ve got HTTPS now, and like that the automatic redirect is automatically configured. That would have been my next question.
Should we move this thread to the Rancher 2.0 forum?
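The two remaining pieces of the procedure described above (create a Certificate, then point the Ingress at it) and the "explicit ACME challenge" configuration mentioned in the last reply, as an added example that is not taken from any post in this thread. It assumes the certmanager.k8s.io/v1alpha1 API and the ClusterIssuer named letsencrypt shown earlier, the namespace/ingress pair syncthing/ingress and the host mydomain.example.com mentioned above; the ingress class nginx, the backend service name syncthing and its port 8384 are assumptions for illustration. Two details worth knowing: ingress-shim only creates a Certificate for hosts that appear under the Ingress's spec.tls (the annotation alone does nothing), and a Certificate is namespaced even though the ClusterIssuer it references is not, so each namespace that serves a host needs its own Certificate and Secret.

```yaml
# Added example, not the configuration of anyone in this thread.
# Assumes cert-manager's certmanager.k8s.io/v1alpha1 API, a ClusterIssuer
# named "letsencrypt", the namespace/ingress "syncthing/ingress" and the
# host "mydomain.example.com" from the thread. Ingress class, service name
# and port below are assumptions.

# Path A: ingress-shim. The shim creates a Certificate only for hosts listed
# under spec.tls, using tls.secretName as the Secret that receives the
# issued certificate. Without a tls block, HTTPS keeps serving the
# controller's fake default certificate.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: syncthing
  annotations:
    kubernetes.io/ingress.class: nginx             # assumption: Rancher's bundled nginx controller
    certmanager.k8s.io/cluster-issuer: letsencrypt # remove this if you manage the Certificate yourself (Path B)
spec:
  tls:
  - hosts:
    - mydomain.example.com
    secretName: mydomain-example-com-tls           # written by cert-manager once issuance succeeds
  rules:
  - host: mydomain.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: syncthing                   # assumption: your workload's service
          servicePort: 8384                        # assumption: your service port
---
# Path B: a Certificate you apply yourself. The acme.config block binds the
# HTTP-01 challenge explicitly to the existing Ingress, so the
# /.well-known/acme-challenge route is added to it instead of a separate
# cm-acme-http-solver-* Ingress being created.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: mydomain-example-com
  namespace: syncthing                             # Certificates and their Secrets are namespaced
spec:
  secretName: mydomain-example-com-tls             # must match the Ingress tls.secretName
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer                            # a ClusterIssuer can be referenced from any namespace
  commonName: mydomain.example.com
  dnsNames:
  - mydomain.example.com
  acme:
    config:
    - http01:
        ingress: ingress                           # reuse the Ingress above for the challenge route
      domains:
      - mydomain.example.com
```

Use one path or the other for a given host: if you apply the Certificate yourself, drop the cluster-issuer annotation from the Ingress so the shim does not create a second Certificate writing the same Secret. After applying, `kubectl -n syncthing describe certificate mydomain-example-com` shows the challenge status, and `kubectl get certificates --all-namespaces` lists one Certificate per namespace that serves a host.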
It does not work.
ClusterIssuer is ready, but the certificate is not working (something with a challenge error); I think it cannot pull the certificate.
Any port issues? Rancher load balancing does not work either.
OK, everything works fine. Thanks a lot for the tutorial.
I have got certificates that are usable, so Rancher 2 is now usable for me.
The only issue remaining is:
I have ClusterIssuers and got the corresponding certificates.
But they do not show up in other namespaces, only the default one.
The behaviour is like a normal Issuer, I think.
The certificates must be placed in a single namespace. There isn’t a way around that. ClusterIssuer should be visible from any namespace. I use ClusterIssuer and can use it on all of my namespaces.
Hi, I am new to Rancher and this forum and I am trying to get SSL to work for my subdomains and pods with Let’s Encrypt. Do I really need an external DNS? And how do I set this up? The tutorial from @dhawton seems to be very well written, but I am confused by the Cloudflare stuff.
You do not need to use an external DNS… you can use HTTP-01 validation. Cloudflare is good, and free, if you need/want external hosting and/or use DNS-01 validation.
I set up ingress-shim with cert-manager and it works.
When deploying a new workload, cert-manager added one service discovery and one Ingress load balancer, both called cm-acme-http-solver-xxyy.
Now I have no idea how to use it with the domain and get the Let’s Encrypt cert. Please visit this post and see if you can help.
TY
@dhawton So are you saying, if your certificate is configured to work on, say, 3 subdomains, each hosted in its own project/namespace, then you need to make a new Let’s Encrypt request for each project?
(This is the only way I have been able to get it to work, BTW.)
If this is the case, I’m not sure what a ClusterIssuer is for? I still need to make a request for each project.