Cert manager - Certificate issued but not added to certificates


#1

Hi all,

I am deploying a website with Rancher 2. The pods are spawning, accessible on the web. Ok.

I am trying to add HTTPS support with Let’s Encrypt. I installed cert-manager from Helm. I created a ClusterIssuer and a Certificate. The Certificate describe output:

Name:         acme-crt
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  xxxxx/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-07-05T12:08:21Z
  Generation:          1
  Resource Version:    779229
  Self Link:           xxxxx
  UID:                 xxxxxxxx
Spec:
  Acme:
    Config:
      Domains:
        www.xxxx
        sub1.xxxx
      Http 01:
        Ingress:
        Ingress Class:  nginx
  Common Name:
  Dns Names:
    www.xxx
    sub1.xxx
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-issuer
  Secret Name:  acme-crt-tls
Status:
  Acme:
    Order:
      URL:  xxxxxx
  Conditions:
    Last Transition Time:  2018-07-05T12:08:24Z
    Message:               Order validated
    Reason:                OrderValidated
    Status:                False
    Type:                  ValidateFailed
    Last Transition Time:  <nil>
    Message:               Certificate issued successfully
    Reason:                CertIssued
    Status:                True
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  CreateOrder   27m   cert-manager  Created new ACME order, attempting validation...
  Normal  IssueCert     27m   cert-manager  Issuing certificate...
  Normal  CertObtained  27m   cert-manager  Obtained certificate from ACME server
  Normal  CertIssued    27m   cert-manager  Certificate issued successfully

It seems to be OK?

But when I go back to Rancher UI, on the Resources > Certificates page, it’s empty.

Any ideas?


#2

Have a look at this thread. There’s a video tutorial showing how to set it up.


#3

Yes, already saw it. In fact, I managed to create the issuer and the “certificate” thanks to this video (and the blog post associated with it).

I managed to get as far as the certificate issuance. The certificate says “Certificate issued successfully”, but I can’t see any certificate in Rancher > Resources > Certificates.


#4

I’m having the same problems. I am successfully creating the ClusterIssuer and the Certificate.
k describe certificates <my certificate>
shows:

Events:
  Type    Reason          Age   From          Message
  ----    ------          ----  ----          -------
  Normal  CreateOrder     57s   cert-manager  Created new ACME order, attempting validation...
  Normal  DomainVerified  21s   cert-manager  Domain "xxx.xxxx.xxx" verified with "http-01" validation
  Normal  IssueCert       21s   cert-manager  Issuing certificate...
  Normal  CertObtained    18s   cert-manager  Obtained certificate from ACME server
  Normal  CertIssued      18s   cert-manager  Certificate issued successfully

But in Rancher, none of my projects or namespaces are showing the certificate EXCEPT ‘default’.
But when I go into the default/default namespace, the certificate shows up under “resources | certificates” but with weird data not in agreement with kubectl:

Certificate: xxxx-xxxx-xxxx-tls
Valid Beginning: 12:42 PM (Invalid date)
Expires: 12:42 PM (Invalid date)
Algorithm:
Issuer:
Serial Number:
Fingerprint:
Domain Names None

Anybody got a cluster issuer to work with Let’s Encrypt?


#5

Certs are a namespaced resource and belong to a single namespace and therefore one project. (Rancher also adds a feature to make certs and secrets you provide available to all namespaces in a project, by replicating them to each namespace).

Those that are created directly through the k8s API do not get the annotations that the UI is looking for with the info about the cert. https://github.com/rancher/rancher/issues/14921
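
To check what is actually stored in the Secret, independent of the UI listing discussed in this thread, the certificate can be decoded directly. This is an added example, not code from any poster or from the Rancher or cert-manager projects; it assumes `kubectl` and `openssl` are installed, the function names are hypothetical, and the namespace `default` and Secret name `acme-crt-tls` are the ones from the first post.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names): inspect a cert-manager TLS Secret
# with kubectl and openssl instead of relying on a UI listing.

# inspect_tls_pair CERT_PEM KEY_PEM [MIN_SECONDS_LEFT]
# Prints the certificate fields, then checks expiry and that the key matches.
inspect_tls_pair() {
  local crt="$1" key="$2" min_left="${3:-2592000}"   # default: 30 days
  local crt_pub key_pub
  # Subject, issuer, serial, validity window and SHA-256 fingerprint.
  openssl x509 -in "$crt" -noout -subject -issuer -serial -dates \
    -fingerprint -sha256 || return 2
  # DNS names the certificate covers.
  openssl x509 -in "$crt" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    || echo "Subject Alternative Name: none"
  # -checkend exits non-zero if the cert expires within the given seconds.
  if ! openssl x509 -in "$crt" -noout -checkend "$min_left" >/dev/null; then
    echo "FAIL: certificate expires within ${min_left}s" >&2
    return 3
  fi
  # tls.key must belong to tls.crt: compare digests of the two public keys.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: tls.key does not match tls.crt" >&2
    return 4
  fi
  echo "OK: certificate valid and key matches"
}

# inspect_tls_secret NAMESPACE SECRET_NAME
# Example: inspect_tls_secret default acme-crt-tls
inspect_tls_secret() {
  local ns="$1" name="$2" dir rc=0
  dir=$(mktemp -d) || return 1          # mktemp -d creates a 0700 directory
  kubectl -n "$ns" get secret "$name" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d >"$dir/tls.crt"
  kubectl -n "$ns" get secret "$name" -o jsonpath='{.data.tls\.key}' \
    | base64 -d >"$dir/tls.key"
  inspect_tls_pair "$dir/tls.crt" "$dir/tls.key" || rc=$?
  rm -rf "$dir"                         # do not leave the private key on disk
  return "$rc"
}
```

A non-zero return code distinguishes an unreadable certificate (2), one close to expiry (3) and a key that does not match (4).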