Rancher 2 and Letsencrypt

Hi,

I’m considering switching from Rancher 1.6 to Rancher 2.0, but there is still some part I’m unable to migrate, the main one being my Letencrypt certificate.

On Rancher 1.6, I’m using the Let’s Encrypt stack in the catalogue (https://github.com/janeczku/rancher-letsencrypt), but there is no Rancher 2 version yet, and the author said that he won’t port it.

Is there an alternative for Rancher 2, and if so, how to configure it with Rancher 2 ?

8 Likes

Check out the cert-manager in the catalog. It’s a helm chart for doing exactly that :slight_smile:

Check out this post. It probably has most of the info you might need :slight_smile: Cert-manager and Rancher 2.0?

Hi, I just installed cert-manager, but I do not know what else to do to add certificates. There is a tutorial to review.

I’ve created a video tutorial on setting up and using cert-manager with Rancher’s nginx ingresses as well. https://www.youtube.com/watch?v=xc8Jg9ItDVk hopefully this helps you

7 Likes

Very interesting video. I would be great to have a Helm chart helping doing this. I’ll try to do it, as it would be a good way to learn to do a Rancher Helm Chart.

Just trying to help. I struggled with it for a bit, and once I got it sorted wanted to show others since I’ve seen the question asked several times.

Thanks for the video.

Do you know, if on wildcard certificates, you have to specify every hosts in the TLS section? I’m struggling a bit with this.

http://forums.rancher.com/t/ingress-tls-with-wildcard-cert

1 Like

Glad to help.

My understanding is, according to https://github.com/kubernetes/ingress-nginx/issues/8, that you can use *.example.com in the hosts field.

To use it, I had to define the rule with the wildcard. The hostname in the rule must also match the hostname in the TLS config.

Here’s the YAML of what I have working on my setup.

spec:
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: ingress-89d08e42f206c06d886aeab617ea1b7f
          servicePort: 80
  - host: '*.example.com'
    http:
      paths:
      - backend:
          serviceName: ingress-ee03ffca50ad2849920b3ad055609f1d
          servicePort: 80
  tls:
  - hosts:
    - example.com
    - '*.example.com'
    secretName: example-com-tls

Hi @dhawton,
thx for your video. When following the tasks in the video creating Issuer and ClusterIssuer seems to work fine. But when I try to describe them I get a NotFound message from Rancher.

I´m working with a single node (server + node on one machine) in my case (server v2.0.2). Is there anybody else who has this behavior?

regards

@chris.ingenhaag

Are you checking the correct namespace?

IE, if your Issuer and Certificate are not in default, you would need to add --namespace=(namespace) to the kubectl command to make sure it’s checking there (otherwise it looks at default).

If you’re doing a bunch of commands in the same namespace, you can change your current context https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ by doing:

kubectl config use-context (namespace name)

Hope that is what’s doing it.

Thanks for the hint facepalm. Got it working now.

Yay ! Made it work. Now I’ve an HTTPS Rocket.Chat instance working. :slight_smile:

Hi,
Should the DNS01 provider be supported on certmanager specifically? E.g. I am trying to use GoDaddy which is supported by acme, but it is not listed on the certmanager link

Yes, it must be supported by cert-manager as it’s cert manager that puts in the TXT NS records. Let’s encrypt supports all dns providers as it only makes requests.

Hi all

I have a weird situation: follow the guide and the video and get able to create a ClusterIssuer and a Certificate for a given namespace, the certificate is added to the secret and showed in the ingress controller but the site continue to be served over http by the default ingress.local certificate.

Any help?

Thanks in advance

Yulian

Generally that happens when the certificate doesn’t match the host for the site requested. If the ingress can’t find a certificate, it serves the default. Try readding the ingress and checking the certificate request thoroughly.

Hi @dhawton, thanks for the response

Can you help me on how to read the ingress to debug the problem, I am starting my steps with kubernetes.

Thanks

Yulian

@dhawton, just another massive thanks for your video. I’m new to rancher and k8s, and was totally overwhelmed trying to get this working until I came across this thread. Thanks so much for going over everything in such detail (especially things like pointing out that cert-manager certs look “broken” in rancher). I now understand really well how all these different parts work and really want to thank you for all the time and thought you put into the video.

Also, in case it helps others, for whatever reason, when editing my ingress, in the “SSL” section, it always said “No certificates”. But when creating a new ingress, the certificate I’d created showed up… so I just deleted the old ingress, created a new one, and everything works perfectly (yay, my PWA finally has offline support :)).

After the manual creation of an certificate now is working for me also with a help from @dhawton ´s video, I tried to get automated annotation-based creation of the certificates working. But there I run into several problems. I tried with helm-stable cert-manager and now also with the cert-manager available in rancher-library.

Does anybody have a working annotation combination which automatically creates a certificate and assigns it to a existing ingress? https://cert-manager.readthedocs.io/en/latest/reference/ingress-shim.html

My status is that I either get information that ingress will not be processed from certmanager because it doesn´t have necessary annotations or that certmanager cannot find “” issuer.

regards, Christian

1 Like