I’m considering switching from Rancher 1.6 to Rancher 2.0, but there are still some parts I’m unable to migrate, the main one being my Let’s Encrypt certificate.
On Rancher 1.6, I’m using the Let’s Encrypt stack in the catalogue (https://github.com/janeczku/rancher-letsencrypt), but there is no Rancher 2 version yet, and the author said that he won’t port it.
Is there an alternative for Rancher 2, and if so, how do I configure it with Rancher 2?
I’ve created a video tutorial on setting up and using cert-manager with Rancher’s nginx ingresses as well: https://www.youtube.com/watch?v=xc8Jg9ItDVk. Hopefully this helps you.
Very interesting video. It would be great to have a Helm chart to help do this. I’ll try to do it, as it would be a good way to learn how to make a Rancher Helm chart.
Hi @dhawton,
Thanks for your video. When following the tasks in the video, creating the Issuer and ClusterIssuer seems to work fine. But when I try to describe them, I get a NotFound message from Rancher.
I’m working with a single node (server + node on one machine) in my case (server v2.0.2). Is there anybody else who has this behavior?
I.e., if your Issuer and Certificate are not in default, you would need to add --namespace=(namespace) to the kubectl command to make sure it’s checking there (otherwise it looks at default).
Hi,
Should the DNS01 provider be supported by cert-manager specifically? E.g. I am trying to use GoDaddy, which is supported by acme, but it is not listed on the cert-manager link.
Yes, it must be supported by cert-manager, as it’s cert-manager that puts in the TXT NS records. Let’s Encrypt supports all DNS providers as it only makes requests.
I have a weird situation: I followed the guide and the video and was able to create a ClusterIssuer and a Certificate for a given namespace. The certificate is added to the secret and shown in the ingress controller, but the site continues to be served over http by the default ingress.local certificate.
Generally that happens when the certificate doesn’t match the host for the site requested. If the ingress can’t find a certificate, it serves the default. Try re-adding the ingress and checking the certificate request thoroughly.
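The fallback described in the reply above, modelled as an added example (not part of the original thread or of any project's code): for each host in an Ingress, it reports why the controller would not find a matching certificate. The manifest, secret names and hostnames are constructed, and the matching rules are a simplified assumption of how the ingress controller picks a certificate.

```python
"""Added example: list Ingress hosts that would be served the default certificate."""

def san_matches(san: str, host: str) -> bool:
    """True if a DNS name covers host; a wildcard covers exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def hosts_served_default(ingress: dict, cert_sans: dict) -> dict:
    """Map each rule host to the reason it would fall back to the default cert.

    cert_sans maps a TLS secret name to the DNS names in its certificate
    (as read from the issued certificate; supplied by the caller here).
    """
    problems = {}
    spec = ingress.get("spec", {})
    tls_entries = spec.get("tls", [])
    for rule in spec.get("rules", []):
        host = rule.get("host", "")
        entries = [t for t in tls_entries
                   if any(san_matches(h, host) for h in t.get("hosts", []))]
        if not entries:
            problems[host] = "no spec.tls entry lists this host"
            continue
        secret = entries[0].get("secretName", "")
        sans = cert_sans.get(secret)
        if sans is None:
            problems[host] = f"secret {secret!r} not found"
        elif not any(san_matches(s, host) for s in sans):
            problems[host] = f"certificate in {secret!r} does not cover this host"
    return problems

# Constructed sample data (hypothetical hosts and secret names).
SAMPLE_INGRESS = {"spec": {
    "rules": [{"host": "app.example.com"}, {"host": "www.example.com"},
              {"host": "api.example.com"}],
    "tls": [{"hosts": ["app.example.com"], "secretName": "app-tls"},
            {"hosts": ["www.example.com"], "secretName": "www-tls"}],
}}
SAMPLE_CERT_SANS = {"app-tls": ["app.example.com"], "www-tls": ["example.com"]}

if __name__ == "__main__":
    for host, reason in hosts_served_default(SAMPLE_INGRESS, SAMPLE_CERT_SANS).items():
        print(f"{host}: {reason}")
```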
@dhawton, just another massive thanks for your video. I’m new to rancher and k8s, and was totally overwhelmed trying to get this working until I came across this thread. Thanks so much for going over everything in such detail (especially things like pointing out that cert-manager certs look “broken” in rancher). I now understand really well how all these different parts work and really want to thank you for all the time and thought you put into the video.
Also, in case it helps others, for whatever reason, when editing my ingress, in the “SSL” section, it always said “No certificates”. But when creating a new ingress, the certificate I’d created showed up… so I just deleted the old ingress, created a new one, and everything works perfectly (yay, my PWA finally has offline support :)).
Now that the manual creation of a certificate is working for me as well, with help from @dhawton’s video, I tried to get automated annotation-based creation of the certificates working. But there I ran into several problems. I tried with the helm-stable cert-manager and now also with the cert-manager available in rancher-library.
My status is that I either get information that the ingress will not be processed by cert-manager because it doesn’t have the necessary annotations, or that cert-manager cannot find the “” issuer.