Rancher 2 and Letsencrypt

I’ve finally gotten it to work with annotations and without pre-creating the certificates. It’s pretty awesome. Once I had a working cluster issuer the annotations worked exactly as documented. I don’t mean to make it sound trivial; it took a lot of effort to get http01 validation working with split DNS. I’m on the latest stable v2.2.2 of Rancher. I’ll try to post more details, but in short… I create an ingress in the Rancher GUI with the proper annotations. I select ‘use default ingress controller certificate’. After I save the ingress I go in and manually edit the YAML to add a ‘secretName’ under the tls section. After I save this, cert-manager does the rest of its automagic. I highly recommend following the logs of the cert-manager pod while you are troubleshooting. It should give you good info on what’s happening in the background.

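The two objects the post describes, written out as an added example (not the poster's own manifests and not from the Rancher or cert-manager projects): a ClusterIssuer that does http01 validation through the cluster's ingress controller, and an Ingress carrying the cert-manager annotation plus the `secretName` under `tls` that has to be added by hand after Rancher saves it. The namespace, host name, service name, e-mail address and the `nginx` ingress class are assumed placeholders; the `cert-manager.io/v1` API and the `cert-manager.io/cluster-issuer` annotation are the current names, the comment gives the older ones that cert-manager used around the time of Rancher v2.2.2.

```yaml
# Added example: http01 ClusterIssuer + annotated Ingress for cert-manager.
# Start with the Let's Encrypt staging endpoint while troubleshooting: it has
# far higher rate limits, but its certificates are NOT browser-trusted, so a
# certificate warning is expected until you switch to the production server.
apiVersion: cert-manager.io/v1          # older cert-manager: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # production: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # assumed placeholder address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                  # Rancher's default ingress controller
---
# The Ingress as created in the Rancher GUI, with "use default ingress
# controller certificate" selected and the cert-manager annotation added.
# Rancher leaves tls[].secretName empty; add it by editing the YAML afterwards.
# cert-manager then creates the Certificate, completes the http01 challenge
# (port 80 on the host name must reach this ingress from the internet) and
# stores the issued key pair in that secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp                             # assumed name
  namespace: myapp                        # assumed namespace
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging   # older: certmanager.k8s.io/cluster-issuer
spec:
  tls:
    - hosts:
        - myapp.example.com               # assumed host; must resolve publicly for http01
      secretName: myapp-tls               # the line added manually after saving in Rancher
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp               # assumed service name
                port:
                  number: 80
```

While it is being issued, `kubectl describe certificate myapp-tls -n myapp` and `kubectl get challenges -n myapp` show where a request is stuck, and, as the post suggests, `kubectl logs -n cert-manager deploy/cert-manager -f` shows the validation attempts themselves. With split DNS, the check to make is that the host name resolves to the ingress controller's public address from outside the network, since the ACME server, not the cluster, performs the http01 fetch.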

2stacks, can you walk through a bit more detail? This is not working for us.

I’m still planning to document my steps, just haven’t had time. Is there anything you can tell me about your environment and any errors you see that I can help with until then? Most of the issues I’ve seen are DNS and port 80 reachability related.

Here it is. It’s not pretty and I’ll work to clean up the formatting but if you’re impatient you can follow my steps here.


Hi, very nice :slight_smile: but add:

"I am pretty sure you should be able to use the staging cert without it giving an error in the browser.

This is not true. Staging certificates are not trusted by the browser and therefore you are expected to see the certificate warning."

I’m using duckdns and it supports wildcards like *.my.duckdns.org
Where do I enter it in Rancher?

If you want Let's Encrypt to issue a wildcard certificate you have to use dns01 verification. In Rancher you would add *.my.duckdns.org as a host in the Ingress configuration section. See link below.


Is it possible to repost the video? It looks to be unavailable on YouTube now.

Thanks. D.