https://github.com/jetstack/cert-manager
Automatic SSL certificates generated for your Kubernetes ingresses.
Cert Manager is awesome - except when you're stuck on the config or debugging why you're not getting certificates.
Free certs provided by LetsEncrypt CA integration.
ACME - Automated Certificate Management Environment.
HariSekhon/Kubernetes-configs - cert-manager
If using DNS integration you'll need a secret or a service account for Cert Manager to create the ACME challenge DNS records.
See the specific DNS configuration either in the configs above or the official docs.
eg for Cloudflare:
kubectl create secret generic cloudflare-api-token --from-literal=cloudflare-api-token="$CLOUDFLARE_TOKEN"This secret must match the the specific DNS provider's Issuer / ClusterIssuer config to source it.
If you're not getting your SSL cert or having cert warning in your browser, check Cert Manager logs:
kubectl logs -f -n cert-manager deploy/cert-managerIf you see an error like this:
E0229 18:07:30.022849 1 sync.go:126] "Failed to determine the list of Challenge resources needed for the Order" err="no configured challenge solvers can be used for this challenge" logger="cert-manager.orders" resource_name="jenkins-tls-1-2062037248" resource_namespace="jenkins" resource_kind="Order" resource_version="v1"
Start debugging the cert manager objects:
kubectl api-resources | grep certkubectl get certificaterequests -n "$NAMESPACE"output:
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
jenkins-tls-1 True False letsencrypt system:serviceaccount:cert-manager:cert-manager 1d
Get more info:
kubectl describe certificaterequests -n "$NAMESPACE"The second Message line says it's pending on the order:
Status:
Conditions:
Last Transition Time: 2024-02-26T17:54:50Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2024-02-26T17:54:50Z
Message: Waiting on certificate issuance from order jenkins/jenkins-tls-1-2062037248: "pending"
Reason: Pending
Status: False
Type: Ready
Events: <none>
Investigate the order:
kubectl get orders -n "$NAMESPACE"and you see it is stuck in pending:
NAME STATE AGE
jenkins-tls-1-2062037248 pending 1d
you can tab-complete this annoying name if you've included kubectl autocomplete (done automatically in DevOps-Bash-tools environment):
kubectl describe orders -n "$NAMESPACE" jenkins-tls-1-2062037248output:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Solver 40m (x3 over 15h) cert-manager-orders Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge
Warning Solver 30m cert-manager-orders Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge
Commenting out this section in the ClusterIssuer enabled it to work:
#selector:
# dnsNames:
# - domain.co.uk
# - domain.comEven though these match and have been used before. Possible bug as I've done exactly this before in production for years and it worked.
I triple checked the domain names and tried with different domains, same result.