I am trying to get ingress with cert-manager v0.16.0 working for Let's Encrypt certs. I use microk8s and have followed a couple of tutorials, but none of them led me to the goal.
With this tutorial I am stuck at creating the Issuer and get an error message when trying to apply it:
```
kc apply -f clusterIssuer.yaml
namespace/cloud unchanged
Error from server (InternalError): error when creating "clusterIssuer.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://certmgr-cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": service "certmgr-cert-manager-webhook" not found
```
The service cannot be found because this is not its name. It tries to find certmgr-cert-manager-webhook, but the service's name is cert-manager-webhook. There is also no DNS alias or anything that would justify that. The deployment which creates cert-manager and the webhook is this:
cert-manager-0.16.0.yaml
If I change the type of the issuer from ClusterIssuer to Issuer I got:
```
kc apply -f clusterIssuer.yaml
namespace/git created
error: unable to recognize "clusterIssuer.yaml": no matches for kind "Issuer" in version "cert-manager.io/v1"
```
Some debugging help would be greatly appreciated.

Some more info, clusterIssuer.yaml:
```yaml
kind: Namespace
apiVersion: v1
metadata:
  name: cloud
---
apiVersion: cert-manager.io/v1beta1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cloud
spec:
  acme:
    # Staging API
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: cloud-account-key-staging
    solvers:
    - http01:
        ingress:
          class: nginx
```
Looks like cert-manager is not properly set up with the CRD. You can try deleting it and setting up cert-manager from the official documentation once: https://cert-manager.io/docs/installation/kubernetes/
You can directly set the latest version; this single YAML contains everything (CRD, deployment, svc):
```
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml
```
Once the YAML is applied you can check the deployment:
```
kubectl get pods -n cert-manager
```
If everything is running fine, you can apply the configuration of the cluster issuer and ingress to get the SSL/TLS certificate, which will get stored in the Kubernetes secret.
Here is a simple and proper example of ClusterIssuer and Ingress YAML (do note you were trying with the staging API https://acme-staging-v02.api.letsencrypt.org/directory; if possible, use the production server address so it works properly with all browsers):
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name
```
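The API server reaches an admission webhook through the `clientConfig.service` reference stored in a MutatingWebhookConfiguration or ValidatingWebhookConfiguration, so the `service "certmgr-cert-manager-webhook" not found` error in the question means one of those objects names a Service that does not exist. The following added example (not part of the original posts or of cert-manager) lists such dangling references; the function name, the sample objects and the configuration names inside them are constructed for illustration.

```python
def dangling_webhook_services(webhook_configs, services):
    """Return (config, webhook, 'namespace/service') for each admission
    webhook whose clientConfig.service names a Service that does not exist."""
    existing = {(s["metadata"]["namespace"], s["metadata"]["name"])
                for s in services.get("items", [])}
    findings = []
    for cfg in webhook_configs.get("items", []):
        for hook in cfg.get("webhooks", []):
            svc = hook.get("clientConfig", {}).get("service")
            if svc is None:  # URL-based webhook: no Service to resolve
                continue
            key = (svc.get("namespace"), svc.get("name"))
            if key not in existing:
                findings.append((cfg["metadata"]["name"], hook["name"],
                                 "%s/%s" % key))
    return findings


def _cfg(name, service_name):
    # Helper that builds a constructed webhook configuration object.
    return {"metadata": {"name": name},
            "webhooks": [{"name": "webhook.cert-manager.io",
                          "clientConfig": {"service": {
                              "namespace": "cert-manager",
                              "name": service_name,
                              "path": "/mutate"}}}]}


# Constructed sample, shaped like the List objects that `kubectl ... -o json`
# returns. The first entry mirrors the service name from the error message.
SAMPLE_WEBHOOKS = {"items": [
    _cfg("certmgr-cert-manager-webhook", "certmgr-cert-manager-webhook"),
    _cfg("cert-manager-webhook", "cert-manager-webhook"),
]}
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "cert-manager", "name": "cert-manager"}},
    {"metadata": {"namespace": "cert-manager", "name": "cert-manager-webhook"}},
]}

if __name__ == "__main__":
    for cfg, hook, target in dangling_webhook_services(SAMPLE_WEBHOOKS,
                                                       SAMPLE_SERVICES):
        print(f"{cfg}: webhook {hook} -> missing Service {target}")
```

On a live cluster, pass in the parsed output of `kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json` and `kubectl get services --all-namespaces -o json` instead of the samples.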