mirror of
https://github.com/grindsa/acme2certifier.git
synced 2025-12-31 01:51:01 +02:00
grindsa edited this page 2025-06-27 15:44:18 +00:00
# Using cert-manager to enroll certificate in Kubernetes environments
I do not really have a full Kubernetes environment. Thus, I was using https://microk8s.io/ for testing.
## Prerequisites

- cert-manager must be installed; see the cert-manager installation instructions for further information. (I was installing with the regular manifest but changed to Helm to ensure that I always use the latest version.)
## Issuer configuration

The steps below are based on instructions taken from the cert-manager documentation. cert-manager can run as an `Issuer` or a `ClusterIssuer` resource. The configuration example below uses an `Issuer` resource; a `ClusterIssuer` configuration is part of the release regression tests, which cover both http-01 and dns-01 challenge validation.
- Create an issuer configuration file as below:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-acme
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: acme2certifier
  namespace: cert-manager-acme
spec:
  acme:
    email: foo@bar.local
    server: http://192.168.14.1/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-cert
  namespace: cert-manager-acme
spec:
  secretName: k8-acme-secret
  issuerRef:
    name: acme2certifier
  dnsNames:
  - k8-acme.bar.local
  # optional but recommended to avoid reenrollment loops in case of short certificate lifetimes
  renewBefore: 48h
```
- Apply the configuration. Certificate enrollment should start immediately:

```shell
grindsa@ub-20:~$ microk8s.kubectl apply -f acme2certifier.yaml
```
- The enrollment status can be checked via `microk8s.kubectl describe certificate -n cert-manager-acme`:

```text
grindsa@ub-20:~$ microk8s.kubectl describe certificate -n cert-manager-acme
Name:         acme-cert
Namespace:    cert-manager-acme
Labels:       <none>
Annotations:  API Version:  cert-manager.io/v1alpha3
Kind:         Certificate
...
Spec:
  Dns Names:
    k8-acme.bar.local
  Issuer Ref:
    Name:  acme2certifier
  Secret Name:  acme2certifier-secret
Status:
  Conditions:
    Last Transition Time:  2020-06-28T07:36:05Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2021-06-28T07:35:53Z
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  60s   cert-manager  Generated a new private key
  Normal  Requested     60s   cert-manager  Created new CertificateRequest resource "acme-cert-3129588559"
  Normal  Issued        58s   cert-manager  Certificate issued successfully
```
- The certificate details can be checked by using the command `microk8s.kubectl get certificate acme-cert -o yaml -n cert-manager-acme`.
- You can check the private key with `microk8s.kubectl get secret acme-cert-key -o yaml -n cert-manager-acme`. You should see a base64 encoded key in the `tls.key` field.
- Certificate, issuer and namespace can be deleted with `microk8s.kubectl delete -f acme2certifier.yaml`.
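Beyond eyeballing the base64 `tls.key`, a practitioner usually wants to confirm that the secret cert-manager wrote actually fits the `Certificate` spec. The Go program below is an added example (not part of this wiki page, acme2certifier or cert-manager) that checks three things a decoded `tls.crt`/`tls.key` pair should satisfy: the key belongs to the certificate, every requested dnsName is in the SAN list, and `renewBefore` is shorter than the certificate lifetime (the re-enrollment loop the manifest comment warns about). `SelfSignedPEM` is a constructed stand-in for the secret's fields so the check runs offline; the function names and the loop condition are my assumptions, not cert-manager's own scheduling code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckIssuedSecret validates a decoded tls.crt/tls.key pair from the Certificate's secret:
// key matches certificate, every dnsName is in the SAN list, renewBefore is shorter than the lifetime.
func CheckIssuedSecret(tlsCrt, tlsKey []byte, dnsNames []string, renewBefore time.Duration) error {
	pair, err := tls.X509KeyPair(tlsCrt, tlsKey) // fails when the key does not belong to the certificate
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key mismatch: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("tls.crt not parseable: %w", err)
	}
	for _, name := range dnsNames {
		if err := cert.VerifyHostname(name); err != nil {
			return fmt.Errorf("dnsName %q not covered by SAN list %v", name, cert.DNSNames)
		}
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); renewBefore >= lifetime {
		return fmt.Errorf("renewBefore %v is not shorter than certificate lifetime %v", renewBefore, lifetime)
	}
	return nil
}

// SelfSignedPEM is a constructed stand-in for the secret's tls.crt/tls.key so the check runs offline.
func SelfSignedPEM(dnsNames []string, lifetime time.Duration) (crt, key []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames, NotBefore: now, NotAfter: now.Add(lifetime)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	crt, key := SelfSignedPEM([]string{"k8-acme.bar.local"}, 90*24*time.Hour)
	fmt.Println(CheckIssuedSecret(crt, key, []string{"k8-acme.bar.local"}, 48*time.Hour)) // <nil>
}
```

On a live cluster, feed it the output of `kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d` and the same for `tls.key`.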
## Troubleshooting
There are extensive troubleshooting guides at the cert-manager website.
Below is a list of the commands that I found most useful:

- `kubectl get order -n <name-space>` - get the list of orders
- `kubectl describe order -n <name-space> <order>` - display the details of an order
- `kubectl describe challenge -n <name-space>` - show challenges and their provisioning status