manintheit.org

Issuing Certificate with cert-manager

cert-manager is an X.509 certificate controller for Kubernetes. It issues certificates from a variety of certificate issuers and renews them automatically before they expire, so workloads in a containerized environment never end up serving an expired certificate. Installation instructions are in the cert-manager documentation.

Configuration

Once cert-manager is installed, the first thing to configure is an Issuer or a ClusterIssuer. Both resources represent a certificate authority that can sign certificates in response to a certificate signing request (CSR); the difference is scope: an Issuer can only be referenced by Certificates in its own namespace, while a ClusterIssuer is cluster-scoped and can be referenced from any namespace. In this post the certificates are issued by Let's Encrypt, a non-profit certificate authority run by the Internet Security Research Group that provides domain-validated X.509 certificates at no charge over the ACME protocol.

Two ClusterIssuers will be created in the Kubernetes cluster: one for the Let's Encrypt staging environment and one for production. The staging issuer is used for testing, because the staging environment has much higher rate limits than production. Certificates it issues are signed by a test CA that browsers do not trust, so they are only good for verifying that the solver and the Certificate configuration work before the same configuration is pointed at production.

Create Staging ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  # A ClusterIssuer is cluster-scoped and has no namespace. The ACME account
  # key Secret referenced below is stored in cert-manager's own namespace
  # (the "cluster resource namespace", cert-manager by default).
spec:
  acme:
    # The ACME server URL (Let's Encrypt staging environment)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration and expiry notices
    # (placeholder: replace with your own address)
    email: you@example.com
    # Name of the Secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge solver, served through the Traefik ingress.
    # On cert-manager 1.12 and later, ingressClassName is the preferred field.
    solvers:
    - http01:
        ingress:
          class: traefik # ingress class name

Create Production ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Placeholder: replace with your own address
    email: you@example.com
    # Empty string: accept whichever chain the CA offers by default
    preferredChain: ""
    # A separate ACME account key from the staging issuer
    privateKeySecretRef:
      name: letsencrypt-prod
    # Let's Encrypt production environment
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik # ingress class name

kubectl apply -f issuer-staging.yaml -f issuer-prod.yaml
[tesla@gokicloud ~]$ kubectl get clusterissuers.cert-manager.io
NAME                  READY   AGE
letsencrypt-staging   True    29d
letsencrypt-prod      True    29d

Create Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: manintheit
  namespace: manintheit
spec:
  # Secret (type kubernetes.io/tls) that will hold tls.crt and tls.key,
  # created in the same namespace as this Certificate
  secretName: manintheit-tls
  # Requested lifetime (90 days). Let's Encrypt issues 90-day certificates
  # regardless of this value; it only matters for issuers that honour it.
  duration: 2160h
  # Renew 15 days before expiry. cert-manager's default is one third of the
  # lifetime (30 days here), which is also what Let's Encrypt recommends.
  renewBefore: 360h
  subject:
    organizations:
      - manintheit   # Let's Encrypt drops this; only the CN and SANs survive (see the issued cert below)
  isCA: false
  privateKey:
    algorithm: ECDSA  # P-256 key. The default rotationPolicy (Never) reuses the key on renewal;
    size: 256         # set rotationPolicy: Always to generate a fresh key each time.
  usages:
    - server auth
    - client auth   # not needed by a web server; can be dropped
  dnsNames:
    - manintheit.org
    - www.manintheit.org
    - archive.manintheit.org
    - ghost-admin-panel.manintheit.org
    - mail.manintheit.org
  issuerRef:
    name: letsencrypt-prod  # use 'letsencrypt-staging' until the setup is verified
    kind: ClusterIssuer
    group: cert-manager.io

Note: Use the staging ClusterIssuer first and switch issuerRef to letsencrypt-prod only once the staging certificate has been issued successfully. Otherwise a mistake in the Certificate or solver configuration (for example an HTTP-01 path that is not reachable from the internet) can exhaust Let's Encrypt's production rate limits, in particular the failed-validation limit and the limit on duplicate certificates, and block issuance for the affected names for hours or days.

kubectl apply -f manintheit-certificate.yaml
[tesla@gokicloud ~]$ kubectl get certificate
NAME         READY   SECRET           AGE
manintheit   True    manintheit-tls   25d

Note: the HTTP-01 challenge was used because it is simpler to set up than DNS-01. cert-manager creates a temporary Ingress that serves the challenge token at http://<domain>/.well-known/acme-challenge/<token>, so every name in dnsNames must resolve to the cluster's ingress and port 80 must be reachable from the internet. DNS-01 is required for wildcard names.

kubectl describe certificaterequests.cert-manager.io

...(omitted)
Status:
  Conditions:
    Last Transition Time:  2022-12-26T19:24:58Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-12-26T19:24:59Z
    Message:               Waiting on certificate issuance from order manintheit/manintheit-bhr9s-828122143: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From                                          Message
  ----    ------           ----  ----                                          -------
  Normal  cert-manager.io  107s  cert-manager-certificaterequests-approver     Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     107s  cert-manager-certificaterequests-issuer-acme  Created Order resource manintheit/manintheit-bhr9s-828122143
  Normal  OrderPending     107s  cert-manager-certificaterequests-issuer-acme  Waiting on certificate issuance from order manintheit/manintheit-bhr9s-828122143: ""

kubectl describe orders


...(omitted)
Events:
  Type    Reason    Age   From                 Message
  ----    ------    ----  ----                 -------
  Normal  Created   26s   cert-manager-orders  Created Challenge resource "manintheit-5wstw-828122143-4061762707" for domain "mail.manintheit.org"
  Normal  Complete  1s    cert-manager-orders  Order completed successfully

When the order completes, cert-manager stores the signed certificate and the private key in the Secret named by secretName (keys tls.crt and tls.key), in the namespace of the Certificate resource:

[tesla@gokicloud ~]$ kubectl get secret manintheit-tls
NAME             TYPE                DATA   AGE
manintheit-tls   kubernetes.io/tls   2      25d

Experiment: inspect the issued certificate by decoding tls.crt from the Secret.

[tesla@gokicloud ~]$ kubectl get secrets manintheit-tls -o jsonpath='{.data.tls\.crt}' | base64 -d - | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:d9:53:42:25:c6:83:74:e5:81:56:40:4e:e3:a9:0a:92:90
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Dec 26 19:17:22 2022 GMT
            Not After : Mar 26 19:17:21 2023 GMT
        Subject: CN=manintheit.org
...(omitted)
            X509v3 Subject Alternative Name:
                DNS:archive.manintheit.org, DNS:ghost-admin-panel.manintheit.org, DNS:mail.manintheit.org, DNS:manintheit.org, DNS:www.manintheit.org
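The manual inspection above can be turned into a repeatable check that the issued certificate really matches the Certificate spec: the SAN set equals dnsNames, the key is the ECDSA P-256 key requested under privateKey, the remaining lifetime is still outside the renewBefore window, and the issuer is not the staging CA before the certificate is put in front of users (the Let's Encrypt staging CA carries "(STAGING)" in its organization name). The script below is an added example and is not part of the original post or of cert-manager. It assumes openssl is installed and that tls.crt has been written to a file (the kubectl/base64 pipeline above does that); the certificates it generates for the demonstration are self-signed stand-ins constructed here, not real Let's Encrypt certificates.

```bash
#!/bin/sh
# Added example (not from the original post): verify an issued certificate
# against the Certificate resource. Extract the PEM first, for example:
#   kubectl get secret manintheit-tls -n manintheit \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt

# DNS names from the Subject Alternative Name extension, one per line, sorted.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
    | sort
}

# Succeeds if the issuer is the Let's Encrypt staging CA ("(STAGING)" in O).
is_staging_cert() {
  openssl x509 -in "$1" -noout -issuer | grep -q 'STAGING'
}

# check_cert <cert.pem> "<expected dns names>" <renewBefore in hours>
# Returns 0 when SANs, key type and remaining lifetime match the spec;
# otherwise reports each problem on stderr and returns 1.
check_cert() {
  pem=$1; expected=$2; renew_hours=$3; rc=0

  want=$(printf '%s\n' $expected | sort)   # word-splitting is intended
  have=$(cert_sans "$pem")
  if [ "$want" != "$have" ]; then
    printf 'SAN mismatch\n  wanted: %s\n  got:    %s\n' \
      "$(echo $want)" "$(echo $have)" >&2
    rc=1
  fi

  # privateKey.algorithm: ECDSA, size: 256 -> id-ecPublicKey on prime256v1
  if ! openssl x509 -in "$pem" -noout -text | grep -q 'ASN1 OID: prime256v1'; then
    echo 'key is not ECDSA P-256' >&2
    rc=1
  fi

  # -checkend succeeds only if the cert stays valid for at least N seconds;
  # inside the renewBefore window cert-manager should already be renewing.
  if ! openssl x509 -in "$pem" -noout -checkend $((renew_hours * 3600)) >/dev/null; then
    echo "certificate expires within ${renew_hours}h" >&2
    rc=1
  fi
  return $rc
}

# Constructed sample: a self-signed certificate standing in for an issued one.
# make_sample_cert <out.pem> "<issuer O>" <curve> "<SAN list>"
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$3" -nodes \
    -keyout "${1%.pem}-key.pem" -out "$1" -days 90 \
    -subj "/O=$2/CN=manintheit.org" -addext "subjectAltName=$4" >/dev/null 2>&1
}

# The dnsNames from the Certificate resource above.
EXPECTED='manintheit.org www.manintheit.org archive.manintheit.org ghost-admin-panel.manintheit.org mail.manintheit.org'
SANS='DNS:manintheit.org,DNS:www.manintheit.org,DNS:archive.manintheit.org,DNS:ghost-admin-panel.manintheit.org,DNS:mail.manintheit.org'

demo() {
  d=$(mktemp -d)
  make_sample_cert "$d/prod.pem" "Let's Encrypt" prime256v1 "$SANS"
  if check_cert "$d/prod.pem" "$EXPECTED" 360 && ! is_staging_cert "$d/prod.pem"; then
    echo "prod.pem: OK"
  else
    echo "prod.pem: FAILED"
  fi
  rm -rf "$d"
}

demo
```

Run `check_cert tls.crt "$EXPECTED" 360` against the real tls.crt after each renewal, and `is_staging_cert tls.crt` once after switching issuerRef from letsencrypt-staging to letsencrypt-prod: a forgotten issuerRef is the most common reason a "Ready" certificate still fails in browsers.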

