I installed cert-manager with kubectl:

```
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
```
I successfully obtained my resources:

```
my_user@vps-b123456:~$ k get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS      AGE
pod/cert-manager-5fcfc99f7-mrjrn               1/1     Running   1 (17h ago)   25h
pod/cert-manager-cainjector-75cfc9f6b7-ntwd4   1/1     Running   3 (17h ago)   25h
pod/cert-manager-webhook-74b65dbf6f-kzp7w      1/1     Running   0             4h39m
pod/curl-deployment-6f95856b88-9cln2           1/1     Running   0             96s

NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.101.200.103   <none>        9402/TCP   25h
service/cert-manager-webhook   ClusterIP   10.99.166.135    <none>        443/TCP    25h

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           25h
deployment.apps/cert-manager-cainjector   1/1     1            1           25h
deployment.apps/cert-manager-webhook      1/1     1            1           25h
deployment.apps/curl-deployment           1/1     1            1           3h24m

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-5fcfc99f7               1         1         1       25h
replicaset.apps/cert-manager-cainjector-75cfc9f6b7   1         1         1       25h
replicaset.apps/cert-manager-webhook-74b65dbf6f      1         1         1       25h
replicaset.apps/curl-deployment-6f95856b88           1         1         1       3h24m
```
However, when I create a ClusterIssuer with a certificate, it seems that the ClusterIssuer registration with ACME is not working.
```
my_user@vps-b123456:~$ k logs cert-manager-5fcfc99f7-mrjrn -n cert-manager
...
I0605 21:25:21.806374 1 setup.go:225] "ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" logger="cert-manager.clusterissuers" resource_name="letsencrypt-prod" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-prod-secret-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
E0605 21:25:21.842707 1 setup.go:265] "failed to register an ACME account" err="Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: connect: connection refused" logger="cert-manager.clusterissuers" resource_name="letsencrypt-prod" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-prod-secret-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
E0605 21:25:21.842746 1 sync.go:62] "error setting up issuer" err="Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: connect: connection refused" logger="cert-manager.clusterissuers" resource_name="letsencrypt-prod" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1"
E0605 21:25:21.842806 1 controller.go:167] "re-queuing item due to error processing" err="Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: connect: connection refused" logger="cert-manager.clusterissuers" key="letsencrypt-prod"
```
At the bottom of the describe output, I see that the connection was refused with ACME.
```
my_user@vps-b123456:~/k8s/ingress$ k get clusterissuer -n stratonation
NAME               READY   AGE
letsencrypt-prod   False   4h19m

my_user@vps-b123456:~/k8s/ingress$ k describe clusterissuer letsencrypt-prod -n stratonation
Name:         letsencrypt-prod
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2024-06-05T17:12:30Z
  Generation:          1
  Resource Version:    160637
  UID:                 d8338116-ba4c-4f38-a8c8-e0ab6fc23d17
Spec:
  Acme:
    Email:  [email protected]
    Private Key Secret Ref:
      Name:  letsencrypt-prod-secret-key
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
  Conditions:
    Last Transition Time:  2024-06-05T17:13:00Z
    Message:               Failed to register ACME account: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused
    Observed Generation:   1
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age                   From                         Message
  ----     ------         ----                  ----                         -------
  Warning  ErrInitIssuer  103s (x26 over 121m)  cert-manager-clusterissuers  Error initializing issuer: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused
```
I have all traffic open for my tests.
```
my_user@vps-b123456:~/k8s/ingress$ sudo iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target         prot opt source    destination
1    cali-INPUT     all  --  anywhere  anywhere     /* cali:Cz_u1IQiXIMmKD4c */
2    ACCEPT         tcp  --  anywhere  anywhere     tcp dpt:https
3    KUBE-FIREWALL  all  --  anywhere  anywhere

Chain FORWARD (policy ACCEPT)
num  target        prot opt source    destination
1    cali-FORWARD  all  --  anywhere  anywhere     /* cali:wUHhoiAYhphO9Mso */
2    FLANNEL-FWD   all  --  anywhere  anywhere     /* flanneld forward */
3    ACCEPT        all  --  anywhere  anywhere     /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
4    MARK          all  --  anywhere  anywhere     /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000

Chain OUTPUT (policy ACCEPT)
num  target         prot opt source    destination
1    cali-OUTPUT    all  --  anywhere  anywhere     /* cali:tVnHkvAo15HuiPy0 */
2    KUBE-FIREWALL  all  --  anywhere  anywhere
```
I have nothing interesting in the CoreDNS logs:

```
my_user@vps-b123456:~/k8s/ingress$ k logs coredns-7c959b8749-wds6f -n kube-system
.:53
[INFO] plugin/reload: Running configuration SHA512 = 1738324c9bbcf1f65e6f15ff89dc70b4233e041641c7505b9e8b59c06e2693b4ec8076bc45bb8eb5bb2486f97476db226b7ffd55fead273980ea10a477458357
CoreDNS-1.10.0
linux/amd64, go1.19.1, 596a9f9
```
Here is my ClusterIssuer:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: stratonation
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod-secret-key
    solvers:
      - http01:
          ingress:
            class: nginx
```
And my Certificate:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: stratonation
spec:
  secretName: letsencrypt-prod
  duration: 2160h # 90 days
  renewBefore: 720h # 30 days
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: exemple.com
  dnsNames:
    - exemple.com
  privateKey:
    algorithm: RSA
    size: 2048
```
Do you have any idea?
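The error in the question is a plain TCP "connection refused" on the real Let's Encrypt address, so the useful next step is to reproduce the same fetch from a pod in the cert-manager namespace and from the node, and to list the policies that can shape pod egress. The script below is an added diagnostic helper written for this question; it is not code from the post, from cert-manager or from Calico. It assumes `kubectl` access to the cluster, that the public `curlimages/curl` image can be pulled, and that cert-manager runs in the `cert-manager` namespace. The only cluster change it makes is a short-lived one-shot pod that is deleted when it exits; the sample error text is copied from the log lines above.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumptions: kubectl
# access, the curlimages/curl image is pullable, cert-manager lives in the
# cert-manager namespace.

# Classify the dial error carried by cert-manager's log line / the ClusterIssuer
# Ready condition. The class drives triage: "refused" means a TCP RST came back
# (something on the path actively rejects), "timeout" means packets are silently
# dropped, "dns" means the name never resolved, "tls" means the TCP path works
# but the handshake fails (typical of an intercepting proxy).
classify_dial_error() {
  case "$1" in
    *"connection refused"*)                  echo "refused" ;;
    *"i/o timeout"*|*"timed out"*)           echo "timeout" ;;
    *"no such host"*|*"server misbehaving"*) echo "dns" ;;
    *"x509"*|*"tls:"*)                       echo "tls" ;;
    *)                                       echo "unknown" ;;
  esac
}

# Extract the ip:port cert-manager actually dialled, so the checks below can be
# compared against the same target.
dial_target() {
  printf '%s\n' "$1" | sed -n 's/.*dial tcp \([0-9.]*:[0-9]*\).*/\1/p'
}

# Repeat the fetch from a pod in the cert-manager namespace, so the same CNI and
# NetworkPolicy rules apply as for the cert-manager pod. Prints the IP curl
# connected to and the HTTP status; a refused connection here confirms the
# problem is cluster or host egress, not cert-manager itself.
acme_egress_check() {
  ns="${1:-cert-manager}"
  url="${2:-https://acme-v02.api.letsencrypt.org/directory}"
  kubectl run acme-egress-check --rm -i --restart=Never -n "$ns" \
    --image=curlimages/curl --command -- \
    curl -sS --max-time 15 -o /dev/null -w '%{remote_ip} %{http_code}\n' "$url"
}

# Same fetch from the node. If the node succeeds while the pod is refused, the
# CNI egress path (Calico chains, NAT table, any egress proxy) is the place to look.
node_egress_check() {
  url="${1:-https://acme-v02.api.letsencrypt.org/directory}"
  curl -sS --max-time 15 -o /dev/null -w '%{remote_ip} %{http_code}\n' "$url"
}

# Enumerate objects that can block pod egress: Kubernetes NetworkPolicy in every
# namespace, plus Calico's own policy CRDs when installed (the cali-* chains in
# the iptables listing show Calico is present on this node).
list_egress_policies() {
  kubectl get networkpolicy -A 2>/dev/null
  kubectl get globalnetworkpolicies.crd.projectcalico.org 2>/dev/null
  kubectl get networkpolicies.crd.projectcalico.org -A 2>/dev/null
}

# Error text copied from the question's cert-manager log, used as sample input.
SAMPLE_ERR='Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused'

# Live checks run only when asked for explicitly, so sourcing the file has no
# side effects.
if [ "${1:-}" = "run" ]; then
  echo "error class: $(classify_dial_error "$SAMPLE_ERR")  target: $(dial_target "$SAMPLE_ERR")"
  echo "--- from a pod in the cert-manager namespace"; acme_egress_check
  echo "--- from the node";                            node_egress_check
  echo "--- egress policies";                          list_egress_policies
fi
```

Run it as `sh acme-egress-check.sh run` on the node. Two things worth keeping in mind when reading the results: `iptables -L` without `-t` shows only the filter table's top-level chains, so `iptables -S cali-OUTPUT`, `iptables -S cali-FORWARD` and `iptables -t nat -S` show the rules Calico and kube-proxy actually inserted; and a "refused" class on the genuine Let's Encrypt IP means something answered with a RST, which is a different hunt (a REJECT rule, a proxy, or the provider's edge) from the silent DROP a timeout would indicate.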