Kubernetes certbot standalone not working
First, be aware your `Job` definition is valid, but the `spec.template.metadata.labels.app: certbot-generate` value does not match your `Service` definition's `spec.selector.app: certbot-generator`: one is `certbot-generate`, the second is `certbot-generator`. So the pod run by the job controller is never added as an endpoint to the service. Adjust one or the other, but they have to match, and that might just work :)
Although, I'm not sure using a `Service` with a selector targeting short-lived pods from a `Job` controller would work, nor with a simple `Pod` as you tested. The `certbot-randomId` pod created by the job (or whatever simple pod you create) takes about 15 seconds total to run/fail, and the HTTP validation challenge is triggered after just a few seconds of the pod's life: it's not clear to me that would be enough time for Kubernetes proxying to already be working between the service and the pod.
We can safely assume that the `Service` is actually working because you mentioned that you tested DNS resolution, so you can easily ensure that it's not a timing issue by adding a `sleep 10` (or more!) to give more time for the pod to be added as an endpoint to the service and be proxied appropriately before the HTTP challenge is triggered by certbot. Just change your `Job` command and args to these:

```yaml
command: ["/bin/sh"]
args: ["-c", "sleep 10 && certbot certonly --noninteractive --agree-tos --staging --standalone -d staging.ishankhare.com -m me@ishankhare.com"]
```

And here too, that might just work :)
That being said, I'd warmly recommend you use cert-manager, which you can install easily through its stable Helm chart: the `Certificate` custom resource that it introduces will store your certificate in a `Secret`, which will make it straightforward to reuse from whatever K8s resource, and it takes care of renewal automatically so you can just forget about it all.
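As an added example (not part of the question or the answer above, and not the asker's actual manifests), the following Python script models the two fixes the answer suggests: it checks whether a `Service`'s `spec.selector` would ever select the pods a `Job`'s pod template creates, using Kubernetes equality-selector semantics (every selector key/value must be present on the pod, extra pod labels are fine), and rewrites the Job so the labels match and certbot is delayed by a `sleep`. The manifests are written as Python dicts mirroring the YAML; the Service name `certbot`, the image `certbot/certbot` and the port numbers are assumptions, while the label values, domain and e-mail are the ones quoted in the answer.

```python
import copy
import json
import shlex
from typing import Any, Dict, List

# Constructed manifests (assumptions, not the asker's real files): the Service
# name, image and ports are made up; the selector/label values, domain and
# e-mail are the ones quoted in the answer.
SERVICE: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "certbot", "namespace": "default"},
    "spec": {
        "selector": {"app": "certbot-generator"},
        "ports": [{"port": 80, "targetPort": 80}],
    },
}

JOB_AS_POSTED: Dict[str, Any] = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "certbot-generate", "namespace": "default"},
    "spec": {
        "template": {
            # "certbot-generate" (no trailing "r"): the mismatch from the question
            "metadata": {"labels": {"app": "certbot-generate"}},
            "spec": {
                "restartPolicy": "Never",
                "containers": [{
                    "name": "certbot",
                    "image": "certbot/certbot",
                    "ports": [{"containerPort": 80}],
                    "command": ["certbot"],
                    "args": ["certonly", "--noninteractive", "--agree-tos", "--staging",
                             "--standalone", "-d", "staging.ishankhare.com",
                             "-m", "me@ishankhare.com"],
                }],
            },
        },
    },
}


def check_service_selects_job(service: Dict[str, Any], job: Dict[str, Any]) -> List[str]:
    """Return the reasons the Job's pods would not become endpoints of the
    Service; an empty list means they will be selected (timing aside)."""
    problems: List[str] = []
    svc_ns = service["metadata"].get("namespace", "default")
    job_ns = job["metadata"].get("namespace", "default")
    if svc_ns != job_ns:
        problems.append(f"namespace mismatch: Service in {svc_ns!r}, Job in {job_ns!r}")
    selector = service["spec"].get("selector") or {}
    labels = job["spec"]["template"]["metadata"].get("labels") or {}
    if not selector:
        problems.append("Service has no selector, so the endpoints controller never adds pods")
    else:
        # Equality selector: every selector key must be on the pod with that exact value.
        for key, wanted in selector.items():
            if labels.get(key) != wanted:
                problems.append(f"selector {key}={wanted!r} does not match pod label {key}={labels.get(key)!r}")
    # certbot --standalone answers the HTTP-01 challenge on port 80 by default.
    for port in service["spec"].get("ports", []):
        target = port.get("targetPort", port["port"])
        if target != 80:
            problems.append(f"targetPort {target!r} but certbot --standalone listens on 80")
    return problems


def fix_job(job: Dict[str, Any], service: Dict[str, Any], sleep_seconds: int = 10) -> Dict[str, Any]:
    """Apply both suggestions from the answer: make the pod template labels
    satisfy the Service selector, and delay certbot so the pod has time to be
    registered as an endpoint before the HTTP challenge fires."""
    fixed = copy.deepcopy(job)
    fixed["spec"]["template"]["metadata"].setdefault("labels", {}).update(service["spec"]["selector"])
    container = fixed["spec"]["template"]["spec"]["containers"][0]
    certbot_cmd = shlex.join(container.get("command", []) + container.get("args", []))
    container["command"] = ["/bin/sh"]
    container["args"] = ["-c", f"sleep {sleep_seconds} && {certbot_cmd}"]
    return fixed


if __name__ == "__main__":
    print("as posted:", check_service_selects_job(SERVICE, JOB_AS_POSTED))
    fixed_job = fix_job(JOB_AS_POSTED, SERVICE)
    print("after fix:", check_service_selects_job(SERVICE, fixed_job))
    print(json.dumps(fixed_job, indent=2))  # kubectl apply -f accepts JSON as well as YAML
```

Running it reports the single `app` label mismatch for the Job as posted and nothing for the fixed Job; the JSON it prints can be fed to `kubectl apply -f -` directly, since the API server accepts JSON manifests as well as YAML. The `sleep` is the quick diagnostic the answer describes, not a robust fix: if it makes the challenge pass, the real problem is the race between pod start-up and endpoint registration, which cert-manager's `Certificate` resource avoids altogether.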