Let's Encrypt kubernetes Ingress Controller issuing Fake Certificate


Maybe this will be helpful for someone experiencing similar issues. As for me, I forgot to specify the hostname in the Ingress YAML file for both the rules and tls sections. After duplicating the hostname, it started responding with a proper certificate.

Example:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-web-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - my.host.com                # <----
    secretName: tls-secret
  rules:
    - host: my.host.com          # <----
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: my-nginx
              servicePort: 80


Sometimes it may happen if you are using the staging URL as the ClusterIssuer URL.

Check the Let's Encrypt URL set in your issuer.yaml or clusterissuer.yaml and change it to the production URL: https://acme-v02.api.letsencrypt.org/directory

I faced the same issue once and changing the url to production url solved it.

Also check that the ingress TLS secrets you are using are right.

The actual cluster issuer should be something like this for production:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: dev-clusterissuer
spec:
  acme:
    email: harsh@example.com
    privateKeySecretRef:
      name: dev-clusterissuer
    server: https://acme-v02.api.letsencrypt.org/directory       # <----check this server URL it is for Prod and use this only
    solvers:
    - http01:
        ingress:
          class: nginx

If you are using server: https://acme-staging-v02.api.letsencrypt.org/directory you will face this issue; better to replace it with server: https://acme-v02.api.letsencrypt.org/directory
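
The two checks described in the answers above (hostname present in both the tls and rules sections, and the issuer pointing at the production ACME URL), written as an added example that is not part of the original answers. It assumes objects shaped like `kubectl get <kind> <name> -o json` output; the function names and sample objects are hypothetical, and hosts are compared as exact strings, so wildcard tls hosts are not expanded.

```python
# Added example: flags the two misconfigurations described in the answers above.
# Input shape is that of `kubectl get ingress/clusterissuer <name> -o json`.
STAGING_URL = "https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION_URL = "https://acme-v02.api.letsencrypt.org/directory"

def check_ingress(ingress):
    """Return findings for hosts that are not present in both tls and rules."""
    spec = ingress.get("spec", {})
    tls_entries = spec.get("tls") or []
    tls_hosts = {h for entry in tls_entries for h in entry.get("hosts") or []}
    rule_hosts = {r["host"] for r in spec.get("rules") or [] if r.get("host")}
    findings = []
    if not tls_entries:
        findings.append("spec.tls is missing")
    for entry in tls_entries:
        if not entry.get("secretName"):
            findings.append("tls entry has no secretName")
        if not entry.get("hosts"):
            findings.append("tls entry has no hosts")
    if not rule_hosts:
        findings.append("no rule sets a host")
    # Exact string comparison (assumption: no wildcard hosts in use).
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"rule host {host} is not listed under spec.tls[].hosts")
    for host in sorted(tls_hosts - rule_hosts):
        findings.append(f"tls host {host} has no matching rule host")
    return findings

def check_issuer(issuer):
    """Return findings when the ACME server is not the production directory."""
    server = issuer.get("spec", {}).get("acme", {}).get("server")
    if server == STAGING_URL:
        return ["ACME server is the staging directory; its certificates are not browser-trusted"]
    if server != PRODUCTION_URL:
        return [f"ACME server is {server!r}, not the production directory"]
    return []

# Constructed sample objects (hypothetical, modelled on the manifests above).
BROKEN_INGRESS = {"spec": {
    "tls": [{"secretName": "tls-secret"}],                  # hosts forgotten
    "rules": [{"host": "my.host.com", "http": {"paths": []}}]}}
FIXED_INGRESS = {"spec": {
    "tls": [{"hosts": ["my.host.com"], "secretName": "tls-secret"}],
    "rules": [{"host": "my.host.com", "http": {"paths": []}}]}}
STAGING_ISSUER = {"spec": {"acme": {"server": STAGING_URL}}}

if __name__ == "__main__":
    for name, obj, check in [("broken ingress", BROKEN_INGRESS, check_ingress),
                             ("fixed ingress", FIXED_INGRESS, check_ingress),
                             ("staging issuer", STAGING_ISSUER, check_issuer)]:
        print(name, "->", check(obj) or "ok")
```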


Important to note that the ClusterIssuer spec for solvers changed. For people using cert-manager>0.7.2, this comment saved me so much time: https://github.com/jetstack/cert-manager/issues/1650#issuecomment-518953464. Especially on how to configure the ClusterIssuer and Certificate.