Let's Encrypt Kubernetes Ingress Controller issuing Fake Certificate
Maybe this would be helpful for someone experiencing similar issues. As for me, I forgot to specify the hostname in the Ingress YAML file for both the rules and tls sections. After duplicating the hostname, it started responding with a proper certificate.
Example:

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: test-web-ingress
      annotations:
        kubernetes.io/ingress.class: nginx
    spec:
      tls:
      - hosts:
        - my.host.com # <----
        secretName: tls-secret
      rules:
      - host: my.host.com # <----
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: my-nginx
              servicePort: 80

Sometimes it may happen if you are using the staging URL as the ClusterIssuer URL.
Check the Let's Encrypt URL set in your issuer.yaml or clusterissuer.yaml and change it to the production URL: https://acme-v02.api.letsencrypt.org/directory
I faced the same issue once, and changing the URL to the production URL solved it.
Also check that the ingress TLS secrets you are using are right.
The actual cluster issuer for production should be something like this:

    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: dev-clusterissuer
    spec:
      acme:
        email: harsh@example.com
        privateKeySecretRef:
          name: dev-clusterissuer
        server: https://acme-v02.api.letsencrypt.org/directory # <---- check this server URL; it is for Prod, use this only
        solvers:
        - http01:
            ingress:
              class: nginx

If you are using server: https://acme-staging-v02.api.letsencrypt.org/directory you will face this issue; better to replace it with server: https://acme-v02.api.letsencrypt.org/directory
It is important to note that the ClusterIssuer spec for solvers changed. For people using cert-manager>0.7.2, this comment saved me so much time: https://github.com/jetstack/cert-manager/issues/1650#issuecomment-518953464. Especially on how to configure the ClusterIssuer and Certificate.
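
A check for the two misconfigurations described in the answers above (hostname missing from the Ingress rules or tls sections, and an issuer pointing at the staging URL), added here as an example and not code from any of the posters or from cert-manager. It audits objects shaped like the items of `kubectl get ingress,clusterissuer -A -o json`; the function names and sample objects are constructed, and matching a `*.` entry against exactly one leading label is an assumption.

```python
# Added example: flags Ingress host gaps and staging ACME issuers in parsed JSON objects.
STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"

def covered(host, tls_hosts):
    """True if host is listed in tls.hosts, exactly or via a one-label wildcard."""
    if host in tls_hosts:
        return True
    _, _, parent = host.partition(".")
    return bool(parent) and "*." + parent in tls_hosts

def audit(items):
    """Return sorted (kind/name, finding) pairs for the two misconfigurations."""
    findings = []
    for obj in items:
        kind = obj.get("kind", "")
        ref = kind + "/" + obj.get("metadata", {}).get("name", "?")
        spec = obj.get("spec", {})
        if kind == "Ingress":
            tls_hosts = set()
            for entry in spec.get("tls") or []:
                if not entry.get("hosts"):
                    findings.append((ref, "tls entry has no hosts"))
                tls_hosts.update(entry.get("hosts") or [])
            for rule in spec.get("rules") or []:
                host = rule.get("host")
                if not host:
                    findings.append((ref, "rule has no host"))
                elif not covered(host, tls_hosts):
                    findings.append((ref, "rule host %s missing from tls.hosts" % host))
        elif kind in ("Issuer", "ClusterIssuer"):
            server = (spec.get("acme") or {}).get("server", "")
            if server == STAGING_ACME:
                findings.append((ref, "ACME server is the staging URL"))
    return sorted(findings)

# Constructed sample objects (not taken from a real cluster).
SAMPLE = [
    {"kind": "Ingress", "metadata": {"name": "no-hosts"},
     "spec": {"tls": [{"secretName": "tls-secret"}], "rules": [{"http": {}}]}},
    {"kind": "Ingress", "metadata": {"name": "test-web-ingress"},
     "spec": {"tls": [{"hosts": ["my.host.com"], "secretName": "tls-secret"}],
              "rules": [{"host": "my.host.com"}]}},
    {"kind": "Ingress", "metadata": {"name": "wildcard"},
     "spec": {"tls": [{"hosts": ["*.host.com"]}],
              "rules": [{"host": "a.host.com"}, {"host": "a.b.host.com"}]}},
    {"kind": "ClusterIssuer", "metadata": {"name": "dev-clusterissuer"},
     "spec": {"acme": {"server": STAGING_ACME}}},
]

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE):
        print(ref, "-", finding)
```

To run it against a cluster, load the command's JSON output with `json.load` and pass its `items` list to `audit`.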