Kubernetes Nginx – Using Cert Manager and LetsEncrypt Without Wildcards in Domain Names

Tags: cert-manager, kubeadm, kubernetes, lets-encrypt, nginx

I have a self-hosted Kubernetes cluster with an Nginx Ingress. Cert-manager is also running on the cluster, with which I try to get valid SSL certificates using Let's Encrypt. It all works and I get a valid certificate for example.com, www.example.com or app1.example.com, but not for a general wildcard *.example.com. If I try in any way to enter a wildcard in my ingress under spec.tls.hosts, no certificate is generated for me.
I get the following output for

kubectl get certificate

NAME              READY   SECRET            AGE
tls-test-cert     False   tls-electi-cert   20h

kubectl get CertificateRequest

NAME                    APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-test-cert-8jw75     True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   18m

kubectl describe CertificateRequest

[...]
Status:
  Conditions:
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From          Message
  ----    ------           ----  ----          -------
  Normal  cert-manager.io  18m   cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     18m   cert-manager  Created Order resource gateway/tls-test-cert-8jw75-1425588341
  Normal  OrderPending     18m   cert-manager  Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""

My Nginx Ingress: (I swapped my domain to example.com for this post)

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-management
  namespace: gateway
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
  - secretName: tls-test-cert
    hosts:
      - example.com
      - '*.example.com'
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
    - host: '*.example.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80

Issuer: (I've redacted my email here)

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: *******
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

My reverse proxy (test-gateway) definitely works and forwards all subdomains to my website.
Thanks in advance for any ideas as to what might be causing this.

Best Answer

Thanks for the help, I was able to solve my problem:

Basically, I had to find a new approach because no wildcard certificate can be issued with http01 (see here: https://cert-manager.io/docs/configuration/acme/). After a little research I came to the conclusion that it makes the most sense to use a dns01 solver. Documentation can be found here: https://cert-manager.io/docs/configuration/acme/dns01/

Since the configuration of the dns01 depends heavily on your DNS provider, I will not publish my solution here, but a useful configuration can easily be found with the documentation.
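As an added example (not part of the original answer, and not the answerer's own configuration), here is the shape a dns01 setup takes for the wildcard in the question. It assumes the example.com zone is hosted at Cloudflare and uses cert-manager's Cloudflare solver; the Secret name, token key, e-mail address and ClusterIssuer name are placeholders, and any other DNS provider needs a different solver stanza from the dns01 documentation linked above.

```yaml
# Added example, not from the original post. Assumes: the DNS zone example.com is
# hosted at Cloudflare, and a zone-scoped API token is stored in a Secret in the
# cert-manager namespace (the namespace a ClusterIssuer reads Secrets from).
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token        # placeholder name
  namespace: cert-manager
type: Opaque
stringData:
  # Placeholder. Scope the token to DNS:Edit on example.com only; cert-manager
  # only needs to create and delete the _acme-challenge TXT records.
  api-token: "<PLACEHOLDER-ZONE-SCOPED-TOKEN>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns     # placeholder name
spec:
  acme:
    # Staging endpoint, as in the question; switch to the production
    # directory once the wildcard order succeeds here.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-dns
    solvers:
      - selector:
          dnsZones:
            - example.com           # only use this solver for this zone
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
---
# Request the wildcard explicitly instead of relying on the Ingress annotation.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-test-cert
  namespace: gateway                # same namespace as the Ingress in the question
spec:
  secretName: tls-test-cert         # the Secret the Ingress spec.tls references
  issuerRef:
    name: letsencrypt-staging-dns
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - "*.example.com"
```

With this in place the Ingress from the question keeps `secretName: tls-test-cert` under `spec.tls` and can drop the `cert-manager.io/cluster-issuer` annotation, since the Certificate resource now drives issuance. While the order is pending, `kubectl describe challenge -n gateway` shows whether the TXT record was created and propagated; once READY is True, `kubectl get secret tls-test-cert -n gateway -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep DNS:` should list both example.com and *.example.com in the Subject Alternative Names.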
