
Express js example not working with letsencrypt

Open danielschlegel opened this issue 3 years ago • 1 comments

What I have done, following the guide here: https://www.civo.com/learn/get-a-tls-certificate-for-your-application-with-jetstack-s-cert-manager

cd /tmp
git clone https://github.com/alexellis/expressjs-k8s
cd expressjs-k8s
kubectl apply -f ./yaml/dep.yaml
kubectl apply -f ./yaml/svc.yaml

echo "apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: expressjs
  annotations:
    kubernetes.io/tls-acme: \"true\"
    cert-manager.io/issuer: letsencrypt-pro
    kubernetes.io/ingress.class: \"traefik\"
spec:
  tls:
  - hosts:
    - expressjs.example.com
    secretName: expressjs-secret
  rules:
  - host: expressjs.example.com
    http:
      paths:
      - backend:
          service:
            name: expressjs
            port:
              number: 8080
        path: /
        pathType: Prefix" > /tmp/expressjs-k8s/ingress.yml


kubectl apply -f /tmp/expressjs-k8s/ingress.yml

example.com is replaced on my local machine. Cert-manager is installed and the letsencrypt-pro issuer does exist on my cluster as a ClusterIssuer.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-pro"},"spec":{"acme":{"email":"[email protected]","privateKeySecretRef":{"name":"letsencrypt-pro"},"server":"https://acme-v02.api.letsencrypt.org/directory","solvers":[{"http01":{"ingress":{"class":"traefik"}},"selector":{}}]}}}
  creationTimestamp: "2021-07-09T06:47:05Z"
  generation: 1
  name: letsencrypt-pro
  resourceVersion: "1012"
  uid: b93d1b59-f21b-4183-b6e8-f6386993ae0d
spec:
  acme:
    email: [email protected]
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-pro
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik
      selector: {}
status:
  acme:
    lastRegisteredEmail: [email protected]
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/129907932
  conditions:
  - lastTransitionTime: "2021-07-09T06:47:07Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready

I would expect this to work now, but I get errors in the traefik pod saying that the secret was not found. As you can see, the secret traefik is trying to find is exactly the one configured in the ingress. But the secret itself has an additional number in the name. I think that's why it does not get found. It looks like cert-manager is generating the secret with a "wrong" name, or traefik does not search for it the right way.

{"level":"error","msg":"Error configuring TLS for ingress default/expressjs: secret default/expressjs-secret does not exist","time":"2021-07-09T07:10:52Z"}

# secret
expressjs-secret-qgxcm   Opaque                                1      9m11s

danielschlegel, Jul 09 '21 07:07
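
A check worth running against the manifests in this issue, as an added example that is not part of the original post or of either project: cert-manager resolves the `cert-manager.io/issuer` annotation to a namespaced Issuer in the Ingress's namespace and `cert-manager.io/cluster-issuer` to a ClusterIssuer, so the script below flags an annotation that points at the wrong kind. The function names are hypothetical and the sample objects are constructed from the YAML quoted above.

```python
# Which issuer kind cert-manager looks up for each Ingress annotation.
ANNOTATION_KIND = {
    "cert-manager.io/issuer": "Issuer",                 # namespaced, same namespace as the Ingress
    "cert-manager.io/cluster-issuer": "ClusterIssuer",  # cluster-scoped
}

def _key(kind, namespace, name):
    # ClusterIssuers are not namespaced, so their namespace slot is None.
    return (kind, namespace if kind == "Issuer" else None, name)

def check_ingress_issuer(ingress, issuers):
    """Return findings for issuer annotations that cannot be resolved.

    ingress: Ingress object as a dict (e.g. parsed `kubectl get ingress -o json`).
    issuers: set of (kind, namespace, name) tuples for existing issuers.
    """
    meta = ingress["metadata"]
    ns = meta.get("namespace", "default")
    annotations = meta.get("annotations", {})
    findings = []
    for annotation, kind in ANNOTATION_KIND.items():
        name = annotations.get(annotation)
        if name is None or _key(kind, ns, name) in issuers:
            continue
        msg = f"{annotation}: no {kind} named {name!r}"
        # The same name under the other kind points to a wrong annotation key.
        for other, other_kind in ANNOTATION_KIND.items():
            if other_kind != kind and _key(other_kind, ns, name) in issuers:
                msg += f"; a {other_kind} with that name exists, use {other}"
        findings.append(msg)
    return findings

# Constructed sample: the Ingress metadata and the ClusterIssuer from the post.
SAMPLE_INGRESS = {
    "metadata": {
        "name": "expressjs",
        "annotations": {
            "kubernetes.io/tls-acme": "true",
            "cert-manager.io/issuer": "letsencrypt-pro",
            "kubernetes.io/ingress.class": "traefik",
        },
    },
}
SAMPLE_ISSUERS = {("ClusterIssuer", None, "letsencrypt-pro")}

if __name__ == "__main__":
    for finding in check_ingress_issuer(SAMPLE_INGRESS, SAMPLE_ISSUERS):
        print(finding)
```

While a certificate request is still pending, the Secret named in `spec.tls[].secretName` does not exist yet, which matches the error Traefik logs here.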