Install and Setup Cert-Manager for Automated SSL Certificates

Praveen Perera

September 24, 2019

2 min read

cheatsheet, dev-ops, digital-ocean, kubernetes, rancher, rancher-on-doks

Instructions

  1. Create the cert-manager namespace by going into your terminal and using kubectl. 
kubectl create namespace cert-manager
  1. Add the following label to the namespace. 
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
  1. Install cert-manager and the necessary CustomResourceDefinitions. 
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml

  1. Go into your rancher install and add the cert-manager namespace into the System project.

  2. Create the cluster issuer.

    • See an example one using the cloudflare DNS challenge below
    • To see an example one for AWS Route53, click here 
# prod_issuer.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - selector: {}
        dns01:
          cloudflare:
            email: [email protected]
            apiKeySecretRef:
              name: cloudflare_api_key_secret
              key: api-key

  1. Go into rancher System project, Resources and click Secrets.

  2. Add a secret that matches the yaml file from step 5. 

name = cloudflare-api-key-secret
key = api-key
value = YOUR_API_TOKEN_FROM_CLOUDFLARE

  1. Select Available to a single namespace, select the cert-manager namespace and click Save

  2. Go back into your terminal and create the cluster issuer using the template from step 5 

kubectl create --namespace=cert-manager -f prod_issuer.yaml
  1. Create the yaml file to get your SSL certificate 
# certificate.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: yourwebsite.com
  namespace: main
spec:
  secretName: yourwebsite-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: "*.yourwebsite.com"
  dnsNames:
    - yourwebsite.com
    - "*.yourwebsite.com"
  1. Create the certificate using the yaml file from before 
kubectl create --namespace=main -f certificate.yaml
  1. Other useful commands 
kubectl get certificate
kubectl describe certificate yourwebsite-com-tls

kubectl describe order yourwebsite-com-tls630199403 -n main

kubectl get secret
kubectl describe secret yourwebsite-com-tls

Screencast

Resources

Get More!