You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.
LE issues certificates that are valid for 90 days. Voyager operator will try renewing your certificate 7 days prior to expiration. Once renewed certificates are issued, HAProxy will be automatically updated to use the new certificates.
To debug, describe the certificate object and check the events listed under it. Voyager will report any warning events under the certificate object.
kubectl describe certificate <name> --namespace <namespace>
You can also check the logs for voyager operator pod and look for anything suspicious.
kubectl logs -f <voyager-pod-name> -n kube-system
Please consult the official document on this matter: https://letsencrypt.org/docs/rate-limits/
If you are just testing Voyager and want to avoid hitting the rate limits in LE productoion environment, you have 2 options:
ACME_SERVER_URLin your acme secret in addition to your email address.
kubectl create secret generic acme-account \ [email protected] \ --from-literal=ACME_SERVER_URL=https://acme-staging.api.letsencrypt.org/directory
Given your acme email and acme server url (if provided), voyager operator will open a new LE account. Voyager will store the account data in the acme user secret under
ACME_REGISTRATION_DATA keys after the first successful registration. Any following interaction will LE will done using this account. This helps voyager to avoid performing repeated domain ownership challenged. We recommend that you keep a backup copy of the full secret. To be clear, if these keys are missing voyager will automatically register a new account with LE and use that.
$ kubectl get secrets acme-account -o yaml apiVersion: v1 data: ACME_EMAIL: dGFt29t ACME_REGISTRATION_DATA: eyJib2R5Ijp7InJlc291cmNlIjoicmVnIiwiaWQiOjI0OTc1NTYwLCJrZXkiOnsia3R5IjoiUlNBIiwibiI6IjNXRDRzY0hsUUN6N1JmbUZUNmZ3YXpIZ2UyNjhsajk5UGJmMkNwV1lSRzhlTFNHVGVBd0ZXdFVmRTRyMnItQkdjT3AtTnFtYUxBWGxGQmZTWjhtNzRnNEhPbHdPR0tYaTg1cG5hRkYxZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hdXRoeiIsInRlcm1zX29mX3NlcnZpY2UiOiJodHRwczovL2xldHNlbmNyeXB0Lm9yZy9kb2N1bWVudHMvTEUtU0EtdjEuMi1Ob3ZlbWJlci0xNS0yMDE3LnBkZiJ9 ACME_USER_PRIVATE_KEY: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBM1dENHNjSGxRQ3o3UmZtRlQ2ZndhekhnZTI2OGxqOTlQYmYyQ3BXWVJHOGVMU0dUCmVBd0ZXdFVmRTRyMnIrQkdjT3ArTnFtYUxBWGxGQmZTWjhtNzRnNEhPbHdPR0tYaTg1cG5hRkYxU3hBL3BzNkMKMlZVK0tWQmtEczd6d200VmpZV1pXQUl1cDJPT3QxQjhzSE1zbmpuYm82d1dUeVh0TWZINVBoSUFxYnl0dUVKVgpWSklzUVh3WittaWVzOG9URUdIVjRldUgwVC9aL1NSZXpRNExUVExxN0UxNGZtK3FyOFV4b2FxTVhtSHFhNFA0b2svWWg0RHdieTFpelU1cDg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== kind: Secret metadata: creationTimestamp: 2017-11-27T23:44:32Z name: acme-account namespace: default resourceVersion: "33187" selfLink: /api/v1/namespaces/default/secrets/acme-account uid: eab30248-d3cc-11e7-8b04-02cf95c35e16 type: Opaque
There are several options:
tls-***secret to your destination cluster or namespace.
The above example shows how to issue a SANS certificate with multiple domains. The only restriction is that all domains must be using the same DNS provider account. They can use different domain registrars.
Wild card certificates are not supported by Let’s Encrypt as of Nov 2017. Wildcard certificates are coming to LE in 2018. Once this is officially supported, we hope to integrate that in Voyager.
Voyager currently does not issue certificates that use OCSP stapling. See here for prior discussions.