You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to Voyager? Please start here.
Issue Let’s Encrypt certificate using HTTP-01 challenge
Deploy Voyager operator
Deploy Voyager operator following instructions here.
# install without RBAC
curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.0.0/hack/deploy/voyager.sh \
| bash -s -- --provider=gke
If you are trying this on a RBAC enabled cluster, pass the flag --rbac
to installer script.
# install with RBAC
curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.0.0/hack/deploy/voyager.sh \
| bash -s -- --provider=gke --rbac
Create Ingress
- We are going to use a nginx server as the backend. To deploy nginx server, run the following commands:
kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80
- Now create Ingress
ing.yaml
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/7.0.0/docs/examples/certificate/http/ing.yaml
- Wait for the LoadBlanacer ip to be assigned. Once the IP is assigned update your DNS provider to set the LoadBlancer IP as the A record for test domain
kiteci.com
$ kubectl get svc voyager-test-ingress
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
voyager-test-ingress 10.39.243.239 104.198.234.66 80:32266/TCP,443:31282/TCP 19m
- Now wait a bit for DNs to propagate. Run the following command to confirm DNS propagation.
$ dig +short kiteci.com
104.198.234.66
- Now open URL http://kiteci.com . This should show you the familiar nginx welcome page.
Create Certificate
- Create a secret to provide ACME user email. Change the email to a valid email address and run the following command:
kubectl create secret generic acme-account [email protected]
- Create the Certificate CRD to issue TLS certificate from Let’s Encrypt using HTTP challenge.
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/7.0.0/docs/examples/certificate/http/crt.yaml
- Now wait a bit and you should see a new secret named
tls-kitecicom
. This contains thetls.crt
andtls.key
.
$ kubectl get secrets
NAME TYPE DATA AGE
acme-account Opaque 3 20m
default-token-zj0wv kubernetes.io/service-account-token 3 30m
tls-kitecicom kubernetes.io/tls 2 19m
$ kubectl describe cert kitecicom
Name: kitecicom
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"voyager.appscode.com/v1beta1","kind":"Certificate","metadata":{"annotations":{},"name":"kitecicom","namespace":"default"},"spec":{"acmeU...
API Version: voyager.appscode.com/v1beta1
Kind: Certificate
Metadata:
Cluster Name:
Creation Timestamp: 2017-10-29T22:07:45Z
Deletion Grace Period Seconds: <nil>
Deletion Timestamp: <nil>
Resource Version: 1376
Self Link: /apis/voyager.appscode.com/v1beta1/namespaces/default/certificates/kitecicom
UID: 97d91028-bcf5-11e7-bc3f-42010a800fd5
Spec:
Acme User Secret Name: acme-account
Challenge Provider:
Http:
Ingress:
API Version: voyager.appscode.com/v1beta1
Kind: Ingress
Name: test-ingress
Domains:
kiteci.com
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
20m 20m 1 voyager operator Normal IssueSuccessful Successfully issued certificate
If you look at the Ingress, you should see that /.well-known/acme-challenge/
path has been added to rules. It should look like this.
If you check the configmap voyager-test-ingress
, you should see a key haproxy.cfg
with the value similar to this.
Update Ingress to use TLS
- Now edit the Ingress to add
spec.tls
section.
$ kubectl edit ingress.voyager.appscode.com test-ingress
spec:
tls:
- hosts:
- kiteci.com
ref:
kind: Certificate
name: kitecicom
After editing, your Ingress should look similar to this.
- Now wait several seconds for HAProxy to reconfigure. If you check the configmap
voyager-test-ingress
, you should see a keyhaproxy.cfg
with the value similar to this.
Now try the following commands:
$ curl -vv http://kiteci.com
* Rebuilt URL to: http://kiteci.com/
* Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 80 (#0)
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://kiteci.com/
<
* Connection #0 to host kiteci.com left intact
$ curl -vv https://kiteci.com
* Rebuilt URL to: https://kiteci.com/
* Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: kiteci.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=kiteci.com
* start date: Sun, 29 Oct 2017 21:07:37 GMT
* expire date: Sat, 27 Jan 2018 21:07:37 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Sun, 29 Oct 2017 22:31:59 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Thu, 14 Sep 2017 16:35:09 GMT
< ETag: "59baafbd-264"
< Accept-Ranges: bytes
< Strict-Transport-Security: max-age=15768000
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host kiteci.com left intact