Issue Let’s Encrypt certificate using HTTP-01 challenge
Deploy Voyager operator
Install Voyager operator in your cluster following the steps here.
Create Ingress
We are going to use an nginx server as the backend. To deploy the nginx server, run the following commands:

```console
kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80
```
Now create the Ingress defined in ing.yaml:

```console
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/v12.0.0/docs/examples/certificate/http/ing.yaml
```
Wait for the LoadBalancer IP to be assigned. Once the IP is assigned, update your DNS provider to set the LoadBalancer IP as the A record for the test domain kiteci.com.

```console
$ kubectl get svc voyager-test-ingress
NAME                   CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
voyager-test-ingress   10.39.243.239   104.198.234.66   80:32266/TCP,443:31282/TCP   19m
```
Now wait a bit for DNS to propagate. Run the following command to confirm DNS propagation.
```console
$ dig +short kiteci.com
104.198.234.66
```
Now open the URL http://kiteci.com. This should show you the familiar nginx welcome page.
Create Certificate
Create a secret that provides the ACME account email. Let's Encrypt registers the account under this address and sends certificate expiry notices to it, so change it to an address you actually read before running the command:

```console
kubectl create secret generic acme-account --from-literal=ACME_EMAIL=me@example.com
```
Create the Certificate object (a Voyager CRD) to issue a TLS certificate from Let's Encrypt using the HTTP-01 challenge:

```console
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/v12.0.0/docs/examples/certificate/http/crt.yaml
```
Now wait a bit and you should see a new secret named tls-kitecicom. It contains the tls.crt and tls.key. The name of this secret must not have any dashes or other special characters.

```console
$ kubectl get secrets
NAME                  TYPE                                  DATA      AGE
acme-account          Opaque                                3         20m
default-token-zj0wv   kubernetes.io/service-account-token   3         30m
tls-kitecicom         kubernetes.io/tls                     2         19m
```

```console
$ kubectl describe cert kitecicom
Name:         kitecicom
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"voyager.appscode.com/v1beta1","kind":"Certificate","metadata":{"annotations":{},"name":"kitecicom","namespace":"default"},"spec":{"acmeU...
API Version:  voyager.appscode.com/v1beta1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:             2017-10-29T22:07:45Z
  Deletion Grace Period Seconds:  <nil>
  Deletion Timestamp:             <nil>
  Resource Version:               1376
  Self Link:                      /apis/voyager.appscode.com/v1beta1/namespaces/default/certificates/kitecicom
  UID:                            97d91028-bcf5-11e7-bc3f-42010a800fd5
Spec:
  Acme User Secret Name:  acme-account
  Challenge Provider:
    Http:
      Ingress:
        API Version:  voyager.appscode.com/v1beta1
        Kind:         Ingress
        Name:         test-ingress
  Domains:
    kiteci.com
Events:
  FirstSeen  LastSeen  Count  From              SubObjectPath  Type    Reason           Message
  ---------  --------  -----  ----              -------------  ----    ------           -------
  20m        20m       1      voyager operator                 Normal  IssueSuccessful  Successfully issued certificate
```
If you look at the Ingress, you should see that the /.well-known/acme-challenge/ path has been added to the rules. It should look like this.

If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with a value similar to this.
Update Ingress to use TLS
Now edit the Ingress to add a spec.tls section.

```console
$ kubectl edit ingress.voyager.appscode.com test-ingress
```

```yaml
spec:
  tls:
  - hosts:
    - kiteci.com
    ref:
      kind: Secret
      name: tls-kitecicom
```
After editing, your Ingress should look similar to this.
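The steps above (Ingress, ACME account secret, Certificate, then spec.tls) as one script. This is an added example, not the project's own ing.yaml or crt.yaml: the Ingress and Certificate manifests are reconstructed from the `kubectl describe cert kitecicom` output and the `web` Service created in the nginx step, the ACME_EMAIL key name is assumed from the Voyager docs, and the function names, the 30 x 10 s retry budget and the A-record check before creating the Certificate are this example's own choices.

```shell
#!/bin/sh
# Scripted form of the steps on this page: Ingress -> ACME account secret ->
# Certificate -> wait for the tls-<name> secret -> add spec.tls to the Ingress.
# Added example, not the project's ing.yaml/crt.yaml: the manifests are
# reconstructed from the `kubectl describe cert kitecicom` output above, and the
# ACME_EMAIL key name is assumed from the Voyager docs. Needs kubectl pointed at a
# cluster running the Voyager operator, dig, and the `web` Service from the nginx step.

# The TLS secret is named tls-<certificate name> and the page says that name must not
# contain dashes or other special characters, so accept only [a-z0-9].
valid_cert_name() {
  case $1 in
    '' | *[!a-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

ingress_manifest() { # $1 ingress name, $2 host, $3 backend Service, $4 Service port
  cat <<EOF
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: $1
  namespace: default
spec:
  rules:
  - host: $2
    http:
      paths:
      - backend:
          serviceName: $3
          servicePort: $4
EOF
}

certificate_manifest() { # $1 certificate name, $2 domain, $3 ACME account secret, $4 ingress name
  cat <<EOF
apiVersion: voyager.appscode.com/v1beta1
kind: Certificate
metadata:
  name: $1
  namespace: default
spec:
  domains:
  - $2
  acmeUserSecretName: $3
  challengeProvider:
    http:
      ingress:
        apiVersion: voyager.appscode.com/v1beta1
        kind: Ingress
        name: $4
EOF
}

# JSON merge patch with the same content as the spec.tls block added via kubectl edit above.
tls_patch() { # $1 host, $2 certificate name
  printf '{"spec":{"tls":[{"hosts":["%s"],"ref":{"kind":"Secret","name":"tls-%s"}}]}}' "$1" "$2"
}

# Re-run "$@" every 10 s, up to 30 times, until it succeeds.
retry() {
  n=0
  until "$@" >/dev/null 2>&1; do
    n=$((n + 1))
    [ "$n" -lt 30 ] || { echo "gave up waiting for: $*" >&2; return 1; }
    sleep 10
  done
}

# Print the LoadBalancer IP of the Service Voyager creates for an Ingress; fail while unset.
lb_ip() {
  kubectl get svc "voyager-$1" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' | grep .
}

issue_certificate() { # $1 domain, $2 certificate name, $3 ingress name, $4 ACME account e-mail
  domain=$1; cert=$2; ingress=$3; email=$4
  valid_cert_name "$cert" || { echo "certificate name must match [a-z0-9]+" >&2; return 1; }
  ingress_manifest "$ingress" "$domain" web 80 | kubectl apply -f - || return 1
  retry lb_ip "$ingress" || return 1
  ip=$(lb_ip "$ingress")
  # Let's Encrypt fetches http://$domain/.well-known/acme-challenge/<token> over port 80,
  # so do not create the Certificate until the A record points at the LoadBalancer.
  dig +short "$domain" A | grep -qx "$ip" ||
    { echo "create an A record $domain -> $ip, wait for propagation, then rerun" >&2; return 1; }
  kubectl create secret generic acme-account --from-literal=ACME_EMAIL="$email" || return 1
  certificate_manifest "$cert" "$domain" acme-account "$ingress" | kubectl apply -f - || return 1
  retry kubectl get secret "tls-$cert" || return 1
  kubectl patch ingress.voyager.appscode.com "$ingress" --type merge -p "$(tls_patch "$domain" "$cert")"
}

# Usage: sh issue.sh kiteci.com kitecicom test-ingress me@example.com
if [ "$#" -eq 4 ]; then
  issue_certificate "$@"
fi
```

The script only adds spec.tls after the tls-<name> secret exists, which is the order this page follows; patching the Ingress first would reference a secret HAProxy cannot load yet.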
Now wait several seconds for HAProxy to reconfigure. If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with a value similar to this.

Now try the following commands. The plain-HTTP request is answered with a 301 redirect to the HTTPS URL, and the HTTPS response carries a Strict-Transport-Security header, so browsers will not fall back to HTTP on later visits:
```console
$ curl -vv http://kiteci.com
* Rebuilt URL to: http://kiteci.com/
*   Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 80 (#0)
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://kiteci.com/
<
* Connection #0 to host kiteci.com left intact
```
```console
$ curl -vv https://kiteci.com
* Rebuilt URL to: https://kiteci.com/
*   Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: kiteci.com (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: CN=kiteci.com
*    start date: Sun, 29 Oct 2017 21:07:37 GMT
*    expire date: Sat, 27 Jan 2018 21:07:37 GMT
*    issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*    compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Sun, 29 Oct 2017 22:31:59 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Thu, 14 Sep 2017 16:35:09 GMT
< ETag: "59baafbd-264"
< Accept-Ranges: bytes
< Strict-Transport-Security: max-age=15768000
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host kiteci.com left intact
```
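The two curl transcripts above are what a correct deployment returns. The following script, added here as an example and not part of the Voyager docs or project, turns them into repeatable checks: the A record points at the LoadBalancer IP, port 80 answers with a 301 to the HTTPS origin, the HTTPS response carries an HSTS header of at least the max-age Voyager sets, and the served certificate is issued by Let's Encrypt for the right name with enough validity left. The parsing functions take text, so they can be run against pasted output; verify_domain runs them live and assumes dig, curl and openssl on PATH. The function names and the 30-day expiry threshold are this example's own choices.

```shell
#!/bin/sh
# Post-issuance checks for the setup on this page (added example, not Voyager code).
# The pure checks below parse text you can paste in; verify_domain runs them against
# a live host with dig, curl and openssl (assumed on PATH).

# Does the A record for $1 resolve to the LoadBalancer IP $2 (from `kubectl get svc`)?
dns_points_to() {
  dig +short "$1" A | grep -qx "$2"
}

# $1 host, $2 raw response headers of a plain-HTTP request: Voyager must answer
# 301 with a Location on the HTTPS origin, exactly as in the curl output above.
check_redirect() {
  hdrs=$(printf '%s\n' "$2" | tr -d '\r')
  printf '%s\n' "$hdrs" | grep -q '^HTTP/[0-9.]* 301' &&
    printf '%s\n' "$hdrs" | grep -qi "^Location: https://$1/"
}

# Print the max-age of the Strict-Transport-Security header in $1, or nothing.
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ {
      line = tolower($0)
      if (match(line, /max-age=[0-9]+/)) { print substr(line, RSTART + 8, RLENGTH - 8); exit }
    }'
}

# $1 HTTPS response headers, $2 minimum max-age (default: the 15768000 s Voyager sets).
check_hsts() {
  age=$(hsts_max_age "$1")
  [ -n "$age" ] && [ "$age" -ge "${2:-15768000}" ]
}

# $1 is the `openssl x509 -noout -issuer` line; both the old (/C=US/O=...) and the
# new (C = US, O = ...) OpenSSL formats are accepted.
check_issuer() {
  printf '%s\n' "$1" | grep -q "Let's Encrypt"
}

# $1 host, $2 the `openssl x509 -noout -subject` line: the CN must be exactly the host.
check_subject() {
  printf '%s\n' "$2" | grep -Eq "CN *= */?$1(/|,|$)"
}

verify_domain() { # $1 host, $2 LoadBalancer IP, $3 minimum days of validity left (default 30)
  host=$1; ip=$2; days=${3:-30}
  dns_points_to "$host" "$ip" || { echo "FAIL: $host does not resolve to $ip" >&2; return 1; }
  check_redirect "$host" "$(curl -sS -o /dev/null -D - "http://$host/")" ||
    { echo "FAIL: no 301 to https://$host/" >&2; return 1; }
  check_hsts "$(curl -sS -o /dev/null -D - "https://$host/")" ||
    { echo "FAIL: Strict-Transport-Security missing or too short" >&2; return 1; }
  cert=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null | openssl x509)
  check_issuer "$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)" ||
    { echo "FAIL: not a Let's Encrypt certificate (staging or self-signed?)" >&2; return 1; }
  check_subject "$host" "$(printf '%s\n' "$cert" | openssl x509 -noout -subject)" ||
    { echo "FAIL: certificate is not for $host" >&2; return 1; }
  # -checkend exits non-zero if the certificate expires within the window. The certificate
  # on this page is valid for 90 days, so little time left means renewal has not happened.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $((days * 86400)) ||
    { echo "FAIL: certificate expires within $days days" >&2; return 1; }
  echo "OK: $host serves a valid Let's Encrypt certificate with HTTPS redirect and HSTS"
}

# Usage: sh verify.sh kiteci.com 104.198.234.66
if [ "$#" -ge 2 ]; then
  verify_domain "$@"
fi
```

Run it from cron after the first issuance: the DNS, redirect and HSTS checks catch configuration drift, and the -checkend window gives warning before the 90-day certificate lapses.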