You are looking at the documentation of a prior release.

Issue Let’s Encrypt certificate using HTTP-01 challenge

Deploy Voyager operator

Install Voyager operator in your cluster following the steps here.

Create Ingress

  1. We are going to use an nginx server as the backend. To deploy the nginx server, run the following commands:

    kubectl create deployment nginx --image=nginx
    kubectl expose deployment nginx --name=web --port=80 --target-port=80
  2. Now create Ingress ing.yaml

    kubectl apply -f
  3. Wait for the LoadBalancer IP to be assigned. Once the IP is assigned, update your DNS provider to set the LoadBalancer IP as the A record for the test domain.

    $ kubectl get svc  voyager-test-ingress
    NAME                   CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
    voyager-test-ingress   80:32266/TCP,443:31282/TCP   19m
  4. Now wait a bit for DNS to propagate. Run the following command to confirm DNS propagation.

    $ dig +short
  5. Now open URL . This should show you the familiar nginx welcome page.

Create Certificate

  1. Create a secret to provide ACME user email. Change the email to a valid email address and run the following command:

    kubectl create secret generic acme-account --from-literal=ACME_EMAIL=me@example.com
  2. Create the Certificate CRD to issue a TLS certificate from Let’s Encrypt using the HTTP challenge.

    kubectl apply -f
  3. Now wait a bit and you should see a new secret named tls-kitecicom. This contains the tls.crt and tls.key. This secret must not have any dashes or other special characters.

    $ kubectl get secrets
    NAME                  TYPE                                  DATA      AGE
    acme-account          Opaque                                3         20m
    default-token-zj0wv   3         30m
    tls-kitecicom                     2         19m
    $ kubectl describe cert kitecicom
    Name:		kitecicom
    Namespace:	default
    Labels:		<none>
    API Version:
    Kind:		Certificate
      Cluster Name:
      Creation Timestamp:			2017-10-29T22:07:45Z
      Deletion Grace Period Seconds:	<nil>
      Deletion Timestamp:			<nil>
      Resource Version:			1376
      Self Link:				/apis/
      UID:					97d91028-bcf5-11e7-bc3f-42010a800fd5
      Acme User Secret Name:	acme-account
      Challenge Provider:
            API Version:
            Kind:		Ingress
            Name:		test-ingress
      FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
      ---------	--------	-----	----			-------------	--------	------		-------
      20m		20m		1	voyager operator			Normal		IssueSuccessful	Successfully issued certificate

    If you look at the Ingress, you should see that /.well-known/acme-challenge/ path has been added to rules. It should look like this.

    If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

Update Ingress to use TLS

  1. Now edit the Ingress to add spec.tls section.

    $ kubectl edit test-ingress
      - hosts:
          kind: Secret
          name: tls-kitecicom

    After editing, your Ingress should look similar to this.

  2. Now wait several seconds for HAProxy to reconfigure. If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

    Now try the following commands:

    $ curl -vv
    * Rebuilt URL to:
    *   Trying
    * Connected to ( port 80 (#0)
    > GET / HTTP/1.1
    > Host:
    > User-Agent: curl/7.47.0
    > Accept: */*
    < HTTP/1.1 301 Moved Permanently
    < Content-length: 0
    < Location:
    * Connection #0 to host left intact
    $ curl -vv
    * Rebuilt URL to:
    *   Trying
    * Connected to ( port 443 (#0)
    * found 148 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 597 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
    * 	 server certificate verification OK
    * 	 server certificate status verification SKIPPED
    * 	 common name: (matched)
    * 	 server certificate expiration date OK
    * 	 server certificate activation date OK
    * 	 certificate public key: RSA
    * 	 certificate version: #3
    * 	 subject:
    * 	 start date: Sun, 29 Oct 2017 21:07:37 GMT
    * 	 expire date: Sat, 27 Jan 2018 21:07:37 GMT
    * 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
    * 	 compression: NULL
    * ALPN, server accepted to use http/1.1
    > GET / HTTP/1.1
    > Host:
    > User-Agent: curl/7.47.0
    > Accept: */*
    < HTTP/1.1 200 OK
    < Server: nginx/1.13.6
    < Date: Sun, 29 Oct 2017 22:31:59 GMT
    < Content-Type: text/html
    < Content-Length: 612
    < Last-Modified: Thu, 14 Sep 2017 16:35:09 GMT
    < ETag: "59baafbd-264"
    < Accept-Ranges: bytes
    < Strict-Transport-Security: max-age=15768000
    <!DOCTYPE html>
    <title>Welcome to nginx!</title>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    <p>For online documentation and support please refer to
    <a href=""></a>.<br/>
    Commercial support is available at
    <a href=""></a>.</p>
    <p><em>Thank you for using nginx.</em></p>
    * Connection #0 to host left intact
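
The two curl checks above can be scripted. The following is an added example, not part of the Voyager documentation: it reads response headers on stdin and checks for the 301 redirect to HTTPS and the Strict-Transport-Security header seen in the output. The function names, the sample responses and example.com are constructed for illustration.

```sh
#!/bin/sh
# Added example: scripted version of the two curl checks.
# Live use, with DOMAIN set to your own test domain:
#   curl -sI "http://$DOMAIN/"  | check_redirect
#   curl -sI "https://$DOMAIN/" | check_hsts 15768000

# Strip CRs so header names and values match cleanly.
normalize() { tr -d '\r'; }

# Succeeds only for a 301 response whose Location points at https://.
check_redirect() {
    normalize | awk '
        NR == 1                    { ok_status = ($2 == "301") }
        tolower($1) == "location:" { ok_loc = ($2 ~ /^https:\/\//) }
        END                        { exit !(ok_status && ok_loc) }'
}

# Succeeds only if Strict-Transport-Security carries max-age >= $1 seconds.
check_hsts() {
    normalize | awk -v min="$1" '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) {
                age = substr(line, RSTART + 8, RLENGTH - 8) + 0
                if (age >= min + 0) found = 1
            }
        }
        END { exit !found }'
}

# Constructed sample responses (example.com is a placeholder domain).
sample_http() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nContent-length: 0\r\nLocation: https://example.com/\r\n\r\n'
}
sample_https() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.13.6\r\nStrict-Transport-Security: max-age=15768000\r\n\r\n'
}

sample_http  | check_redirect       && echo "redirect to HTTPS: ok"
sample_https | check_hsts 15768000  && echo "HSTS: ok"
```

A non-zero exit from either function means the Ingress is still serving plain HTTP without the redirect, or HAProxy has not yet picked up the TLS configuration.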