You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.


Issue Let’s Encrypt certificate using HTTP-01 challenge with cert-manager

1. Setup Issuer/ClusterIssuer

Set up a ClusterIssuer (or Issuer) for your Ingress by applying this clusterissuer.yaml:

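apiVersion: cert-manager.io/v1  # assumed; use the API version your cert-manager release serves
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory  # Let's Encrypt staging endpoint
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            name: test-ingress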

Here, test-ingress is the name of the Ingress you are going to create.

IngressClass or IngressName?

If the ingressClass field is specified, cert-manager will create new Ingress resources in order to route traffic to the ‘acmesolver’ pods, which are responsible for responding to ACME challenge validation requests. If the name field is specified, cert-manager will edit the named Ingress resource in order to solve HTTP01 challenges. Since Voyager allocates a separate external IP for each Ingress resource, use the name mechanism for Voyager.

2. Create Ingress

We are going to use an nginx server as the backend. To deploy the nginx server, run the following commands:

kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80

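Now create your Ingress by applying ingress.yaml:

apiVersion: voyager.appscode.com/v1  # assumed from the service/port backend syntax
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
  annotations:  # keys assumed; the page also sets a challenge-type annotation with the value http01
    kubernetes.io/ingress.class: voyager
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
    - hosts:
        - <your-domain>  # placeholder; the host is not shown on this page
      secretName: quickstart-kiteci-tls
  rules:
    - http:
        paths:
          - backend:
              service:
                name: web
                port:
                  number: 80
            path: /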

A Certificate resource is then created automatically for this Ingress:

kubectl get certificate --all-namespaces

But the certificate is still invalid.

Now take the EXTERNAL-IP from the corresponding service:

kubectl get svc
NAMESPACE       NAME                                          TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
default         voyager-test-ingress                        LoadBalancer     80:31919/TCP,443:32751/TCP   44s

Create an A-record for mapped to

Wait till this is resolved:

dig +short

Describe the certificate and wait until the output shows "Certificate issued successfully":

kubectl describe certificate quickstart-kiteci-tls

Let’s Encrypt does not support issuing wildcard certificates with HTTP-01 challenges. To issue wildcard certificates, you must use the DNS-01 challenge.

The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate. If the commonName field is omitted, the first element in the list will be the common name.
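
The DNS and issuance checks from step 2, together with the wildcard restriction noted above, as an added shell example that is not part of the Voyager documentation. It assumes the Service is named voyager-<ingress> in namespace default, as in the output above, and that the load balancer reports an IP rather than a hostname; the function names are hypothetical.

```shell
# Added example (not from the Voyager docs). Works in bash and dash.
# Assumes the Service is named voyager-<ingress> in namespace default and
# that the load balancer reports an IP (not a hostname).

# HTTP-01 cannot validate wildcard names; reject them (and empty input) early.
http01_host_ok() {
  case "$1" in
    "" | *\**) return 1 ;;
    *) return 0 ;;
  esac
}

# EXTERNAL-IP that Voyager's LoadBalancer Service received for the Ingress.
lb_ip() {
  kubectl get svc "voyager-$1" -n default \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# Succeeds when one of the domain's A records equals the load balancer IP.
dns_points_at_lb() {
  [ -n "$2" ] && dig +short "$1" A | grep -qxF "$2"
}

# Usage: wait_for_certificate <domain> <ingress> <certificate> [dns-tries]
# Returns 2 for a wildcard host, 1 if no IP is assigned, 3 if DNS never matches.
wait_for_certificate() {
  local domain="$1" ingress="$2" cert="$3" tries="${4:-30}" ip
  http01_host_ok "$domain" || { echo "$domain needs DNS-01, not HTTP-01" >&2; return 2; }
  ip=$(lb_ip "$ingress") || return 1
  [ -n "$ip" ] || { echo "no EXTERNAL-IP assigned yet" >&2; return 1; }
  # Let's Encrypt validates over HTTP against whatever the name resolves to,
  # so do not wait on issuance until the A record points at this Ingress.
  until dns_points_at_lb "$domain" "$ip"; do
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] || { echo "$domain does not resolve to $ip" >&2; return 3; }
    sleep "${POLL_SECONDS:-10}"
  done
  # cert-manager sets the Ready condition once the certificate is issued.
  kubectl wait --for=condition=Ready "certificate/$cert" -n default --timeout=300s
}
```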