Tags: kubernetes, lets-encrypt, kubernetes-helm, kubernetes-ingress, cert-manager

How to automate Let's Encrypt certificate renewal in Kubernetes with cert-manager on a bare-metal cluster?


I would like to access my Kubernetes bare-metal cluster with an exposed Nginx Ingress Controller for TLS termination. To be able to automate certificate renewal, I would like to use the Kubernetes addon cert-manager, which is kube-lego's successor.

What I have done so far:

  • Set up a Kubernetes (v1.9.3) cluster on bare-metal (1 master, 1 minion, both running Ubuntu 16.04.4 LTS) with kubeadm and flannel as pod network following this guide.

  • Installed nginx-ingress (chart version 0.9.5) with Kubernetes package manager helm
    helm install --name nginx-ingress --namespace kube-system stable/nginx-ingress --set controller.hostNetwork=true,rbac.create=true,controller.service.type=ClusterIP

  • Installed cert-manager (chart version 0.2.2) with helm
    helm install --name cert-manager --namespace kube-system stable/cert-manager --set rbac.create=true

The Ingress Controller is exposed successfully and works as expected when I test with an Ingress resource. For proper Let's Encrypt certificate management and automatic renewal with cert-manager, I first of all need an Issuer resource. I created it from this acme-staging-issuer.yaml:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    http01: {}

kubectl create -f acme-staging-issuer.yaml runs successfully but kubectl describe issuer/letsencrypt-staging gives me:

Status:
  Acme:
    Uri:  
  Conditions:
    Last Transition Time:  2018-03-05T21:29:41Z
    Message:               Failed to verify ACME account: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                Age               From                     Message
  ----     ------                ----              ----                     -------
  Warning  ErrVerifyACMEAccount  1s (x11 over 7s)  cert-manager-controller  Failed to verify ACME account: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
  Warning  ErrInitIssuer         1s (x11 over 7s)  cert-manager-controller  Error initializing issuer: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291

Without a ready Issuer, I cannot proceed to generate cert-manager Certificates or utilise the ingress-shim (for automatic renewal).

What am I missing in my setup? Is it sufficient to expose the ingress controller using hostNetwork=true, or is there a better way to expose its ports 80 and 443 on a bare-metal cluster? How can I resolve the tls: oversized record received error when creating a cert-manager Issuer resource?


Solution

  • The tls: oversized record received error was caused by a misconfigured /etc/resolv.conf of the Kubernetes minion. It could be resolved by editing it like this:

    $ sudo vi /etc/resolvconf/resolv.conf.d/base
    

    Add nameserver list:

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    

    Update resolvconf:

    $ sudo resolvconf -u
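An added diagnostic script (not from the question, the answer, or the cert-manager project) that ties the two halves of this thread together: it reads the Issuer's Ready condition the way `kubectl get issuer -o json` reports it, checks whether a node's resolv.conf actually carries a usable nameserver (the fix above), and decodes the "oversized record" length to show what kind of reply the ACME client really received. The Issuer JSON and the two resolv.conf samples are constructed from the output shown on this page; the function names, the finding codes and the `fetch_issuer_json` wrapper around `kubectl` are assumptions of this example.

```python
"""Diagnostics for a cert-manager ACME Issuer stuck on ErrRegisterACMEAccount (added example)."""
import ipaddress
import json
import subprocess

# Constructed sample of `kubectl get issuer letsencrypt-staging -o json`, carrying the
# exact Ready condition shown in the question (field names follow cert-manager's status schema).
SAMPLE_ISSUER_JSON = json.dumps({
    "apiVersion": "certmanager.k8s.io/v1alpha1",
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt-staging", "namespace": "default"},
    "status": {
        "acme": {"uri": ""},
        "conditions": [{
            "lastTransitionTime": "2018-03-05T21:29:41Z",
            "message": ("Failed to verify ACME account: Get "
                        "https://acme-staging.api.letsencrypt.org/directory: "
                        "tls: oversized record received with length 20291"),
            "reason": "ErrRegisterACMEAccount",
            "status": "False",
            "type": "Ready",
        }],
    },
})

# Constructed resolv.conf contents: the broken node (no nameserver) and the fixed one.
SAMPLE_BAD_RESOLV_CONF = "# generated by resolvconf\nsearch cluster.example\n"
SAMPLE_GOOD_RESOLV_CONF = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"


def usable_nameservers(resolv_conf_text):
    """Return the syntactically valid nameserver addresses found in resolv.conf text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, the resolver would not use it
    return servers


def issuer_ready_condition(issuer_json_text):
    """Return (ready, reason, message) from the Issuer's Ready condition."""
    obj = json.loads(issuer_json_text)
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", ""), cond.get("message", "")
    return False, "NoReadyCondition", "Issuer has not reported a Ready condition yet"


def decode_oversized_length(length):
    """Go's TLS client takes bytes 3-4 of whatever it read as the record length.
    Turning the reported length back into those two bytes shows what the peer
    actually sent; 20291 decodes to b'OC', i.e. the 4th and 5th bytes of a
    plaintext '<!DOCTYPE' HTML reply (an inference, not stated on the page)."""
    return length.to_bytes(2, "big")


def diagnose(issuer_json_text, resolv_conf_text):
    """Return a list of (code, detail) findings; an empty list means nothing is wrong."""
    findings = []
    ready, reason, message = issuer_ready_condition(issuer_json_text)
    if not ready:
        findings.append(("ISSUER_NOT_READY", f"{reason}: {message}"))
        if "tls: oversized record received with length" in message:
            length = int(message.rsplit(" ", 1)[-1])
            findings.append(("NON_TLS_REPLY",
                             f"ACME client got a non-TLS answer; record bytes "
                             f"{decode_oversized_length(length)!r} look like plaintext"))
    if not usable_nameservers(resolv_conf_text):
        findings.append(("NO_NAMESERVER", "resolv.conf has no usable nameserver line"))
    return findings


def fetch_issuer_json(name, namespace="default"):
    """Read a live Issuer with kubectl (real command; only used outside the samples)."""
    proc = subprocess.run(["kubectl", "get", "issuer", name, "-n", namespace, "-o", "json"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for label, resolv in (("before fix", SAMPLE_BAD_RESOLV_CONF), ("after fix", SAMPLE_GOOD_RESOLV_CONF)):
        print(label)
        for code, detail in diagnose(SAMPLE_ISSUER_JSON, resolv):
            print(f"  {code}: {detail}")
```

On a real node, replace `SAMPLE_ISSUER_JSON` with `fetch_issuer_json("letsencrypt-staging")` and the sample text with the contents of `/etc/resolv.conf`; the NON_TLS_REPLY finding is the one that points at name resolution rather than at cert-manager itself.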