When I try configuring TLS Let's Encrypt certificates for my cluster application with a NGINX Ingress controller and cert-manager, something goes wrong with the ClusterIssuer.
My ClusterIssuer is defined as followed:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: user@example.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
When I check out the clusterissuer via kubectl, it says that the ClusterIssuer is READY.
$ kubectl get clusterissuer --namespace mynamespace
Response:
NAME READY AGE
letsencrypt-prod True 13s
But when I describe the ClusterIssuer I get an error.
$ kubectl describe clusterissuer letsencrypt-prod --namespace mynamespace
Response:
Error from server: conversion webhook for cert-manager.io/v1alpha2, Kind=ClusterIssuer failed: Post https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s: service "cert-manager-webhook" not found
I installed cert-manager with Helm 3 with manually adding the CRDs.
How to solve this?
The cert-manager chart does not accept different namespacing when the CRDs are applied manually to your cluster. Instead of applying them manually first, install the CRDs as part of the Helm 3 release.
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install \
cert-manager jetstack/cert-manager \
--namespace mynamespace \
--version v0.15.1 \
--set installCRDs=true