Quick Setup: Configuring Wildcard Certificate Issuer using LetsEncrypt & AWS Route 53 on Kubernetes using Cert Manager

Neeraj Swarnkar
3 min read, Jun 6, 2021

This is for Kubernetes administrators who struggle to manage wildcard certificates for their websites. Those who are new to cert-manager can find enough information at https://cert-manager.io/docs/installation/kubernetes/

Here we address the AWS Route 53 DNS service, which can be used for ACME DNS-01 verification.

Prerequisites:

  1. Create an IAM programmatic user with AmazonRoute53DomainsFullAccess and AmazonRoute53FullAccess. Note down the access key and secret key; let us refer to them as “ROUTE53_ACCESS_KEY” and “ROUTE53_SECRET_KEY”.
  2. You have already set up a hosted zone for your domain name (check the AWS documentation for Route 53).

Install Cert Manager

  1. Choose the latest version that is supported on your Kubernetes. I used version v1.3.1 of cert-manager on a Kubernetes cluster with version v1.18.18.
  2. You can use the following script to install cert-manager using helm.
#!/bin/bash
# Maintainer : Neeraj Swarnkar, www.snetlabs.com
# Install cert manager using helm.
NAME_SPACE=cert-manager
kubectl create namespace $NAME_SPACE
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace $NAME_SPACE --create-namespace --version v1.3.1 --set installCRDs=true

  3. In case you don't have helm or don't want to use it, you can install directly with the regular manifest, but I recommend using helm. If you face any issue, please use helm.

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml

Create Private key reference

Create a Secret named “wilcard-issuer-v2-private-key” with key “secret” and value “ROUTE53_SECRET_KEY” (the secret key you noted above) in the same namespace as cert-manager. Logically you would create this key so that it is available to all namespaces, but I found problems with cert-manager; it looks like it accepts the key only in the same namespace. Nam

Create Cluster Issuer definition based on LetsEncrypt & Deploy

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: le-wildcard-issuer
  namespace: default   # ClusterIssuer is cluster-scoped, so this field has no effect
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your_email_id_you_get_alerts_expiry
    privateKeySecretRef:
      name: le-wildcard-issuer
    solvers:
    - dns01:
        route53:
          region: ap-northeast-1   # REGION, change it if need be
          accessKeyID: ROUTE53_ACCESS_KEY   # you noted above
          secretAccessKeySecretRef:
            name: wilcard-issuer-v2-private-key
            key: secret

$ kubectl apply -f cluster-issuer.yaml

Once it is successfully deployed, you can check whether the issuer is ready; you should see the Ready status as "True".

$ kubectl get ClusterIssuer le-wildcard-issuer
NAME READY AGE
le-wildcard-issuer True 71m

Create Wildcard Certificate definition with name “conn-wildcard” and deploy

Create YAML based definition as below:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: conn-wildcard
  namespace: your_namespace   # change it as per your deployment
spec:
  dnsNames:
  - '*.your_domain_name'
  issuerRef:
    kind: ClusterIssuer
    name: le-wildcard-issuer
  secretName: conn-wildcard

$ kubectl apply -f certificate.yaml
This places a certificate request with Let's Encrypt, which you can further debug to check whether everything is going as expected. To know whether your certificate is ready, use the following command:
$ kubectl get certificate --namespace your_namespace conn-wildcard
NAME READY SECRET AGE
conn-wildcard True conn-wildcard 76m
Note that the status is True, which means your certificate has been successfully issued by Let's Encrypt.
Enjoy!!
Note: you can choose the name of your wildcard certificate as per your convenience instead of "conn-wildcard".

Further Troubleshooting

In case your certificate is not issued successfully, the following link has information on troubleshooting the issues further:
https://cert-manager.io/docs/faq/acme/
If it does not give you an exact clue, or shows no error and reports the status as “pending”, then check the logs of cert-manager:

$ kubectl get pods -A|grep cert-manager
cert-manager cert-manager-69f64544f4-s4qs7 1/1 Running 0 2d
cert-manager cert-manager-cainjector-568dbf46d7-s95kz 1/1 Running 0 2d
cert-manager cert-manager-webhook-5b87b9f8b8-6tmxt 1/1 Running 0 2d
kubectl logs cert-manager-69f64544f4-s4qs7 --namespace cert-manager|more
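The Secret creation, the two manifests and the readiness checks described above, automated as an added example (this is not the post's own script): it takes the Route 53 secret key from the environment rather than a file, applies the manifests, and polls the Ready condition, printing the condition message cert-manager records so a “pending” object shows why it is stuck. It assumes the object names used in the post, cert-manager installed in the "cert-manager" namespace, manifests named cluster-issuer.yaml and certificate.yaml in the current directory, and a kubectl already pointed at the cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Creates the Route 53 Secret from an
# environment variable so the key never sits in a YAML file, then waits for the
# ClusterIssuer and Certificate to become Ready, printing the condition message
# cert-manager records when an object is stuck. Assumes the names used in the
# post, cert-manager in namespace "cert-manager", and a configured kubectl.
CM_NAMESPACE=${CM_NAMESPACE:-cert-manager}
ISSUER=${ISSUER:-le-wildcard-issuer}
CERT_NS=${CERT_NS:-default}
CERT=${CERT:-conn-wildcard}

# Input: "Type=Status:Message" lines (the shape emitted by conditions_of below).
# Prints the Ready condition's message; returns 0 only when Ready is True.
ready_from_conditions() {
  ready=$(printf '%s\n' "$1" | sed -n 's/^Ready=\([A-Za-z]*\):\(.*\)$/\1 \2/p' | head -n 1)
  [ -n "$ready" ] || { echo "no Ready condition reported yet"; return 1; }
  status=${ready%% *}; message=${ready#* }
  echo "${message:-no message}"
  [ "$status" = "True" ]
}

# Usage: conditions_of <kind/name> [-n namespace]
conditions_of() {
  kubectl get "$@" -o jsonpath='{range .status.conditions[*]}{.type}={.status}:{.message}{"\n"}{end}'
}

# Poll until Ready=True or timeout. Usage: wait_ready <kind/name> <seconds> [-n namespace]
wait_ready() {
  res=$1; timeout=$2; shift 2; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if msg=$(ready_from_conditions "$(conditions_of "$res" "$@")"); then
      echo "$res is Ready: $msg"; return 0
    fi
    elapsed=$((elapsed + 5)); sleep 5
  done
  echo "$res not Ready after ${timeout}s: $msg" >&2; return 1
}

main() {
  : "${ROUTE53_SECRET_KEY:?export ROUTE53_SECRET_KEY before running}"
  # A ClusterIssuer only reads Secrets from the cert-manager namespace.
  kubectl create secret generic wilcard-issuer-v2-private-key --namespace "$CM_NAMESPACE" \
    --from-literal=secret="$ROUTE53_SECRET_KEY" --dry-run=client -o yaml | kubectl apply -f -
  kubectl apply -f cluster-issuer.yaml
  wait_ready "clusterissuer/$ISSUER" 120
  kubectl apply -f certificate.yaml
  wait_ready "certificate/$CERT" 600 -n "$CERT_NS"
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `ROUTE53_SECRET_KEY=... sh setup.sh --apply`; the functions alone can be sourced to check an existing issuer or certificate.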

Happy SSL Certificate Generation !!

Neeraj Swarnkar, CEO, SNeT Labs.
