New to Voyager? Please start here.

Issue Let’s Encrypt certificate using HTTP-01 challenge

Deploy Voyager operator

Deploy Voyager operator following instructions here.

# install without RBAC
curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.1.0/hack/deploy/voyager.sh \
  | bash -s -- --provider=gke

If you are trying this on a RBAC enabled cluster, pass the flag --rbac to installer script.

# install with RBAC
curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.1.0/hack/deploy/voyager.sh \
  | bash -s -- --provider=gke --rbac

Create Ingress

  1. We are going to use a nginx server as the backend. To deploy nginx server, run the following commands:
kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80
  1. Now create Ingress ing.yaml
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/7.1.0/docs/examples/certificate/http/ing.yaml
  1. Wait for the LoadBlanacer ip to be assigned. Once the IP is assigned update your DNS provider to set the LoadBlancer IP as the A record for test domain kiteci.com
$ kubectl get svc  voyager-test-ingress
NAME                   CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
voyager-test-ingress   10.39.243.239   104.198.234.66   80:32266/TCP,443:31282/TCP   19m
  1. Now wait a bit for DNs to propagate. Run the following command to confirm DNS propagation.
$ dig +short kiteci.com
104.198.234.66
  1. Now open URL http://kiteci.com . This should show you the familiar nginx welcome page.

Create Certificate

  1. Create a secret to provide ACME user email. Change the email to a valid email address and run the following command:
kubectl create secret generic acme-account --from-literal=ACME_EMAIL=me@example.com
  1. Create the Certificate CRD to issue TLS certificate from Let’s Encrypt using HTTP challenge.
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/7.1.0/docs/examples/certificate/http/crt.yaml
  1. Now wait a bit and you should see a new secret named tls-kitecicom. This contains the tls.crt and tls.key .
$ kubectl get secrets
NAME                  TYPE                                  DATA      AGE
acme-account          Opaque                                3         20m
default-token-zj0wv   kubernetes.io/service-account-token   3         30m
tls-kitecicom         kubernetes.io/tls                     2         19m
$ kubectl describe cert kitecicom
Name:		kitecicom
Namespace:	default
Labels:		<none>
Annotations:	kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"voyager.appscode.com/v1beta1","kind":"Certificate","metadata":{"annotations":{},"name":"kitecicom","namespace":"default"},"spec":{"acmeU...
API Version:	voyager.appscode.com/v1beta1
Kind:		Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:			2017-10-29T22:07:45Z
  Deletion Grace Period Seconds:	<nil>
  Deletion Timestamp:			<nil>
  Resource Version:			1376
  Self Link:				/apis/voyager.appscode.com/v1beta1/namespaces/default/certificates/kitecicom
  UID:					97d91028-bcf5-11e7-bc3f-42010a800fd5
Spec:
  Acme User Secret Name:	acme-account
  Challenge Provider:
    Http:
      Ingress:
        API Version:	voyager.appscode.com/v1beta1
        Kind:		Ingress
        Name:		test-ingress
  Domains:
    kiteci.com
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  20m		20m		1	voyager operator			Normal		IssueSuccessful	Successfully issued certificate

If you look at the Ingress, you should see that /.well-known/acme-challenge/ path has been added to rules. It should look like this.

If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

Update Ingress to use TLS

  1. Now edit the Ingress to add spec.tls section.
$ kubectl edit ingress.voyager.appscode.com test-ingress

spec:
  tls:
  - hosts:
    - kiteci.com
    ref:
      kind: Certificate
      name: kitecicom

After editing, your Ingress should look similar to this.

  1. Now wait several seconds for HAProxy to reconfigure. If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

Now try the following commands:

$ curl -vv http://kiteci.com
* Rebuilt URL to: http://kiteci.com/
*   Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 80 (#0)
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://kiteci.com/
<
* Connection #0 to host kiteci.com left intact
$ curl -vv https://kiteci.com
* Rebuilt URL to: https://kiteci.com/
*   Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: kiteci.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=kiteci.com
* 	 start date: Sun, 29 Oct 2017 21:07:37 GMT
* 	 expire date: Sat, 27 Jan 2018 21:07:37 GMT
* 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Sun, 29 Oct 2017 22:31:59 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Thu, 14 Sep 2017 16:35:09 GMT
< ETag: "59baafbd-264"
< Accept-Ranges: bytes
< Strict-Transport-Security: max-age=15768000
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host kiteci.com left intact

Take your team where it needs to go.

Create your cluster in minutes. Our team is here to help and would be happy to chat with you.