Cert-manager and boulder

Hello,

I am trying to use cert-manager with boulder to test ACME certificates. I am getting the following error when I try to create an issuer:

kubectl describe issuers.cert-manager.io letsencrypt-staging-local
Name:         letsencrypt-staging-local
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-staging-local","namespace":"defa...
API Version:  cert-manager.io/v1alpha2
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-11-13T19:04:23Z
  Generation:          1
  Resource Version:    23122
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/letsencrypt-staging-local
  UID:                 2b1a62bc-cac8-4460-8065-2125256a9407
Spec:
  Acme:
    Email:  example@gmail.com
    Private Key Secret Ref:
      Name:  letsencrypt-staging-local
    Server:  http://localhost:4001/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
  Conditions:
    Last Transition Time:  2019-11-13T19:04:23Z
    Message:               Failed to verify ACME account: Get http://localhost:4001/directory: dial tcp [::1]:4001: connect: connection refused
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                Age                From          Message
  ----     ------                ----               ----          -------
  Warning  ErrVerifyACMEAccount  23s (x3 over 28s)  cert-manager  Failed to verify ACME account: Get http://localhost:4001/directory: dial tcp [::1]:4001: connect: connection refused
  Warning  ErrInitIssuer         23s (x3 over 28s)  cert-manager  Error initializing issuer: Get http://localhost:4001/directory: dial tcp [::1]:4001: connect: connection refused

And here is my issuer YAML file:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-staging-local
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: example@gmail.com
    server: http://localhost:4001/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-staging-local
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

:wave: Hi @adibrastegarnia, welcome to the community forum.

I suspect this isn't the correct server address to use because the Boulder instance won't be local to the container that cert-manager is running in. I'm not familiar enough with either cert-manager or k8s to know for certain but I'd expect you would need to provide a FQDN/IP address external to the k8s cluster where the Boulder WFE2 instance is running.


@cpu I think you are right. I should check a few things and then get back to you if that works.


One other thought: depending on your needs you might find it easier to use Pebble instead of Boulder. It’s much simpler and easier to get going. I also know the Cert-manager developers use Pebble for their own end-to-end integration tests so it should be pretty easy to get going in your env. by consulting the cert-manager source code.

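An added check (not from this thread or from cert-manager or Boulder) that makes the two points above concrete: the Issuer's server URL must name a host that resolves from inside the cluster, not the cert-manager pod's own loopback, and the quickest way to confirm that is to fetch the directory from a throwaway pod. The Service name pebble.acme.svc.cluster.local, namespace acme and port 14000 with path /dir are assumptions (14000 and /dir are Pebble's defaults).

```shell
#!/bin/sh
# Added example: validate and probe an ACME directory URL the way cert-manager
# will see it, i.e. from a pod inside the cluster.

# Reduce a URL to its bare host (brackets kept for IPv6 literals).
acme_url_host() {
  printf '%s' "$1" | sed -e 's#^[a-z]*://##' -e 's#/.*$##' -e 's#:[0-9]*$##'
}

# Succeed (0) when the host is a loopback address. From a cert-manager pod
# such a URL reaches the pod itself, which is the "connection refused" in
# the thread, never the Boulder/Pebble container.
is_loopback_acme_url() {
  case "$(acme_url_host "$1")" in
    localhost|127.*|'[::1]'|'::1') return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch the directory from a one-off curl pod so DNS and routing are tested
# from the same network position as cert-manager. -k is only acceptable for
# Pebble's self-signed test certificate; a plain-http Boulder needs no TLS.
probe_acme_directory() {
  kubectl run acme-probe --rm -i --restart=Never \
    --image=curlimages/curl -- curl -fsS -k "$1"
}

# Assumed in-cluster Service for Pebble (name, namespace and port are guesses).
ACME_SERVER="${ACME_SERVER:-https://pebble.acme.svc.cluster.local:14000/dir}"

main() {
  if is_loopback_acme_url "$1"; then
    echo "refusing: $1 points at the pod's own loopback interface" >&2
    return 1
  fi
  probe_acme_directory "$1"
}

# Only probe when invoked with an argument, e.g. ./check.sh "$ACME_SERVER".
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

If the probe prints the directory JSON, the same URL will work in spec.acme.server; if it fails with a DNS or connection error, the Issuer will fail the same way.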

Thanks for the pointer. I will take a look.

