K8s issuer and leaf certificate

systemlogic · December 1, 2018, 8:51am

Want to setup Issuer in K8s, It requires ca.crt and ca.key. Once issuer is setup, leaf certificate can be generated.
I am not able to setup Issuer with Lets encrypt. How can I get root/intermediate ca and its key from Let’s encrypt. I need steps/commands to follow.

My domain is: gcdo.in

I ran this command:
Harishs-MacBook-Air:letsEncrypt harora37$ kubectl create secret tls caakey --key=isrgrootx1.pem --cert=isrg-root-ocsp-x1.pem

It produced this output:
error: failed to load key pair tls: found a certificate rather than a key in the PEM for the private key

My web server is (include version): Kubernetes

The operating system my web server runs on is (include version): any

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes,

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

_az · December 1, 2018, 9:02am

What you’re trying to do is become a publicly trusted CA yourself, which is impossible. The ISRG X1 root key is not public, otherwise Let’s Encrypt would not be publicly trusted.

_az · December 1, 2018, 9:09am

If you are using cert-manager, perhaps you can refer to the documentation for setting up an ACME-based issuer: http://docs.cert-manager.io/en/latest/reference/issuers.html

systemlogic · December 1, 2018, 9:47am

Thanks for the link. I need something similar to

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: edge-services
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable HTTP01 validations
    http01: {}

Considering email will be replace with my email id. What and how to provide value to name under privateKeySecretRef

Will certificate issue using Certificate yml valid?

_az · December 1, 2018, 10:09am

I haven’t used cert-manager myself, but I think it’s just the arbitrary name of the kube secret where it will store the ACME account key.

systemlogic · December 1, 2018, 12:56pm

thanks, There is some problem and valid certificate is not applying

Harishs-MacBook-Air:letsEncrypt harora37$ kubectl describe certificate.certmanager.k8s.io/gcdo-in 
Name:         gcdo-in
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-12-01T11:31:10Z
  Generation:          1
  Resource Version:    3778467
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/gcdo-in
  UID:                 9a1fd7f9-f55c-11e8-931f-963727d5a4c7
Spec:
  Common Name:  gcdo.in
  Dns Names:
    www.gcdo.in
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-prod
  Secret Name:  gcdo-in-tls
Status:
  Conditions:
    Last Transition Time:  2018-12-01T11:31:11Z
    Message:               spec.acme must be specified
    Reason:                InvalidConfig.   # WHY THIS ERROR
    Status:                False
    Type:                  Ready
Events:                    <none>
Harishs-MacBook-Air:letsEncrypt harora37$ kubectl describe issuer.certmanager.k8s.io/letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Issuer
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-12-01T11:31:10Z
  Generation:          1
  Resource Version:    3778466
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
  UID:                 99f708d7-f55c-11e8-931f-963727d5a4c7
Spec:
  Acme:
    Email:  someone@email.com
    Http 01:
    Private Key Secret Ref:
      Key:   
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxxxx. #some number I have replaced with x
  Conditions:
    Last Transition Time:  2018-12-01T11:31:10Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Any Idea what is wrong ? Events are not firing up.

system · December 31, 2018, 12:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.