Due to company's security and compliance I don't have an option to open port 80 for LE certificate. From the words regarding LE http challenge, "It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates", I tried to achieve by http-to-https redirection using the redirection feature on CDN but with no luck.
I am using cert-manager as acme client for requesting ssl cert.
If anyone has success, can you please guide how did you achieve the redirection.
You should be able to use your CDN for http-to-https redirection. Why didn’t it work?
What is the ACME client and webserver you’re using?
3 Likes
Cert-manager is my ACME client along with Istio as Ingress.
There is no exclusive webserver in current case
Are you able to use the DNS Challenge to avoid using HTTP(s) port challenge?
3 Likes
No, I can't use DNS challenge too.
1 Like
It should be possible to have your CDN redirect http to https, and then have your ingress forward to cert-manager.
But without knowing more, it's not going to be possible to help you.
At a very minimum, please share the error messages you got from Let's Encrypt trying to issue the certificate.
Sharing the domain name would also be helpful for anyone diagnosing. So would sharing your cert-manager configuration.
Additionally, you may get more help in the cert-manager communities like their Slack.
3 Likes
You do have to perform http-01 on port 443 if you do that. I don't know how to tell cert-manager to do that.
Did you do that?
3 Likes
I am not sure if I understood the concept of https redirection.
Currently we have a firewall infront of k8s cluster where services exposed with internal load balancer. Basically the way traffic routed is Firewall --> Internal LB --> Services in K8s. As we are using Istio as service mesh, we are trying to leverage cert-manager for certificate management.
Now I am planning to use CDN infront of Firewall for https redirection before the traffic reaches Firewall.
I just see that the validation is pending from below logs:
43s Normal Created order/certtest-1-3687962408 Created Challenge resource "certtest-1-3687962408-1096338531" for domain "testforssl.awscloud.org.uk"
43s Normal WaitingForApproval certificaterequest/certtest-1 Not signing CertificateRequest until it is Approved
43s Normal WaitingForApproval certificaterequest/certtest-1 Not signing CertificateRequest until it is Approved
43s Normal WaitingForApproval certificaterequest/certtest-1 Not signing CertificateRequest until it is Approved
43s Normal WaitingForApproval certificaterequest/certtest-1 Not signing CertificateRequest until it is Approved
43s Normal WaitingForApproval certificaterequest/certtest-1 Not signing CertificateRequest until it is Approved
43s Normal cert-manager.io certificaterequest/certtest-1 Certificate request has been approved by cert-manager.io
43s Normal OrderCreated certificaterequest/certtest-1 Created Order resource istio-system/certtest-1-3687962408
43s Normal OrderPending certificaterequest/certtest-1 Waiting on certificate issuance from order istio-system/certtest-1-3687962408: ""
44s Normal Issuing certificate/certtest Issuing certificate as Secret does not exist
43s Normal Generated certificate/certtest Stored new private key in temporary Secret resource "certtest-9glsz"
43s Normal Requested certificate/certtest Created new CertificateRequest resource "certtest-1"
On the CDN side, I wrote 2 rules, i.e.
- one rule for redirecting http traffic to https
- Another rule for forwarding https traffic to Firewall IP (Firewall IP is configured with port 443 DNAT'ed to Internal IP of LB (port 43).
Let me know if I am missing any logic, or a better way to debug.
I dont think it is possible to request http-01 over 443 port.
If it only accessed by CDN , Can CDN get own certificate?
Most CDN provider will have concept of origin certificate that trusted just by you and them
Example s
3 Likes
If you redirect at the cdn, you might have to.
2 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.