Getting a Certificate through Let’s Encrypt
Let’s Encrypt is a certificate authority that provides free SSL/TLS certificates via an automated process. Their certificates are accepted by most of today’s browsers.
On APPUiO Cloud we provide you with a cert-manager setup which you can use to create, sign, install and renew certificates for your domains running on APPUiO Cloud.
To create a certificate for a FQDN in your domain, you need to create a CNAME record in your domain’s DNS pointing to your APPUiO Zone’s well-defined
For example in BIND:
www IN CNAME cname.cloudscale-lpg-0.appuio.cloud. (1)
|1||The trailing dot is required to stop resolvers trying to resolve the cname with their configured search domains.|
You can find the correct target domain in Zones.
Always create an
Securing an Ingress
A common use-case for cert-manager is requesting TLS certificates to secure your ingress resources. This can be done by simply adding annotations to your ingress resources and cert-manager will facilitate creating the Certificate resource for you.
The following example will request a certificate for
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-production (1) name: myingress namespace: mynamespace (2) spec: rules: - host: example.com http: paths: - pathType: Prefix path: / backend: service: name: myservice port: number: 80 tls: (3) - hosts: - example.com secretName: myingress-cert (4)
|1||Add an annotation indicating the issuer to use.|
|2||Change this to the name of the namespace you want that object to be created in.|
|3||Placing a host in the TLS config will determine what ends up in the cert’s subjectAltNames.|
|4||The created certificate is stored in this secret.|
The TLS certificate
Secret is automatically created by the
type set to
If you need to create the
Secret yourself, you will have to set the same
type and set the
data field with
Secret isn’t defined with the type
Ingress won’t be able to automatically create the corresponding
Take a look at the upstream documentation for further information on how to secure ingresses.
We don’t support requesting TLS certificates for OpenShift
Issuing a Certificate
You can also use our cert-manager setup for general purpose certificates not directly linked to an
This can for example be helpful for terminating TLS directly at the pod.
To do this you’ll still need to setup the correct CNAME.
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-cert spec: dnsNames: (1) - 'my-domain.example.com' issuerRef: (2) kind: ClusterIssuer name: letsencrypt-production secretName: my-cert (3)
|1||For which domains the certificate will be valid for.|
|2||Reference to the issuer to use.|
|3||The created certificate is stored in this secret.|
The upstream documentation can give you more details on
Let’s Encrypt Staging Issuer
We highly recommend testing against the Let’s Encrypt staging environment and use it for any non-production workloads. This will allow you to get things right before issuing trusted certificates and reduce the chance of you running up against rate limits.
You can use this Issuer by referencing the
Ingress objects this means changing the
For certificate resources this means changing
Using a Custom Issuer
You have the option to configure your own certificate issuer.
This allows you to securely use a
DNS01 ACME solver or use any other external issuers.
DNS01 based solver will for example allow you to request wildcard certificates.
Take a look at the official cert-manager documentation for an in-depth explanation on issuers.
We give an example configuration for a
DNS01 based issuer using Cloudflare as provider.
If you want to use a
See the cert-manager documentation for a list of supported DNS providers.
First make a Kubernetes secret containing a Cloudflare API token with the necessary permissions:
apiVersion: v1 kind: Secret metadata: name: cloudflare-api-token-secret namespace: your-namespace type: Opaque stringData: api-token: <API Token>
Then create a new
Issuer in your namespace referencing the secret.
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: custom-issuer namespace: your-namespace spec: acme: solvers: - dns01: cloudflare: email: email@example.com apiTokenSecretRef: name: cloudflare-api-token-secret key: api-token
With this in place you can now create certificates using your custom issuer.
Similarly to using the default issuer you can do this through an
Ingress or a
The API token
Ingress objects you need to replace the
cert-manager.io/cluster-issuer annotation with:
Certificate objects will need to reference the local custom issuer instead of the cluster wide issuer.
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-cert spec: dnsNames: - 'my-domain.example.com' issuerRef: kind: Issuer name: custom-issuer secretName: my-cert
When setting up a custom