Score:0

Kubernetes Nginx Ingress with Cert Manager and letsencrypt does not allow wildcards in domain names


I have a self-hosted Kubernetes cluster with an Nginx Ingress. Cert-manager is also running on the cluster, with which I try to get valid SSL certificates using Letsencrypt. It all works and I get a valid certificate for example.com, www.example.com or app1.example.com, but not for a general wildcard *.example.com. If I try in any way to enter a wildcard in my ingress under spec.tls.hosts, no certificate is generated for me. I get the output for

kubectl get certificate

NAME              READY   SECRET            AGE
tls-test-cert     False   tls-electi-cert   20h

kubectl get CertificateRequest

NAME                    APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-test-cert-8jw75     True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   18m

kubectl describe CertificateRequest

[...]
Status:
  Conditions:
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From          Message
  ----    ------           ----  ----          -------
  Normal  cert-manager.io  18m   cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     18m   cert-manager  Created Order resource gateway/tls-test-cert-8jw75-1425588341
  Normal  OrderPending     18m   cert-manager  Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""

My Nginx Ingress: (I swapped my domain to example.com for this post)

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-management
  namespace: gateway
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
  - secretName: tls-test-cert
    hosts:
      - example.com
      - '*.example.com'
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
    - host: '*.example.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80

Issuer: (I've redacted my email here)

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: *******
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

My reverse proxy (test-gateway) definitely works and forwards all subdomains to my website. Thanks in advance for any ideas as to what might be causing this.

Hi TaLeDa welcome to SF. To the best of my knowledge, [one cannot issue wildcard certs using http01 verifier](https://cert-manager.io/docs/faq/sync-secrets/#serving-a-wildcard-to-ingress-resources-in-different-namespaces-default-ssl-certificate) (since it would require unlimited http requests to prove all the `*` hosts). You'll be happier requesting a [`wildcard: true`](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.Challenge) cert and then just attaching it to your Ingress. Good luck!

Thank you, that solved my problem. Have a nice day.

Then please [add and accept your own answer](https://serverfault.com/help/self-answer), so others can benefit from your experience -- that's the whole point of this site.
Score:0

Thanks for the help, I was able to solve my problem:

Basically, I had to find a new approach because no wildcard certificate can be issued with http01 (see here: https://cert-manager.io/docs/configuration/acme/). After a little research I came to the conclusion that it makes the most sense to use a dns01 solver. Documentation can be found here: https://cert-manager.io/docs/configuration/acme/dns01/

Since the configuration of the dns01 depends heavily on your DNS provider, I will not publish my solution here, but a useful configuration can easily be found with the documentation.
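The comment above suggests requesting the wildcard certificate separately and then attaching it to the Ingress, and the answer says to switch to a dns01 solver. The following manifests are an added example of that combination and are not the poster's own configuration: they assume Cloudflare as the DNS provider (any other cert-manager dns01 provider is configured the same way under `solvers`), a ClusterIssuer named `letsencrypt-staging-dns` so that the Ingress in the `gateway` namespace can reference it, a hypothetical Secret `cloudflare-api-token` holding the API token, and the placeholder e-mail `admin@example.com`.

```yaml
# Added example (not from the original post): wildcard certificate for
# example.com via a cert-manager dns01 solver. Provider, names and the token
# value are assumptions; replace them with your own.
---
# 1. API token for the DNS provider. For a ClusterIssuer the secret must live
#    in cert-manager's own namespace. Scope the token to DNS edits on the one
#    zone it needs; it only has to create and delete the _acme-challenge TXT
#    record during validation.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "<REPLACE-WITH-TOKEN-SCOPED-TO-ZONE-DNS-EDIT>"
---
# 2. Issuer using dns01 instead of http01. The selector keeps this solver from
#    being used for zones the token cannot touch.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns
spec:
  acme:
    # Staging directory as in the question; swap for the production URL
    # (https://acme-v02.api.letsencrypt.org/directory) once it works.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com   # placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-dns
    solvers:
      - selector:
          dnsZones:
            - example.com
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
---
# 3. Explicit Certificate in the Ingress' namespace. A wildcard name does not
#    cover the apex (*.example.com matches app1.example.com but neither
#    example.com nor a.b.example.com), so both names are listed.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: gateway
spec:
  secretName: tls-test-cert
  issuerRef:
    name: letsencrypt-staging-dns
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - "*.example.com"
---
# 4. Ingress that only consumes the secret. The cert-manager.io/cluster-issuer
#    annotation is intentionally absent: with it present, cert-manager's
#    ingress-shim would create a second Certificate for the same secretName
#    and the two would fight over it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-management
  namespace: gateway
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
    - secretName: tls-test-cert
      hosts:
        - example.com
        - "*.example.com"
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
    - host: "*.example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
```

After applying, `kubectl -n gateway get certificate wildcard-example-com` should turn `READY` to `True` once the TXT record has propagated; if it stays `False`, `kubectl -n gateway describe challenge` shows whether the provider call or the DNS lookup is the part that fails. A certificate in `tls-test-cert` can then be reused by other Ingresses in the same namespace, or copied to other namespaces as the FAQ linked in the comment describes.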
