Generate TLS certificates using ACME Issuers
Cert Manager supports issuing certificates through different Issuers. For instance, you can use a public ACME (Automated Certificate Management Environment) server to issue the certificates.
NOTE: Find the list of available Issuers in the Cert Manager official documentation.
To configure Cert Manager, create an Issuer object. The structure of this object differs depending on the Issuer type. For ACME, it is necessary to include the information for a single account registered in the ACME Certificate Authority server.
Once Cert Manager is configured to use ACME, it will verify that you are the owner of the domains for which certificates are being requested. Cert Manager uses two different challenges to verify that you are the owner of your domain: HTTP01 or DNS01. Learn more about ACME challenges.
NOTE: Learn more about the process to solve challenges in the official documentation.
To create a ACME issuer for use with Let’s Encrypt, declare an Issuer as shown below:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
# Replace the EMAIL-ADDRESS placeholder with the correct email account
email: EMAIL-ADDRESS
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
Next, use the ClusterIssuer to generate certificates for the applications in your Kubernetes cluster. Learn how to secure your Ingress resources.
After the Ingress resource is ready, Cert Manager verifies the domain using HTTP01/DNS01 challenges. During this verification process, the controller log can be used to check the status, as shown below:
$ kubectl get certificates
NAME READY SECRET AGE
letencrypt-ca False letencrypt-ca X
The status remains False whilst verification is in progress. This status will change to True when the HTTP01 verification is completed successfully.
$ kubectl get certificates
NAME READY SECRET AGE
letencrypt-ca True letencrypt-ca X
$ kubectl get secrets
NAME TYPE DATA AGE
letencrypt-ca kubernetes.io/tls 3 Xm