cert manager

Endi S. Dewata edited this page Sep 14, 2023 · 1 revision

Authentication

To authenticate as system:admin:

$ oc login -u system:admin

To authenticate as kubeadmin:

$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443

Installing cert-manager

To install cert-manager:

$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml

To verify the installation:

$ oc get pods -n cert-manager
NAME                                       READY     STATUS    RESTARTS   AGE
cert-manager-57cdd66b-ws6nc                1/1       Running   0          30s
cert-manager-cainjector-79f4496665-k7cbz   1/1       Running   0          30s
cert-manager-webhook-6d57dbf4f-dvqml       1/1       Running   0          30s

Creating ACME Issuer

To create an issuer, prepare the following file (e.g. acme-issuer.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer
spec:
  acme:
    email: admin@example.com
    server: https://acme.demo.dogtagpki.org/acme/directory
    privateKeySecretRef:
      name: acme-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx

Then execute the following command:

$ oc create -f acme-issuer.yaml

Verify with the following command:

$ oc describe clusterissuers acme-issuer
    ...
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    ...

To delete the issuer:

$ oc delete clusterissuers acme-issuer
$ oc delete secret acme-issuer-account-key -n cert-manager

Creating ACME Certificate

Prepare a Certificate configuration (e.g. acme-cert.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
spec:
  secretName: acme-cert-tls
  dnsNames:
  - www.example.com
  issuerRef:
    name: acme-issuer
    kind: ClusterIssuer

Then execute the following command:

$ oc create -f acme-cert.yaml

To check the certificate status:

$ oc describe certificate acme-cert
    ...
    Message:               Waiting for CertificateRequest "acme-cert-<request>" to complete
    Reason:                InProgress
    ...

To check the certificate request status:

$ oc describe certificaterequest acme-cert-<request>

To check the order status:

$ oc describe order acme-cert-<order>
    ...
    Challenges:
      Token:     <token>
      Type:      dns-01
      URL:       http://acme.default.svc.cluster.local:8080/acme/chall/<challenge ID>
      Token:     <token>
      Type:      http-01
      URL:       http://acme.default.svc.cluster.local:8080/acme/chall/<challenge ID>
    ...
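
To confirm what was actually issued once the order completes, the following added example (not part of the original wiki page) waits for the Certificate to become Ready and checks that the certificate stored in the acme-cert-tls secret lists every requested DNS name. The 300s timeout and the script name verify-acme-cert.sh are assumptions, and `openssl x509 -ext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the wiki. The names acme-cert, acme-cert-tls and
# www.example.com come from the manifests on this page; the timeout is assumed.

# Print the dNSName entries found in `openssl x509 -noout -ext subjectAltName`
# output read on stdin, one name per line.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# missing_sans SAN_TEXT NAME...
# Print each expected NAME that is absent from the certificate's SAN list.
# Returns 0 only when every expected name is present.
missing_sans() {
    san_text=$1; shift
    have=$(printf '%s\n' "$san_text" | san_dns_names)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qixF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Wait for the Certificate to become Ready, then inspect what was issued.
verify_acme_cert() {
    oc wait --for=condition=Ready certificate/acme-cert --timeout=300s || return 1
    # The issued chain is stored base64-encoded under the tls.crt key.
    pem=$(oc get secret acme-cert-tls -o jsonpath='{.data.tls\.crt}' | base64 -d) || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName)
    missing_sans "$san" www.example.com
}

# Touch the cluster only when asked to: sh verify-acme-cert.sh --run
if [ "${1:-}" = "--run" ]; then verify_acme_cert; fi
```

A non-zero exit from `verify_acme_cert` means the Certificate did not become Ready in time or a requested name is missing from the issued certificate; the missing names are printed.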

Deleting ACME Certificate

$ oc delete cert acme-cert

Deleting ACME Issuer

$ oc delete clusterissuer acme-issuer

Troubleshooting

$ oc logs -n cert-manager deploy/cert-manager -f

See Also