Cert Manager Application SSL Certificate Process and Related Concepts - I

This article was last updated on February 7, 2024.

On March 9, 2022 I successfully applied for a wildcard certificate (*.e-whisper.com) with cert-manager. On April 30, 2022, 30 days before the certificate expired, cert-manager tried to auto-renew it, but the renewal failed. 😱😱😱

Then, a few days later on May 8, 2022, the renewal finally succeeded, as shown in the following figure:

The successfully renewed e-whisper.com wildcard certificate

This is a good occasion to look at cert-manager's SSL certificate application process and the concepts involved in it.

Chinese and English comparison table

| English | K8S CRD | Chinese (translated) | Notes |
| --- | --- | --- | --- |
| certificates | Certificate | Certificate | certificates.cert-manager.io/v1 |
| certificate issuers | Issuer | Certificate issuer | issuers.cert-manager.io |
| cluster certificate issuers | ClusterIssuer | Cluster certificate issuer | clusterissuers.cert-manager.io |
| certificate request | CertificateRequest | Certificate request | certificaterequests.cert-manager.io |
| order | Order | (Certificate) order | orders.acme.cert-manager.io |
| challenge | Challenge | (Certificate) challenge | challenges.acme.cert-manager.io |
| SelfSigned | | Self-signed | A type of cert-manager Issuer |
| CA | | Certificate Authority | Short for Certificate Authority; a type of cert-manager Issuer |
| Vault | | Vault | A type of cert-manager Issuer, backed by HashiCorp Vault |
| Venafi | | Venafi | Online certificate processing service; currently not used much |
| External | | External | A type of cert-manager Issuer |
| ACME | | Automated Certificate Management Environment | Abbreviation for Automated Certificate Management Environment; a type of cert-manager Issuer, with HTTP01 and DNS01 solvers |

Introduction to Cert Manager

cert-manager adds certificates and certificate issuers as resource types to the Kubernetes cluster and simplifies the process of obtaining, renewing, and using these certificates.

It can issue certificates from a variety of supported sources, including Let's Encrypt, HashiCorp Vault, Venafi, and private PKI.

📝 Notes:

The most commonly used mainstream source is Let's Encrypt.

It ensures that certificates stay valid and up to date, and attempts to renew each certificate within a configured period before it expires.

High-level overview diagram of the cert-manager architecture

Issuer

After installing cert-manager, the first thing you need to configure is a certificate issuer, which you can then use to issue certificates.

cert-manager comes with several built-in certificate issuers, which live in the cert-manager.io API group. In addition to the built-in types, you can install external certificate issuers. Built-in and external issuers are treated the same way and are configured similarly.

There are the following types of certificate issuers:

  • SelfSigned
  • CA (Certificate Authority)
  • Hashicorp Vault
  • Venafi (SaaS service)
  • External
  • ACME (Automated Certificate Management Environment)
    • HTTP01
    • DNS01

Without going into detail here, the certificate issuers in my current environment are as follows:

SelfSigned

As follows:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  annotations:
    meta.helm.sh/release-name: cert-manager-webhook-dnspod
    meta.helm.sh/release-namespace: cert-manager
  labels:
    app: cert-manager-webhook-dnspod
    app.kubernetes.io/managed-by: Helm
    chart: cert-manager-webhook-dnspod-1.2.0
    heritage: Helm
    release: cert-manager-webhook-dnspod
  name: cert-manager-webhook-dnspod-selfsign
  namespace: cert-manager
status:
  conditions:
  - lastTransitionTime: '2022-03-01T13:38:53Z'
    observedGeneration: 1
    reason: IsReady
    status: 'True'
    type: Ready
spec:
  selfSigned: {}
```

ACME - HTTP01

As follows:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  annotations:
    meta.helm.sh/release-name: rancher
    meta.helm.sh/release-namespace: cattle-system
  generation: 2
  labels:
    app: rancher
    app.kubernetes.io/managed-by: Helm
    chart: rancher-2.6.4
    heritage: Helm
    release: rancher
  name: rancher
  namespace: cattle-system
status:
  acme: {}
  conditions:
  - lastTransitionTime: '2022-03-08T14:34:08Z'
    message: The ACME account was registered with the ACME server
    observedGeneration: 2
    reason: ACMEAccountRegistered
    status: 'True'
    type: Ready
spec:
  acme:
    preferredChain: ''
    privateKeySecretRef:
      name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress: {}
```

ACME - DNS01

As follows:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: cert-manager-webhook-dnspod
    meta.helm.sh/release-namespace: cert-manager
  labels:
    app: cert-manager-webhook-dnspod
    app.kubernetes.io/managed-by: Helm
    chart: cert-manager-webhook-dnspod-1.2.0
    heritage: Helm
    release: cert-manager-webhook-dnspod
status:
  acme:
    lastRegisteredEmail: [email protected]
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/431637010
  conditions:
  - lastTransitionTime: '2022-03-01T13:38:55Z'
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: 'True'
    type: Ready
spec:
  acme:
    email: [email protected]
    preferredChain: ''
    privateKeySecretRef:
      name: cert-manager-webhook-dnspod-letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            secretId: <my-secret-id>
            secretKeyRef:
              key: secret-key
              name: cert-manager-webhook-dnspod-secret
            ttl: 600
          groupName: acme.imroc.cc
          solverName: dnspod
```
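The issuer objects above are what `kubectl get -o json` hands back, so their status and spec can be checked programmatically. The following Python is an added example, not code from this post or from cert-manager: it reads the Ready condition, identifies the solver kind, decides whether an issuer can serve a wildcard name like *.e-whisper.com (ACME only proves wildcards with dns01, never http01), and computes the point at which cert-manager starts renewing (by default when 1/3 of the lifetime remains, 30 days for a 90-day Let's Encrypt certificate). The issuer dict is constructed to mirror the dnspod ClusterIssuer shown above; `renew_before_days` stands in for spec.renewBefore.

```python
from datetime import datetime, timedelta

# Constructed stand-in for `kubectl get clusterissuer -o json`, trimmed to the
# fields the checks below read; it mirrors the dnspod ClusterIssuer on this page.
DNSPOD_ISSUER = {
    "spec": {"acme": {
        "solvers": [{"dns01": {"webhook": {"solverName": "dnspod"}}}],
    }},
    "status": {"conditions": [
        {"type": "Ready", "status": "True", "reason": "ACMEAccountRegistered"},
    ]},
}

def is_ready(issuer):
    """True only if a Ready condition exists and its status is the string 'True'."""
    for cond in issuer.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False  # no condition yet: the issuer has not been reconciled

def solver_kinds(issuer):
    """ACME issuers: the solver kinds configured ('http01' / 'dns01').
    Other issuers: the spec key, e.g. ['selfSigned'], ['ca'], ['vault']."""
    spec = issuer.get("spec", {})
    if "acme" not in spec:
        return list(spec)
    kinds = []
    for solver in spec["acme"].get("solvers", []):
        kinds.extend(k for k in ("http01", "dns01") if k in solver)
    return kinds

def can_issue(issuer, dns_names):
    """Wildcard names (*.example.com) can only be validated by ACME dns01;
    http01 cannot prove control of a wildcard, so such an Order would fail."""
    if not is_ready(issuer):
        return False
    if "acme" not in issuer.get("spec", {}):
        return True  # selfSigned / CA / Vault issuers sign whatever they are asked
    wants_wildcard = any(name.startswith("*.") for name in dns_names)
    return "dns01" in solver_kinds(issuer) or not wants_wildcard

def renewal_time(not_before, not_after, renew_before_days=None):
    """When cert-manager starts renewing, from the RFC 3339 timestamps kept in
    Certificate.status.notBefore/notAfter. Without spec.renewBefore the default
    is 1/3 of the lifetime before expiry (30 days for a 90-day certificate)."""
    nb = datetime.fromisoformat(not_before.replace("Z", "+00:00"))
    na = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
    lead = (na - nb) / 3 if renew_before_days is None else timedelta(days=renew_before_days)
    return (na - lead).isoformat().replace("+00:00", "Z")
```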

Let's take a look at the certificate application process.

Cert Manager Application SSL Certificate Process and Related Concepts - I
https://e-whisper.com/posts/1584/
Author: east4ming
Posted on: May 9, 2022
Licensed under