Cert Manager Application SSL Certificate Process and Related Concepts - I
This article was last updated on: July 24, 2024
2022.3.9: a wildcard certificate (*.e-whisper.com) was successfully applied for with cert-manager. 2022.4.30: 30 days before the certificate expired, cert-manager tried to auto-renew it, but the renewal failed. 😱😱😱
A few days later, on May 8, 2022, it finally succeeded. As shown in the following figure:
This case is a good opportunity to look at cert-manager’s SSL certificate application process and the concepts involved in it.
Chinese and English comparison table
| English | English - K8S CRD | Chinese | Notes |
|---|---|---|---|
| certificates | Certificate | Certificate | certificates.cert-manager.io/v1 |
| certificate issuers | Issuer | Certificate issuer | issuers.cert-manager.io |
| | ClusterIssuer | Cluster Certificate Issuer | clusterissuers.cert-manager.io |
| certificate request | CertificateRequest | Certificate Request | certificaterequests.cert-manager.io |
| order | Order | (Certificate) Order | orders.acme.cert-manager.io |
| challenge | Challenge | (Certificate) Challenge | challenges.acme.cert-manager.io |
| SelfSigned | | Self-signed | A type of cert-manager Issuer |
| CA | | Certificate Authority | Short for Certificate Authority; a type of cert-manager Issuer |
| Vault | | Vault | A type of cert-manager Issuer, the Hashicorp Vault |
| Venafi | | Venafi | Online certificate processing services, currently not used much |
| External | | External | A type of cert-manager Issuer |
| ACME | | Automated Certificate Management Environment | Abbreviation for Automated Certificate Management Environment; a cert-manager Issuer, including HTTP01 and DNS01 |
Introduction to Cert Manager
cert-manager adds certificates and certificate issuers as resource types to the Kubernetes cluster and simplifies the process of obtaining, renewing, and using these certificates.
It can issue certificates from a variety of supported sources, including Let’s Encrypt, HashiCorp Vault, Venafi, and private PKI.
📝Notes:
The commonly used mainstream source is Let’s Encrypt.
cert-manager ensures that certificates are valid and up to date, and attempts to renew each certificate at a configured time before it expires.
Issuer
After installing cert-manager, the first thing you need to configure is a certificate issuer, which you can then use to issue certificates.
cert-manager comes with some built-in certificate issuers, which are identified by being in the cert-manager.io group. In addition to the built-in types, you can install external certificate issuers. Built-in and external certificate issuers are treated the same and are configured in a similar way.
There are the following types of certificate issuers:
- SelfSigned
- CA (Certificate Authority)
- Hashicorp Vault
- Venafi (SaaS service)
- External
- ACME (Automated Certificate Management Environment)
  - HTTP01
  - DNS01
Without going into detail here, the certificate issuers in my current environment are as follows:
SelfSigned
As follows:
ACME - HTTP01
As follows:
ACME - DNS01
As follows:
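For reference, minimal ClusterIssuer manifests for the three issuer types above, as an added example that is not the author's own configuration. The resource names, e-mail address, Let's Encrypt staging endpoint, ingress class, Cloudflare as DNS provider and Secret names are all assumptions.

```yaml
# Added example; every name and value below is an assumption, not the author's.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-example
spec:
  selfSigned: {}            # no CA involved; each certificate signs itself
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-http01
spec:
  acme:
    # Staging endpoint: untrusted certificates, generous rate limits for testing.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:    # Secret that will hold the ACME account private key
      name: letsencrypt-staging-http01-account-key
    solvers:
      - http01:             # HTTP01 cannot validate wildcard names
          ingress:
            ingressClassName: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns01
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-dns01-account-key
    solvers:
      - dns01:              # DNS01 is required for wildcards such as *.example.com
          cloudflare:       # assumed DNS provider
            apiTokenSecretRef:   # token scoped to DNS edits on this zone only
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com
```

For a ClusterIssuer, cert-manager reads the referenced Secrets from its cluster resource namespace (cert-manager by default), so access to that namespace should be restricted accordingly.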
Let’s take a look at the application process for the certificate.