Examples - Use ACME clients with Certificate Manager

This article describes how to use Certbot and Kubernetes cert-manager as ACME clients with Smart ID Certificate Manager (CM). 

Examples using Certbot

Values used in this example that you need to replace with your own values in your setup:

    Parameter        Example value                                    Description
    --server         https://host.example.com/pgwy/acme/directory     This URL points to the Protocol Gateway installation that should act as ACME server.
    --email          ca-admin@example.com                             Change to a valid email address for your organisation.
    --eab-kid        keyID: "1"                                       The pre-registration keyid described in Example: ACME configuration in Protocol Gateway.
    --eab-hmac-key   lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk      The pre-registration hmac-key described in Example: ACME configuration in Protocol Gateway.





This is an example of using the certbot client to issue a single certificate from Protocol Gateway and CM.

Example using certbot

    certbot certonly \
      --agree-tos \
      --email ca-admin@example.com \
      --domain example.com \
      --server https://host.example.com/pgwy/acme/directory





This is an example of using the certbot client to issue a single certificate from Protocol Gateway and CM when the ACME server requires external account binding (EAB); the pre-registration key ID and HMAC key from the table above are passed with --eab-kid and --eab-hmac-key.

Example using certbot with pre-registration key

    certbot certonly \
      --agree-tos \
      --email ca-admin@example.com \
      --domain example.com \
      --server https://host.example.com/pgwy/acme/directory \
      --eab-kid certbot-kid-1 \
      --eab-hmac-key lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk



Example using Kubernetes.io and Cert-manager.io 

This example is based on the documentation here: https://cert-manager.io/docs/configuration/acme/ 

The CM installation and the Kubernetes cluster need network connectivity to each other, and an Ingress controller must be installed on the Kubernetes cluster; this example uses traefik. These requirements come from the ACME HTTP01 solver. If no such network connection is possible but the CM installation can reach the DNS server, you can use the DNS01 solver instead; see https://cert-manager.io/docs/configuration/acme/dns01/ for more information.

The following prerequisite applies for this example: Example: ACME configuration in Protocol Gateway

Values used in this example that you need to replace with your own values in your setup:

    Parameter   Example value                                    Description
    server      https://host.example.com/pgwy/acme/directory     This URL points to the Protocol Gateway installation that should act as ACME server.
    email       ca-admin@example.com                             Change to a valid email address for your organisation.
    name        test-demo-cm.example.com                         Example DNS name that a certificate shall be issued to.
    keyID       keyID: "1"                                       The pre-registration keyid described in Example: ACME configuration in Protocol Gateway.
    secret      lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk      The pre-registration hmac-key described in Example: ACME configuration in Protocol Gateway.





Before certificates can be created with cert-manager, a connection between cert-manager and CM must be set up by creating a ClusterIssuer. In this example, the ClusterIssuer is configured with a pre-registration key and an HTTP01 solver, based on https://cert-manager.io/docs/configuration/acme/. Setting up the ClusterIssuer is a system administrator task and is done in the cert-manager namespace; a separate namespace is used for the "user" certificates in later steps.

To set up the connection between cert-manager and Smart ID Certificate Manager:

  1. Change to the namespace that cert-manager is installed in.


    Change default namespace

    kubectl config set-context --current --namespace=cert-manager



  2. In Kubernetes, all sensitive information should be stored in Secrets. This example creates a Secret holding the pre-registration key.


    Create secret with pre-registration key

    kubectl create secret generic demo-cm-id1 --from-literal secret=lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk



  3. Create a file called clusterissuer.yaml with the following content. Change the keyID "1" on lines 11, 14 and 16 to your local keyID, and the secret name on line 14 to the Secret created in the step above. The secret on line 16 must be unique per ClusterIssuer. Change the URL to Protocol Gateway on line 17 and the ingress class on line 22. The skipTLSVerify: true on line 18 is required if your CM Protocol Gateway installation does not run with a certificate trusted by cert-manager.io (i.e. a public certificate).

    clusterissuer.yaml

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: demo-cm-id1
      namespace: cert-manager
    spec:
      acme:
        email: ca-admin@example.com
        externalAccountBinding:
          keyAlgorithm: HS256
          keyID: "1"
          keySecretRef:
            key: secret
            name: demo-cm-id1
        privateKeySecretRef:
          name: demo-cm-id1-private-key
        server: https://host.example.com/pgwy/acme/directory
        skipTLSVerify: true
        solvers:
        - http01:
            ingress:
              class: traefik
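The keyID and secret configured above, and the --eab-kid / --eab-hmac-key values in the Certbot section, are used for an ACME external account binding (RFC 8555, section 7.3.4): the client signs its new account public key with the pre-registration HMAC key, and the ACME server recomputes that signature before it accepts the account. The following Python script is an added example, not code from this page, from certbot or from cert-manager. It uses the page's key ID and HMAC key, a constructed placeholder account JWK, and an assumed newAccount URL under the page's directory URL, and shows both the client-side construction and the server-side check.

```python
# Added example: ACME external account binding (RFC 8555 section 7.3.4) built
# from the pre-registration key ID and HMAC key shown on the page, plus the check
# an ACME server performs on it. Standard library only.
import base64
import hashlib
import hmac
import json

# Values from the page's tables.
EAB_KEY_ID = "1"
EAB_HMAC_KEY_B64URL = "lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk"

# Assumed newAccount URL under the page's directory URL (not taken from the page).
NEW_ACCOUNT_URL = "https://host.example.com/pgwy/acme/directory/new-account"

# Constructed placeholder account public key (JWK). A real client uses the public
# half of its freshly generated account key; for the MAC computation only a stable
# JSON object is needed, so the coordinates below are not a real P-256 point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate",
    "y": "placeholder-y-coordinate",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(key_id: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: a JWS (alg HS256, kid = key ID) whose payload is the account JWK."""
    protected = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, registered_keys: dict, account_jwk: dict, new_account_url: str) -> bool:
    """Server side: look up the HMAC key by kid, recompute the MAC in constant time,
    and require the signed JWK to equal the key the outer newAccount request used."""
    protected = json.loads(b64url_decode(eab["protected"]))
    if protected.get("alg") != "HS256" or protected.get("url") != new_account_url:
        return False
    key_b64url = registered_keys.get(protected.get("kid"))
    if key_b64url is None:
        return False  # unknown pre-registration key ID
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


if __name__ == "__main__":
    eab = build_eab(EAB_KEY_ID, EAB_HMAC_KEY_B64URL, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    server_keys = {EAB_KEY_ID: EAB_HMAC_KEY_B64URL}  # what Protocol Gateway has pre-registered
    print("binding accepted:", verify_eab(eab, server_keys, ACCOUNT_JWK, NEW_ACCOUNT_URL))
    other_key = dict(ACCOUNT_JWK, x="another-x-coordinate")
    print("binding with a different account key:", verify_eab(eab, server_keys, other_key, NEW_ACCOUNT_URL))
```

The decoded HMAC key is 32 bytes, which is why the page's example value is 43 base64url characters. The check fails on a tampered payload, an unknown kid or a mismatch between the signed JWK and the account key, so the HMAC key is the credential that ties a new ACME account to the CA's pre-registration; that is the reason step 2 puts it in a Kubernetes Secret rather than in the manifest.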



  4. Create the ClusterIssuer by running the command: 

    Create ClusterIssuer

    kubectl create -f clusterissuer.yaml



  5. To show the details on the ClusterIssuer run this command:

    Example: Show information

    kubectl describe clusterissuer demo-cm-id1

    Sample output is shown below. The important part is the condition at the end, showing Type: Ready with Status: True, i.e. the ClusterIssuer is working.

    Example output

    Name:         demo-cm-id1
    Namespace:
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         ClusterIssuer
    Metadata:
      Creation Timestamp:  2020-09-08T09:02:26Z
      Generation:          1
      Resource Version:    24444944
      Self Link:           /apis/cert-manager.io/v1/clusterissuers/demo-cm-id1
      UID:                 554262b6-7678-4960-9e2b-5acf7923eecc
    Spec:
      Acme:
        Email:  ca-admin@example.com
        External Account Binding:
          Key Algorithm:  HS256
          Key ID:         1
          Key Secret Ref:
            Key:   secret
            Name:  demo-cm-id1
        Preferred Chain:
        Private Key Secret Ref:
          Name:  demo-cm-private-key
        Server:           https://host.example.com/pgwy/acme/directory
        Skip TLS Verify:  true
        Solvers:
          http01:
            Ingress:
              Class:  traefik
    Status:
      Acme:
        Last Registered Email:  ca-admin@example.com
        Uri:                    https://host.example.com/pgwy/acme/directory/account/6RqONO6qnQXsLnyDjVcuTA
      Conditions:
        Last Transition Time:  2020-09-08T09:02:30Z
        Message:               The ACME account was registered with the ACME server
        Reason:                ACMEAccountRegistered
        Status:                True
        Type:                  Ready
    Events:                    <none>





The next step is to issue a certificate which can be used inside Kubernetes. This example is based on: https://cert-manager.io/docs/usage/certificate/:

  1. Create a new namespace in the Kubernetes cluster and make it the default namespace for the current context.

    Example: Create new namespace

    kubectl create namespace demo
    kubectl config set-context --current --namespace=demo



  2. Create a file called certificate.yaml with the following content. Change dnsNames (line 7) and the ClusterIssuer name (line 11) to your local values.

    Example: certificate.yaml

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-demo-cm
    spec:
      dnsNames:
      - test-demo-cm.demo.com
      issuerRef:
        group: cert-manager.io
        kind: ClusterIssuer
        name: demo-cm-id1
      secretName: test-demo-cm



  3. Create the certificate object:

    Example: Create certificate

    kubectl create -f certificate.yaml

     

  4. When the certificate object is created, you can check its status by running the following command.
    The sample below was taken 12 seconds after the certificate object was created. The certificate is not yet valid: the Ready condition has Status: False with Reason: Expired, and the Issuing condition shows that renewal is in progress.

    Example: Check status of certificate (non-ready)

    kubectl describe certificate.cert-manager.io/test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:11Z
      Generation:          1
      Resource Version:    24662332
      Self Link:           /apis/cert-manager.io/v1/namespaces/mikan-cm/certificates/test-demo-cm
      UID:                 4c48b373-9f58-4015-b046-18ee74dd4191
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       demo-cm
      Secret Name:  test-demo-cm
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:43:11Z
        Message:               Certificate expired on Wed, 09 Sep 2020 05:47:14 UTC
        Reason:                Expired
        Status:                False
        Type:                  Ready
        Last Transition Time:  2020-09-09T07:43:12Z
        Message:               Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
        Reason:                Renewing
        Status:                True
        Type:                  Issuing
      Next Private Key Secret Name:  test-demo-cm-p5t8b
      Not After:                     2020-09-09T05:47:14Z
      Not Before:                    2020-09-09T05:37:14Z
      Renewal Time:                  2020-09-09T05:43:54Z
    Events:
      Type    Reason     Age   From          Message
      ----    ------     ----  ----          -------
      Normal  Issuing    12s   cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
      Normal  Reused     12s   cert-manager  Reusing private key stored in existing Secret resource "test-demo-cm"
      Normal  Requested  12s   cert-manager  Created new CertificateRequest resource "test-demo-cm-4qxvv"



  5. You can now follow the ACME protocol flow by running the describe command on the cert-manager objects involved: the CertificateRequest, then the Order while it is pending and again once it is valid. See a sample flow below.
    For more information, see https://cert-manager.io/docs/concepts/acme-orders-challenges/

    Example: Cert-manager ACME flow

    $ kubectl describe certificaterequest test-demo-cm-4qxvv
    Name:         test-demo-cm-4qxvv
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  cert-manager.io/v1
    Kind:         CertificateRequest
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generate Name:       test-demo-cm-
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  Certificate
        Name:                  test-demo-cm
        UID:                   4c48b373-9f58-4015-b046-18ee74dd4191
      Resource Version:  24662343
      Self Link:         /apis/cert-manager.io/v1/namespaces/demo/certificaterequests/test-demo-cm-4qxvv
      UID:               db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
    Spec:
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  ...
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:43:12Z
        Message:               Waiting on certificate issuance from order demo/test-demo-cm-4qxvv-1625194031: "pending"
        Reason:                Pending
        Status:                False
        Type:                  Ready
    Events:
      Type    Reason        Age  From          Message
      ----    ------        ---- ----          -------
      Normal  OrderCreated  22s  cert-manager  Created Order resource demo/test-demo-cm-4qxvv-1625194031

    $ kubectl describe order test-demo-cm-4qxvv-1625194031
    Name:         test-demo-cm-4qxvv-1625194031
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  acme.cert-manager.io/v1
    Kind:         Order
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  CertificateRequest
        Name:                  test-demo-cm-4qxvv
        UID:                   db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
      Resource Version:  24662344
      Self Link:         /apis/acme.cert-manager.io/v1/namespaces/demo/orders/test-demo-cm-4qxvv-1625194031
      UID:               c569526a-37ff-4ccc-a18b-8f5dcba5f2ef
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  ...
    Status:
      Authorizations:
        Challenges:
          Token:  AAbLo32puww081z5oKhzxg
          Type:   dns-01
          URL:    https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/dns-01
          Token:  AAbLo32puww081z5oKhzxg
          Type:   http-01
          URL:    https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/http-01
        Identifier:     test-demo-cm.demo.com
        Initial State:  pending
        URL:            https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ
        Wildcard:       false
      Finalize URL:  https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/finalize
      State:         pending
      URL:           https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg
    Events:
      Type    Reason   Age  From          Message
      ----    ------   ---- ----          -------
      Normal  Created  53s  cert-manager  Created Challenge resource "test-demo-cm-4qxvv-1625194031-543829935" for domain "test-demo-cm.demo.com"

    $ kubectl describe order test-demo-cm-4qxvv-1625194031
    Name:         test-demo-cm-4qxvv-1625194031
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  acme.cert-manager.io/v1
    Kind:         Order
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  CertificateRequest
        Name:                  test-demo-cm-4qxvv
        UID:                   db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
      Resource Version:  24662551
      Self Link:         /apis/acme.cert-manager.io/v1/namespaces/demo/orders/test-demo-cm-4qxvv-1625194031
      UID:               c569526a-37ff-4ccc-a18b-8f5dcba5f2ef
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  ...
    Status:
      Authorizations:
        Challenges:
          Token:  AAbLo32puww081z5oKhzxg
          Type:   dns-01
          URL:    https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/dns-01
          Token:  AAbLo32puww081z5oKhzxg
          Type:   http-01
          URL:    https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/http-01
        Identifier:     test-demo-cm.demo.com
        Initial State:  pending
        URL:            https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ
        Wildcard:       false
      Certificate:   ...
      Finalize URL:  https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/finalize
      State:         valid
      URL:           https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg
    Events:
      Type    Reason    Age  From          Message
      ----    ------    ---- ----          -------
      Normal  Created   99s  cert-manager  Created Challenge resource "test-demo-cm-4qxvv-1625194031-543829935" for domain "test-demo-cm.demo.com"
      Normal  Complete  35s  cert-manager  Order completed successfully



  6. After around a minute, the certificate should be ready. Most of that time is spent on the Kubernetes side, setting up the HTTP01 solver. In the sample output, look for the following information:
    The Ready condition with Status: True and Type: Ready indicates that the certificate is ready.
    In Events, you can see that the certificate was renewed after around 8 minutes.

    Example: Check status of certificate (ready)

    kubectl describe certificate.cert-manager.io/test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:11Z
      Generation:          1
      Resource Version:    24663796
      Self Link:           /apis/cert-manager.io/v1/namespaces/demo/certificates/test-demo-cm
      UID:                 4c48b373-9f58-4015-b046-18ee74dd4191
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       demo-cm
      Secret Name:  test-demo-cm
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:44:17Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:     2020-09-09T08:01:59Z
      Not Before:    2020-09-09T07:51:59Z
      Renewal Time:  2020-09-09T07:58:39Z
      Revision:      2
    Events:
      Type    Reason     Age                    From          Message
      ----    ------     ----                   ----          -------
      Normal  Issuing    9m36s                  cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
      Normal  Requested  9m36s                  cert-manager  Created new CertificateRequest resource "test-demo-cm-4qxvv"
      Normal  Reused     112s (x2 over 9m36s)   cert-manager  Reusing private key stored in existing Secret resource "test-demo-cm"
      Normal  Issuing    112s                   cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 07:50:56 +0000 UTC
      Normal  Requested  112s                   cert-manager  Created new CertificateRequest resource "test-demo-cm-k9zxc"
      Normal  Issuing    48s (x2 over 8m31s)    cert-manager  The certificate has been successfully issued



  7. You can also check the Secret that contains the actual certificate and its private key by using:

    Check secret

    kubectl describe secret test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/alt-names: test-demo-cm.demo.com
                  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/common-name: test-demo-cm.demo.com
                  cert-manager.io/ip-sans:
                  cert-manager.io/issuer-group: cert-manager.io
                  cert-manager.io/issuer-kind: ClusterIssuer
                  cert-manager.io/issuer-name: demo-cm
                  cert-manager.io/uri-sans:

    Type:  kubernetes.io/tls

    Data
    ====
    tls.crt:  2509 bytes
    tls.key:  1675 bytes
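The describe output in steps 4 and 6 is meant for reading by hand; for monitoring, the same status is available as JSON from `kubectl get certificate test-demo-cm -o json`. The following Python script is an added example, not part of this page or of cert-manager, that evaluates that JSON: it reads the Ready and Issuing conditions and the notAfter and renewalTime fields, and returns an alert flag when the certificate is not ready, has expired, or has passed its renewal time without a renewal in progress. The two embedded samples are constructed from the non-ready and ready describe outputs above, and the clock value is passed in so that the result is reproducible.

```python
# Added example (not from the page or cert-manager): evaluate a cert-manager
# Certificate from the JSON that "kubectl get certificate <name> -o json" returns,
# which is the machine-readable form of the "kubectl describe" output shown above.
import json
from datetime import datetime, timezone

# Spec shared by both constructed samples (values from the page's certificate.yaml).
SPEC = {
    "dnsNames": ["test-demo-cm.demo.com"],
    "issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "demo-cm"},
    "secretName": "test-demo-cm",
}

# Constructed sample modelled on the page's ready-state output (step 6).
SAMPLE_READY = json.dumps({
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "test-demo-cm", "namespace": "demo"},
    "spec": SPEC,
    "status": {
        "conditions": [
            {"type": "Ready", "status": "True", "reason": "Ready",
             "message": "Certificate is up to date and has not expired",
             "lastTransitionTime": "2020-09-09T07:44:17Z"},
        ],
        "notBefore": "2020-09-09T07:51:59Z",
        "notAfter": "2020-09-09T08:01:59Z",
        "renewalTime": "2020-09-09T07:58:39Z",
        "revision": 2,
    },
})

# Constructed sample modelled on the page's non-ready output taken 12 s after creation (step 4).
SAMPLE_NOT_READY = json.dumps({
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "test-demo-cm", "namespace": "demo"},
    "spec": SPEC,
    "status": {
        "conditions": [
            {"type": "Ready", "status": "False", "reason": "Expired",
             "message": "Certificate expired on Wed, 09 Sep 2020 05:47:14 UTC",
             "lastTransitionTime": "2020-09-09T07:43:11Z"},
            {"type": "Issuing", "status": "True", "reason": "Renewing",
             "message": "Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC",
             "lastTransitionTime": "2020-09-09T07:43:12Z"},
        ],
        "nextPrivateKeySecretName": "test-demo-cm-p5t8b",
        "notBefore": "2020-09-09T05:37:14Z",
        "notAfter": "2020-09-09T05:47:14Z",
        "renewalTime": "2020-09-09T05:43:54Z",
    },
})


def parse_k8s_time(value: str) -> datetime:
    """Kubernetes serialises timestamps as RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate_health(raw_json: str, now: datetime) -> dict:
    """Summarise a Certificate's status and decide whether it needs attention.

    'now' is a parameter rather than the wall clock so the check is reproducible.
    """
    obj = json.loads(raw_json)
    status = obj.get("status", {})
    conditions = {c["type"]: c for c in status.get("conditions", [])}
    ready = conditions.get("Ready", {}).get("status") == "True"
    issuing = conditions.get("Issuing", {}).get("status") == "True"

    seconds_remaining = None
    if "notAfter" in status:
        seconds_remaining = int((parse_k8s_time(status["notAfter"]) - now).total_seconds())

    # A renewal time in the past is only a problem if cert-manager has not started renewing.
    renewal_overdue = ("renewalTime" in status
                       and parse_k8s_time(status["renewalTime"]) <= now
                       and not issuing)
    expired = seconds_remaining is not None and seconds_remaining <= 0

    return {
        "name": f'{obj["metadata"]["namespace"]}/{obj["metadata"]["name"]}',
        "ready": ready,
        "ready_reason": conditions.get("Ready", {}).get("reason"),
        "issuing": issuing,
        "seconds_remaining": seconds_remaining,
        "renewal_overdue": renewal_overdue,
        "alert": (not ready) or expired or renewal_overdue,
    }


if __name__ == "__main__":
    print(certificate_health(SAMPLE_READY, parse_k8s_time("2020-09-09T07:55:00Z")))
    print(certificate_health(SAMPLE_NOT_READY, parse_k8s_time("2020-09-09T07:43:24Z")))
```

In a real pipeline the input comes from `kubectl get certificate -A -o json` and the loop runs over `items`; the decision logic is the same. The Issuing condition matters because, as the non-ready sample shows, cert-manager reports Ready: False with Reason: Expired while it is already renewing, and an alert that ignores Issuing would fire on every scheduled renewal.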



CI/CD tool integration based on ACME clients

For integration of continuous integration and continuous delivery (CI/CD) tools based on ACME clients, see the following links for information:

Related information



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.