
Cert-manager

Information

Cert-manager is an application deployed in Kubernetes.

  • The secretName must be unique: two ingresses must not share the same TLS secret.

  • Do not install the certificate in the secret yourself. If you want to manage the certificate manually, delete the cert-manager annotation from the ingress:

        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-prod   # <=========== DELETE THIS
            kubernetes.io/ingress.class: nginx
            nginx.ingress.kubernetes.io/enable-modsecurity: "true"

  • Cert-manager stores the issued certificate in the secret named by secretName, and the nginx ingress controller reads it from there.

Limitation

The Common Name (CN) in the certificate is limited to 64 characters. The Common Name is the FQDN host set in the ingress definition (spec.tls[].hosts and spec.rules[].host). See the example below.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: hello-world-ingress
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-staging
        nginx.ingress.kubernetes.io/enable-modsecurity: "true"
        nginx.ingress.kubernetes.io/modsecurity-snippet: |
          SecRuleEngine On
          SecAuditLog /dev/stdout
          Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - hello-world-ingress.demo.kaas.thalesdigital.io
        secretName: tls-secret
      rules:
      - host: hello-world-ingress.demo.kaas.thalesdigital.io
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: aks-helloworld-one
                port:
                  number: 80

References

Caution

Currently, the system does not prevent the use of host names exceeding the 64-character maximum. With a hostname longer than 64 characters, the certificate associated with the ingress will never become ready and no IP address will be assigned to the ingress.

However, a policy checks the ingress hostname length. If the hostname exceeds 64 characters, the following warning is printed:

    Warning: [check-ingress-host-max-length] Ingress host [your-hostname] with length of (xx) is longer than the maximum length of 64 for certificate issuer. No certificate will be issued
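The same length check can be run before an ingress is applied, so the problem is caught before cert-manager creates an order that lands in the "errored" state. The script below is an added example, not the policy's own code or part of cert-manager: it takes an Ingress object in the shape returned by `kubectl get ingress <name> -o json` (a plain dict), collects the hosts from spec.tls[].hosts and spec.rules[].host, reports any host over 64 characters in the policy's warning format, and also flags a secretName reused by several ingresses. The sample ingress and its over-long hostname are constructed for illustration.

```python
MAX_CN_LENGTH = 64                                   # Common Name limit
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"  # marks cert-manager-managed ingresses


def ingress_hosts(ingress):
    """Every host cert-manager would put in the certificate:
    spec.tls[].hosts and spec.rules[].host, de-duplicated, in order."""
    spec = ingress.get("spec", {})
    hosts = [h for tls in spec.get("tls", []) for h in tls.get("hosts", [])]
    hosts += [r["host"] for r in spec.get("rules", []) if "host" in r]
    return list(dict.fromkeys(hosts))


def check_ingress_host_max_length(ingress):
    """Warnings in the format of the check-ingress-host-max-length policy.
    Ingresses without the cert-manager annotation are not checked."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if ISSUER_ANNOTATION not in annotations:
        return []
    return [
        f"Warning: [check-ingress-host-max-length] Ingress host [{h}] "
        f"with length of ({len(h)}) is longer than the maximum length of "
        f"{MAX_CN_LENGTH} for certificate issuer. No certificate will be issued"
        for h in ingress_hosts(ingress) if len(h) > MAX_CN_LENGTH
    ]


def duplicate_secret_names(ingresses):
    """secretName values reused by more than one ingress (they must be unique)."""
    owners = {}
    for ing in ingresses:
        for tls in ing.get("spec", {}).get("tls", []):
            owners.setdefault(tls.get("secretName"), []).append(ing["metadata"]["name"])
    return {name: ings for name, ings in owners.items() if name and len(ings) > 1}


# Constructed sample in `kubectl get ingress -o json` shape; the host is
# longer than 64 characters, so the certificate would stay READY=False.
LONG_HOST = "hello-world-ingress-with-an-extremely-long-name.demo.kaas.thalesdigital.io"
SAMPLE_INGRESS = {
    "metadata": {"name": "hello-world-ingress",
                 "annotations": {ISSUER_ANNOTATION: "letsencrypt-staging"}},
    "spec": {"tls": [{"hosts": [LONG_HOST], "secretName": "tls-secret"}],
             "rules": [{"host": LONG_HOST, "http": {"paths": []}}]},
}

if __name__ == "__main__":
    for warning in check_ingress_host_max_length(SAMPLE_INGRESS):
        print(warning)
```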

Detailed error in resources

  • Check the certificate status

        kubectl get cert <your-cert>

    The READY column is set to False if there is an error during the certificate generation process, as shown below:

        NAME          READY   SECRET                   AGE
        <your-cert>   False   <your-cert>-tls-secret   175m

  • Check the error message

        kubectl describe cert <your-cert>

    Error output:

        cert-manager The certificate request has failed to complete and will be retried: Failed to wait for order resource "..." to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN