TLS, ambassador, cert-manager, and HTTP challenge


Hello all. I’m trying to set up a config with ambassador in Azure.
For now, ambassador is just used as an ingress controller, and that works fine.
Troubles arrive when I try to set up a TLS config using cert-manager.
I can’t use the DNS acme-challenge since my TLS domain is the one created for my K8S by Azure (something like myrepo.westeurope.cloudapp.azure.com).

That’s why I’m stuck using HTTP challenge resolution.

The problem comes from how cert-manager works.
Once configured, to be able to challenge the domain, cert-manager will dynamically generate a deployment / service / ingress to be able to expose the famous .well-known/acme-challenge/OXiBFblablablalbla URL.

Since we don’t have any ingress controller installed, the service is not reachable.

Of course I tried to implement my own service to handle the request correctly, but it doesn’t work at all. (Well, today the URLs and name are hardcoded; that’s another problem to solve, but for now it’s just fine for testing like that.)

apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name:  acme-challenge-mapping
      prefix: /.well-known/acme-challenge/OXiBF7fN601nISblablbalbla
      service: nginx
spec:
  ports:
  - port: 80
    targetPort: 8089
  selector:
    certmanager.k8s.io/acme-http-domain: "3932818779"
    certmanager.k8s.io/acme-http-token: "782372305"

The logs from the cert-manager pod contain these relevant lines:

logger.go:93] Calling HTTP01ChallengeResponse
prepare.go:279] Cleaning up old/expired challenges for Certificate default/ambassador-certs
logger.go:68] Calling GetChallenge
http.go:145] presented key () did not match expected (OXiBF7fN60blablablabla.vt8Zlzf-eC5Dj9dnanananana)

To Reproduce

Installing cert-manager using helm

helm install stable/cert-manager  --set ingressShim.defaultIssuerName=letsencrypt-staging --set ingressShim.defaultIssuerKind=ClusterIssuer

Installing the https ambassador (with RBAC) stuff

Installing a straightforward sample

apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
    metadata:
      labels:
        app: azure-vote-back
    spec:
      containers:
      - name: azure-vote-back
        image: redis
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 6379
          name: redis
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-back
spec:
  ports:
  - port: 6379
  selector:
    app: azure-vote-back
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-front
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-front
  template:
    metadata:
      labels:
        app: azure-vote-front
    spec:
      containers:
      - name: azure-vote-front
        image: microsoft/azure-vote-front:v1
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 80
        env:
        - name: REDIS
          value: "azure-vote-back"
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name:  azure-vote-front-mapping
      prefix: /
      service: azure-vote-front
spec:
  ports:
  - port: 80
  selector:
    app: azure-vote-front

Versions (please complete the following information): Last versions of everything 😃

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 12 (3 by maintainers)

Top GitHub Comments

1 reaction
Mimetis commented, Apr 6, 2019

Thx @richarddli for the updated documentation.

Just for your information, I have created a small repo with a readme doc, about installing cert-manager in an AKS cluster.

I know my English is not really as good as it should be, but you may find useful information on this topic: https://github.com/Mimetis/ambassadorandtls

1 reaction
LiVe commented, Feb 8, 2019

hey,

I went through a similar thing as you did a while back and came up with pretty much the same solution. The only difference: I’m only using a selector with certmanager.k8s.io/acme-http-domain: <val>, which works fine for me. I skipped the token.

The acme-http-domain value is an Adler-32 hash of the domain, so it won’t change. There are topics in the cert-manager repo regarding this, suggesting custom selector options and/or changing the Adler-32 hash to something Helm can use (then it would be just a template function for us), but I’m not sure if anything changed since my adventure down that road 😃
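Putting the issue's hand-made Service and LiVe's Adler-32 remark together, here is an added example (mine, not code from the issue, cert-manager or Ambassador) that derives the solver pod's selector labels from the domain and token and renders the Service with its Ambassador Mapping. It assumes, as the comment states, that the label values are decimal Adler-32 checksums (of the domain for acme-http-domain and, by the same rule, of the token for acme-http-token), and that the solver listens on port 8089 as in the issue's targetPort.

```python
import json
import zlib


def acme_label(value: str) -> str:
    """Decimal Adler-32 checksum, the label format the solver pod carries."""
    return str(zlib.adler32(value.encode("utf-8")) & 0xFFFFFFFF)


def challenge_mapping(service_name: str, token: str) -> str:
    """Ambassador v0 Mapping (annotation YAML) pinned to one exact token path."""
    return (
        "---\n"
        "apiVersion: ambassador/v0\n"
        "kind: Mapping\n"
        "name: acme-challenge-mapping\n"
        f"prefix: /.well-known/acme-challenge/{token}\n"
        f"service: {service_name}\n"
    )


def challenge_service(domain: str, token: str, name: str = "acme-challenge") -> dict:
    """Service whose selector matches the solver pod for (domain, token)."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {
            "name": name,
            "annotations": {"getambassador.io/config": challenge_mapping(name, token)},
        },
        "spec": {
            # 8089 is the solver pod's listen port, taken from the issue's targetPort
            "ports": [{"port": 80, "targetPort": 8089}],
            "selector": {
                "certmanager.k8s.io/acme-http-domain": acme_label(domain),
                "certmanager.k8s.io/acme-http-token": acme_label(token),
            },
        },
    }


def render(manifest: dict) -> str:
    """JSON is valid YAML, so `kubectl apply -f` accepts this output directly."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed sample values; the real token comes from the Challenge resource.
    print(render(challenge_service("myrepo.westeurope.cloudapp.azure.com", "EXAMPLE-TOKEN")))
```

Before applying, compare the rendered selector with the labels actually on the running solver pod (`kubectl get pods --show-labels`); a mismatch leaves the Service with no endpoints, which shows up exactly as the empty "presented key ()" in the log above.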
