Azure - Solving HTTPS Configuration Issues in AKS with Cert-Manager
Introduction
Setting up a TLS certificate to serve your website over HTTPS on Azure AKS can be challenging. This post details how I resolved the cert-manager and ACME challenge validation issues I faced for this website. Yes, this website is deployed on AKS with TLS issued by cert-manager.
Issue Faced
cert-manager failed to validate the ACME HTTP-01 challenge, leading to 404 Not Found errors, primarily because the Ingress routed ACME challenge requests to the wrong backend.
Resolution Steps
- Identify the Issue:
  - Noticed 404 errors in cert-manager logs during the ACME challenge.
  - Command: kubectl logs [CERT_MANAGER_POD] -n [NAMESPACE]
- Check Solver Service:
  - Confirmed the cert-manager solver service was operational.
  - Commands:
    - List services: kubectl get svc -n [NAMESPACE]
    - Identify solver service: look for a service with a name like cm-acme-http-solver-xxxx.
    - Get details: kubectl describe svc [SOLVER_SERVICE_NAME] -n [NAMESPACE]
- Inspect Ingress Configuration:
  - Discovered the Ingress was routing ACME challenge paths to the application service, not the solver.
  - Command: kubectl describe ingress [INGRESS_NAME] -n [NAMESPACE]
- Update Ingress Resource:
  - Modified the Ingress to route /.well-known/acme-challenge to the cert-manager solver service.
  - Command: kubectl edit ingress [INGRESS_NAME] -n [NAMESPACE]
  - Sample Updated Ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: blog-ui-ingress
      namespace: savewise
    spec:
      tls:
      - hosts:
        - sharathenugala.com
        secretName: blog-ui-tls
      ingressClassName: webapprouting.kubernetes.azure.com
      rules:
      - host: sharathenugala.com
        http:
          paths:
          - path: /.well-known/acme-challenge
            pathType: Prefix
            backend:
              service:
                name: cm-acme-http-solver-9pwbm
                port:
                  number: 8089
          - path: /
            pathType: Prefix
            backend:
              service:
                name: blog-ui
                port:
                  number: 3000

- Successful Challenge Completion:
  - Post-update, cert-manager successfully completed the ACME challenge and issued the TLS certificate.
  - Verification: kubectl describe certificate [CERT_NAME] -n [NAMESPACE]
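To spot the misrouting from steps 3 and 4 directly from an Ingress spec, without waiting for cert-manager to log a 404, this added example (not the post's or cert-manager's code) simulates Kubernetes Ingress path selection for an ACME HTTP-01 URL. The host, service names and ports come from the sample above; the challenge token and the broken "before" Ingress are constructed.

```python
from typing import Optional

ACME_PREFIX = "/.well-known/acme-challenge"


def _prefix_matches(rule_path: str, request_path: str) -> bool:
    """Kubernetes 'Prefix' pathType: element-wise match on '/'-separated segments."""
    if rule_path == "/":
        return True
    rule_segs = rule_path.rstrip("/").split("/")
    return request_path.split("/")[: len(rule_segs)] == rule_segs


def select_backend(ingress: dict, host: str, request_path: str) -> Optional[dict]:
    """Return the backend service that would receive the request, or None (controller 404).

    Longest matching path wins, as in the Ingress spec; Exact paths must match verbatim.
    """
    best, best_len = None, -1
    for rule in ingress["spec"].get("rules", []):
        if rule.get("host") not in (None, host):
            continue
        for p in rule.get("http", {}).get("paths", []):
            path, ptype = p["path"], p.get("pathType", "Prefix")
            hit = request_path == path if ptype == "Exact" else _prefix_matches(path, request_path)
            if hit and len(path) > best_len:
                best, best_len = p["backend"]["service"], len(path)
    return best


def challenge_lands_on_solver(ingress: dict, host: str) -> bool:
    """True when an ACME HTTP-01 URL is routed to a cert-manager solver service."""
    svc = select_backend(ingress, host, ACME_PREFIX + "/constructed-token")
    return svc is not None and svc["name"].startswith("cm-acme-http-solver-")


def _path(name: str, port: int, path: str) -> dict:
    """One Prefix path entry pointing at service name:port (helper for the samples)."""
    return {"path": path, "pathType": "Prefix",
            "backend": {"service": {"name": name, "port": {"number": port}}}}


def _ingress(paths: list) -> dict:
    return {"spec": {"rules": [{"host": "sharathenugala.com", "http": {"paths": paths}}]}}


# Constructed: the misrouted Ingress; the catch-all sends the challenge to the app (404).
BROKEN = _ingress([_path("blog-ui", 3000, "/")])
# Constructed from the sample above: explicit challenge path in front of the catch-all.
FIXED = _ingress([_path("cm-acme-http-solver-9pwbm", 8089, ACME_PREFIX), _path("blog-ui", 3000, "/")])
```

The solver name in FIXED is the one from the post; each new challenge creates a fresh cm-acme-http-solver-* service, which is why the check matches on the name prefix rather than an exact name.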
Maintenance and Renewal
Cert-manager automates certificate renewal without manual Ingress updates for future challenges.
Conclusion
Proper Ingress setup is key for cert-manager's functionality in AKS, ensuring seamless HTTPS integration.
- Note: The solver service is temporary and will be deleted after the ACME challenge is completed.