Sharath Enugala

Azure - Solving HTTPS Configuration Issues in AKS with Cert-Manager


Introduction

Setting up a TLS certificate to serve your website over HTTPS on Azure AKS can be challenging. This post details how I resolved the cert-manager and ACME challenge validation issues I faced for this website. Yes, this website is deployed on AKS with TLS provided by cert-manager.


Issue Faced

The cert-manager failed to validate the ACME HTTP-01 challenge, leading to 404 Not Found errors, primarily due to incorrect Ingress routing for ACME challenge requests.


Resolution Steps

  1. Identify the Issue:

    • Noticed 404 errors in cert-manager logs during the ACME challenge.
    • Command: kubectl logs [CERT_MANAGER_POD] -n [NAMESPACE]
  2. Check Solver Service:

    • Confirmed the cert-manager solver service was operational.
    • Commands:
      • List services: kubectl get svc -n [NAMESPACE]
      • Identify solver service: Look for a service with a name like cm-acme-http-solver-xxxx.
      • Get details: kubectl describe svc [SOLVER_SERVICE_NAME] -n [NAMESPACE]
  3. Inspect Ingress Configuration:

    • Discovered Ingress was routing ACME challenge paths to the application service, not the solver.
    • Command: kubectl describe ingress [INGRESS_NAME] -n [NAMESPACE]
  4. Update Ingress Resource:

    • Modified Ingress to route /.well-known/acme-challenge to the cert-manager solver service.

    • Command: kubectl edit ingress [INGRESS_NAME] -n [NAMESPACE]

    • Sample updated Ingress:

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: blog-ui-ingress
        namespace: savewise
      spec:
        tls:
        - hosts:
          - sharathenugala.com
          secretName: blog-ui-tls
        ingressClassName: webapprouting.kubernetes.azure.com
        rules:
        - host: sharathenugala.com
          http:
            paths:
            # ACME HTTP-01 challenge requests must reach the cert-manager solver,
            # so this rule is listed before the catch-all "/" rule below.
            - path: /.well-known/acme-challenge
              pathType: Prefix
              backend:
                service:
                  # temporary solver service created by cert-manager for this challenge
                  name: cm-acme-http-solver-9pwbm
                  port:
                    number: 8089
            # everything else goes to the application
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: blog-ui
                  port:
                    number: 3000


  5. Successful Challenge Completion:

    • Post-update, cert-manager successfully completed the ACME challenge and issued the TLS certificate.
    • Verification: kubectl describe certificate [CERT_NAME] -n [NAMESPACE]
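As an added check that is not part of the original post, the following Python script reads the JSON that `kubectl get ingress [INGRESS_NAME] -n [NAMESPACE] -o json` produces and reports whether the ACME challenge prefix is routed to a cert-manager solver service rather than to the application. The two Ingress documents in it are constructed to mirror the "before" and "after" states of steps 3 and 4; the solver-name prefix is taken from the `cm-acme-http-solver-xxxx` naming in step 2.

```python
import json

ACME_PATH = "/.well-known/acme-challenge"
SOLVER_PREFIX = "cm-acme-http-solver-"  # name prefix cert-manager gives its solver service

def check_acme_routing(ingress):
    """Return a list of findings for an Ingress object (dict from
    `kubectl get ingress NAME -o json`); an empty list means ACME
    challenge requests reach a cert-manager solver service."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")
        paths = rule.get("http", {}).get("paths", [])
        acme = [p for p in paths if p.get("path", "").startswith(ACME_PATH)]
        if not acme:
            findings.append(f"{host}: no path rule for {ACME_PATH}; "
                            "challenge requests fall through to the catch-all backend")
            continue
        for p in acme:
            svc = p.get("backend", {}).get("service", {}).get("name", "")
            if not svc.startswith(SOLVER_PREFIX):
                findings.append(f"{host}: {p['path']} routed to '{svc}' instead of a "
                                f"{SOLVER_PREFIX}* service (this is the 404 symptom)")
            if p.get("pathType") == "Exact":
                findings.append(f"{host}: {p['path']} uses pathType Exact, so the "
                                "token URL under it never matches")
    return findings

def _ingress(paths):
    # Constructed minimal Ingress document, same shape as kubectl's JSON output.
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": "blog-ui-ingress", "namespace": "savewise"},
            "spec": {"rules": [{"host": "sharathenugala.com", "http": {"paths": paths}}]}}

def _path(path, svc, port, path_type="Prefix"):
    return {"path": path, "pathType": path_type,
            "backend": {"service": {"name": svc, "port": {"number": port}}}}

# Before the fix: only a catch-all rule, so the solver is never reached.
BROKEN = _ingress([_path("/", "blog-ui", 3000)])
# After the fix: the challenge prefix goes to the solver, everything else to the app.
FIXED = _ingress([_path(ACME_PATH, "cm-acme-http-solver-9pwbm", 8089),
                  _path("/", "blog-ui", 3000)])

if __name__ == "__main__":
    for label, ing in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, json.dumps(check_acme_routing(ing), indent=2))
```

To run it against a live cluster, load the output of `kubectl get ingress ... -o json` with `json.load` and pass the resulting dict to `check_acme_routing`.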


Maintenance and Renewal

Cert-manager automates certificate renewal without manual Ingress updates for future challenges.


Conclusion

Proper Ingress setup is key for cert-manager's functionality in AKS, ensuring seamless HTTPS integration.


  • Note: The solver service is temporary and will be deleted after the ACME challenge is completed.