ProductPricingCase StudiesSupportFree Trial

Let's Encrypt Certificates

Suggest Edits

Prerequisites

Before you can start this guide, you'll need the following:

  • A deployed Hydrolix cluster that uses a public load balancer.
  • A DNS entry that points to the public load balancer.
  • Public IP Access, to allow Let's Encrypt verification.

Create a Certificate Issuer Configuration

In this step, we'll create an Issuer leveraging Let's Encrypt production certificate authority. The Issuer contains the following information:

  • name - name of the issuer used to generate new certificate requests
  • ACME server - server used to generate the ACME challenge
  • email - email used for the certificate information
  • solvers - used to validate ownership of the domain

The following example generates a certificate using Let's Encrypt. It validates the domain ownership using HTTP and ingress traefik:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-http
  namespace: $YOURNAMESPACE - TO BE REPLACE
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $YOUREMAILMANAGINGCERTIFICATE - TO BE REPLACE
    privateKeySecretRef:
      name: letsencrypt-production-http
    solvers:
    - selector: {}
      http01:
        ingress:
          class: traefik

Once you generate the issuer configuration, store it in issuer-prod-lets-enc.yaml. Deploy it in your cluster with the following command:

kubectl apply -f issuer-prod-lets-enc.yaml

Create a Certificate Request Configuration

Once you've deployed your certificate Issuer, you can create a new certificate request with your domain.
By default, Hydrolix loads the certificate from a secret named traefik-tls.
The following example shows the full syntax to define this secret in a file called cert-req.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $YOURNAMESPACE - TODO REPLACE ME!
  namespace: $YOURNAMESPACE - TODO REPLACE ME!
spec:
  secretName: traefik-tls
  issuerRef:
    name: letsencrypt-production-http
  commonName: $YOURDOMAIN - TODO REPLACE ME!
  dnsNames:
  - $YOURDOMAIN - TODO REPLACE ME!

Use the following command to deploy the request in your cluster:

kubectl apply -f cert-req.yaml

Check the Certificate Request Status

Once applied, you can check the certificate status with the following command:

kubectl describe certificate $YOURNAMESPACE

If the certificate successfully validates, you can should see the following:

Normal  Issuing    12s   cert-manager-certificates-issuing          The certificate has been successfully issued

Enable TLS on traefik

Once the certificate is deployed, enable HTTPS by changing the hydrolix_url field in your cluster configuration from "http" to "https":

hydrolix_url: <https://$YOURHOSTNAME>

After changing the protocol, traefik should restart and use the newly deployed Let's Encrypt certificate.

Return to the Add a Custom Certificate guide to validate your results.

Updated 2 months ago