Solution ID : SO040121142532

Last Modified : 01/05/2021

Configure cert-manager and DigiCert ACME service with Kubernetes

Solution

Compatible with cert-manager v1.1 or later.

 

1. Create an ACME Directory URL in CertCentral.

2. Copy and save the ACME Directory URL, HMAC key, and KID values in a secure location.

3. Create a namespace for cert-manager.

kubectl create namespace <namespace> 

 

4. Create a secret in cert-manager for the EAB-HMAC.

kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>

 

5. Create a YAML configuration file that defines the Issuer in cert-manager, together with a Certificate that references it, filling in the placeholder values.

#test-cert-manager-acme.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <issuer_name>
  namespace: <namespace>
spec:
  acme:
    email: <email_address>
    server: https://acme.digicert.com/v2/acme/directory/
    externalAccountBinding:
      keyID: <eab_kid>
      keySecretRef:
        name: <eab_secret_name>
        key: secret
      keyAlgorithm: HS256
    privateKeySecretRef:
      name: <account_private_key_name>
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <certificate_name>
  namespace: <namespace>
spec:
  dnsNames:
    - <certificate_common_name>
  secretName: <certificate_private_key_name>
  issuerRef:
    name: <issuer_name>

 

6. Run the kubectl apply command to request the certificate from the DigiCert ACME server.

kubectl apply -f test-cert-manager-acme.yaml

 

7. Run the kubectl describe command to verify that the ACME account has been registered with the DigiCert ACME server.

kubectl describe issuer -n <namespace>

The output is similar to the following. This sample was captured from a test Issuer that had spec.acme.skipTLSVerify set to true; leave that field unset in production so that cert-manager verifies the ACME server's TLS certificate.

Name:         <issuer_name>
Namespace:    <namespace>
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Issuer
Metadata:
  Creation Timestamp:  2020-12-17T12:16:47Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1alpha2
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:externalAccountBinding:
            .:
            f:keyAlgorithm:
            f:keyID:
            f:keySecretRef:
              .:
              f:key:
              f:name:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:skipTLSVerify:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2020-12-17T12:16:47Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
    Manager:         controller
    Operation:       Update
    Time:            2020-12-17T12:16:49Z
  Resource Version:  421519
  Self Link:         /apis/cert-manager.io/v1/namespaces/acme-cert-manager-test/issuers/test-acme
  UID:               0a6f67ac-30d9-4e97-876f-4773b2b0a21e
Spec:
  Acme:
    Email:  <email>
    External Account Binding:
      Key Algorithm:  HS256
      Key ID:         <eab_kid>
      Key Secret Ref:
        Key:          secret
        Name:         <eab_secret_name>
    Preferred Chain:
    Private Key Secret Ref:
      Name:           <account_private_key_name>
    Server:           https://acme.digicert.com/v2/acme/directory/
    Skip TLS Verify:  true
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  <email>
    Uri: <unique_account_url>
  Conditions:
    Last Transition Time:  2020-12-17T12:16:49Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:


8. Once the ACME account is registered, run the following commands:

  • To check the certificate request status:

kubectl describe certificaterequest -n <namespace>


The output is similar to:

#certificaterequest output
  Conditions:
    Last Transition Time:  2020-12-17T17:29:27Z
    Message:               Certificate fetched from issuer successfully
    Reason:                Issued
    Status:                True
    Type:                  Ready
Events:                    <none>

 

  • To check the certificate status:

kubectl describe certificate -n <namespace>


The output is similar to:

#certificate output
Spec:
  Dns Names:
    <certificate_common_name>
  Issuer Ref:
    Name:       <issuer_name>
  Secret Name:  <certificate_secret_name>
Status:
  Conditions:
    Last Transition Time:  2020-12-17T17:29:27Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2021-12-21T23:59:59Z
  Not Before:              2020-12-17T00:00:00Z
  Renewal Time:            2021-11-21T23:59:59Z
  Revision:                1

Events:                    
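Steps 3 to 8 above can be driven from a single script. The following is an added example, not DigiCert's or cert-manager's own code: it renders the step 5 manifest from parameters, creates the EAB secret by feeding the HMAC key to kubectl on stdin instead of as a --from-literal argument (which would leave the key in shell history and process listings), rejects a key that was copied with a trailing newline or space, and polls the Ready conditions that steps 7 and 8 inspect by hand. It assumes kubectl is on PATH, that /dev/stdin is readable as a file, and that cert-manager v1.1 or later is installed; every name in the usage comment is a placeholder. It also sets issuerRef.kind: Issuer explicitly, which is cert-manager's default.

```shell
#!/bin/sh
# Added example (not DigiCert's or cert-manager's code): automate the
# cert-manager + DigiCert ACME procedure. Assumes kubectl on PATH.
set -eu

ACME_SERVER="https://acme.digicert.com/v2/acme/directory/"

# render_manifest NS ISSUER EMAIL EAB_KID EAB_SECRET ACCOUNT_KEY CERT DNS TLS_SECRET
# Prints the Issuer + Certificate manifest from step 5 with placeholders filled in.
render_manifest() {
  ns=$1 issuer=$2 email=$3 kid=$4 eab_secret=$5 acct_key=$6 cert=$7 dns=$8 tls_secret=$9
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ${issuer}
  namespace: ${ns}
spec:
  acme:
    email: ${email}
    server: ${ACME_SERVER}
    externalAccountBinding:
      keyID: ${kid}
      keySecretRef:
        name: ${eab_secret}
        key: secret
      keyAlgorithm: HS256
    privateKeySecretRef:
      name: ${acct_key}
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${cert}
  namespace: ${ns}
spec:
  dnsNames:
    - ${dns}
  secretName: ${tls_secret}
  issuerRef:
    name: ${issuer}
    kind: Issuer
EOF
}

# check_hmac VALUE: fails if the key is empty or contains whitespace, the usual
# sign that a trailing newline was copied along with the key from CertCentral.
check_hmac() {
  [ -n "$1" ] || return 1
  case $1 in *[[:space:]]*) return 1 ;; esac
  return 0
}

# create_eab_secret NS NAME: reads the HMAC key from the EAB_HMAC environment
# variable and passes it to kubectl on stdin, so it never appears in ps output
# or shell history (step 4, hardened).
create_eab_secret() {
  ns=$1 name=$2
  check_hmac "${EAB_HMAC:-}" || { echo "EAB_HMAC is empty or contains whitespace" >&2; return 1; }
  printf '%s' "$EAB_HMAC" |
    kubectl create secret generic "$name" --from-file=secret=/dev/stdin -n "$ns"
}

# ready_status KIND NAME NS: prints the status of the Ready condition
# ("True", "False", or empty if the condition is not present yet).
ready_status() {
  kubectl get "$1" "$2" -n "$3" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# wait_ready KIND NAME NS [TIMEOUT_SECONDS]: polls until Ready=True (steps 7
# and 8); returns 1 when the timeout elapses so a CI job fails instead of hanging.
wait_ready() {
  kind=$1 name=$2 ns=$3 timeout=${4:-300} elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    [ "$(ready_status "$kind" "$name" "$ns")" = "True" ] && return 0
    sleep 5
    elapsed=$((elapsed + 5))
  done
  return 1
}

# Usage against a real cluster (all names are placeholders):
#   export EAB_HMAC='<eab_hmac>'
#   kubectl create namespace <namespace>
#   create_eab_secret <namespace> <eab_secret_name>
#   render_manifest <namespace> <issuer_name> <email_address> <eab_kid> <eab_secret_name> \
#     <account_private_key_name> <certificate_name> <certificate_common_name> <certificate_secret_name> \
#     | kubectl apply -f -
#   wait_ready issuer <issuer_name> <namespace> && wait_ready certificate <certificate_name> <namespace>
```

The functions are defined but not executed when the file is sourced, so the manifest can be reviewed with render_manifest before anything is applied, and wait_ready gives a bounded, scriptable replacement for repeatedly running kubectl describe.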



Note: If the same ACME Directory URL is used for issuances in multiple namespaces, change the Issuer's kind to ClusterIssuer, remove the metadata.namespace attribute from it, and set issuerRef.kind to ClusterIssuer in each Certificate.

However, we recommend keeping one Issuer per namespace so that issuances in different namespaces remain isolated from one another.