Let's Encrypt certificates
The Ingress Pod can be configured to fetch a certificate bundle from an internal service. This internal service is the Let's Encrypt Pod, or a compatible one.
Run the Let's Encrypt Pod strictly as a single instance in the cluster; otherwise there will be a load balancing roulette when the Let's Encrypt service (LE) connects back to the LE agent to verify our request, and the challenge may land on an instance that did not make the request.
Configure the Ingress Pods to use the fetcher service by setting ingress_useFetcher to true in cluster-vars.env:
ingress_useFetcher=true
If the fetcher is not used, then Let's Encrypt certificates will not be fetched, which could be the desirable outcome if you are providing the certificates yourself (see more information about this case later in this section).
After enabling the fetcher, add all domains to be issued or renewed to the Let's Encrypt Pod's configuration file _config/certs_list/certs.txt.
Note: Renewals are done automatically and occur 20 days before the certificate's expiration date.
Cheatsheet and troubleshooting
After adding domains to _config/certs_list/certs.txt, we need to update the Pod with the new configuration:
sns pod updateconfig letsencrypt
git add . && git commit -m "Add domain to letsencrypt"
sns cluster sync
Updating the configuration will trigger the Let's Encrypt Pod to issue the newly added certificates.
Watch the logs to confirm the certificate was issued successfully:
sns pod logs letsencrypt
The Ingress Pod fetcher service fetches the certificate bundle twice a day. However, since the domain is new, we may want to fetch it into the Ingress Pod manually right away:
sns pod rerun ingress fetcher
sns pod logs ingress
Rerunning the fetcher container triggers it to download the new bundle.
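As an added example (not part of this page's project), a small POSIX sh helper that wraps the procedure above: it validates and de-duplicates a domain before appending it to certs.txt, so a typo or a repeated entry does not trigger a needless issuance, and then runs the cheatsheet commands. It assumes certs.txt holds one domain per line and that sns and git are on PATH.

```shell
#!/bin/sh
# Added example, not from the project's own tooling.
# Assumption: _config/certs_list/certs.txt lists one domain per line.
CERTS_LIST="${CERTS_LIST:-_config/certs_list/certs.txt}"

# Rough hostname sanity check: labels of letters/digits/hyphens, at least one dot,
# alphabetic TLD. Returns 0 when the name looks valid, 1 otherwise.
is_valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Append a domain to the list unless it is already present.
# Prints "added" or "present"; returns 1 (and prints nothing) on an invalid name.
add_domain() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list="${2:-$CERTS_LIST}"
    is_valid_domain "$domain" || { echo "invalid domain: $1" >&2; return 1; }
    [ -f "$list" ] || touch "$list"
    if grep -Fxq "$domain" "$list"; then
        echo present
    else
        printf '%s\n' "$domain" >> "$list"
        echo added
    fi
}

# Push the updated list to the cluster with the commands from the cheatsheet,
# then follow the Let's Encrypt Pod logs to confirm issuance.
rollout() {
    sns pod updateconfig letsencrypt &&
    git add . && git commit -m "Add domain to letsencrypt" &&
    sns cluster sync &&
    sns pod logs letsencrypt
}

# Optional: pull the new bundle into the Ingress Pod now instead of waiting
# for the twice-daily fetch.
refresh_ingress() {
    sns pod rerun ingress fetcher && sns pod logs ingress
}
```

Typical use is `add_domain www.example.com && rollout && refresh_ingress`; `rollout` stops at the first failing step, so the commit only happens after updateconfig succeeded.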