BlogKubernetes

Kubernetes Ingress TLS with cert-manager and Let's Encrypt

Issue and auto-renew TLS certificates for Ingress with cert-manager, ACME, and a ClusterIssuer, and debug stuck orders before ACME rate-limits you.

Mar 25, 2025·9 min readIntermediate

cert-manager turns TLS into a Kubernetes resource. You declare a ClusterIssuer once, annotate your Ingress, and cert-manager talks ACME (Let's Encrypt), solves the challenge, stores the cert in a Secret, and renews it before expiry — forever, unattended.

How a cert appears
1
Ingress
tls + issuer annotation
2
cert-manager
requests via ACME
3
ACME
HTTP-01 challenge
4
Secret
cert stored + auto-renewed

Define a ClusterIssuer

issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: { name: letsencrypt }
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef: { name: letsencrypt-account }
solvers:
- http01: { ingress: { class: nginx } }

Annotate the Ingress

ingress.yaml
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts: [app.acme.dev]
secretName: app-tls # cert-manager fills this in
rules:
- host: app.acme.dev
bash — watch it go Readylive
kubectl get certificate
NAME READY SECRET AGE
app-tls True app-tls 47s
HTTP-01 needs to be reachable
The ACME HTTP-01 solver must be hit from the internet on port 80. Behind a private LB, use the DNS-01 solver instead.
Go deeper in a courseKubernetes administrationIngress, TLS, and exposing services safely.View course

Related posts