BlogKubernetes
Kubernetes Ingress TLS with cert-manager and Let's Encrypt
Issue and auto-renew TLS certificates for Ingress with cert-manager, ACME, and a ClusterIssuer, and debug stuck orders before ACME rate-limits you.
cert-manager turns TLS into a Kubernetes resource. You declare a ClusterIssuer once, annotate your Ingress, and cert-manager talks ACME (Let's Encrypt), solves the challenge, stores the cert in a Secret, and renews it before expiry — forever, unattended.
1
Ingress
tls + issuer annotation
2
cert-manager
requests via ACME
3
ACME
HTTP-01 challenge
4
Secret
cert stored + auto-renewed
Define a ClusterIssuer
issuer.yaml
apiVersion: cert-manager.io/v1kind: ClusterIssuermetadata: { name: letsencrypt }spec:acme:server: https://acme-v02.api.letsencrypt.org/directoryemail: [email protected]privateKeySecretRef: { name: letsencrypt-account }solvers:- http01: { ingress: { class: nginx } }
Annotate the Ingress
ingress.yaml
metadata:annotations:cert-manager.io/cluster-issuer: letsencryptspec:tls:- hosts: [app.acme.dev]secretName: app-tls # cert-manager fills this inrules:- host: app.acme.dev
kubectl get certificateNAME READY SECRET AGEapp-tls True app-tls 47sHTTP-01 needs to be reachable
The ACME HTTP-01 solver must be hit from the internet on port 80. Behind a private LB, use the DNS-01 solver instead.