Cert-manager+LE+Istio

Hi all! Could you please help me? I want to get an LE cert, but I get this error:

[2021-11-18T09:44:21.078Z] "GET /.well-known/acme-challenge/1eCNaRkoOKgFcnaIgj8858qRqBappPRikmguI3v_YlI HTTP/1.1" 404 - via_upstream - "-" 0 14 2 0 "10.20.0.1" "cert-manager/v1.5.4 (clean)" "15d7a2bc-be83-9103-8ee6-e2262583653d" "<DOMAIN>" "10.20.0.49:8200" outbound|8200||vault.vault.svc.cluster.local 10.20.0.200:41288 10.20.0.200:8080 10.20.0.1:25271 - -

My manifests:

cat istio-gw-vs.yaml 
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: vault-dev-gw
  namespace: vault
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*"
    port:
      name: http-dev
      number: 80
      protocol: HTTP

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vault-dev-vs
  namespace: vault
spec:
  gateways:
  - vault-dev-gw
  hosts:
  - <DOMAIN>
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: vault
        port:
          number: 8200

cat cert.yaml 
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-dev
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: '<EMAIL>'
    privateKeySecretRef:
      name: vault-dev
    solvers:
    - selector: {}
      http01:
        ingress:
          class: istio
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vault-dev-cert
  namespace: istio-system
spec:
  secretName: vault-dev-cert
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  issuerRef:
    name: vault-dev
    kind: ClusterIssuer
  commonName: <DOMAIN>
  dnsNames:
    - <DOMAIN>

kubectl get challenge -n istio-system -o wide
Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200' 

I have a similar issue; it seems Istio does not take into account the generated Ingress with IngressClassName: istio.
I "solved" it by creating an entry in the VirtualService like so:

{{- $svcPort := .Values.service.port -}}
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ include "web.fullname" . }}
spec:
  hosts:
  - <redacted>
  gateways:
  - moneta
  http:
    - match:
        - uri:
            prefix: /.well-known/acme-challenge/ 
      route:
        - destination:
            port:
              number: 8089
            host: cm-acme-http-solver-778x4.istio-system.svc.cluster.local
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            port:
              number: {{ $svcPort }}
            host: {{ include "web.fullname" . }}

Be aware that the cm-acme-http-solver-778x4 name is randomly generated.

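An added check, not code from this thread: given the VirtualService and the Services of the solver namespace as the dicts `kubectl get ... -o json` returns, it verifies that the workaround above is wired the way Istio evaluates it (ACME route listed before the catch-all, pointing at the solver Service that currently exists, on the solver port 8089) and reports a stale solver name, which is the failure mode the redeploy question below is about. The sample objects are constructed and `vault.example.test` is a placeholder hostname.

```python
from typing import Optional

ACME_PREFIX = "/.well-known/acme-challenge/"
SOLVER_PREFIX = "cm-acme-http-solver-"   # cert-manager names its HTTP-01 solver Services this way
SOLVER_PORT = 8089                        # port the HTTP-01 solver pod listens on


def _prefixes(route: dict) -> set:
    """URI prefixes one http route entry matches on."""
    return {m.get("uri", {}).get("prefix") for m in route.get("match", [])}


def find_solver_service(services: list, namespace: str) -> Optional[dict]:
    """Return the current solver Service in `namespace`, or None if no challenge is active."""
    for svc in services:
        meta = svc["metadata"]
        if meta["namespace"] == namespace and meta["name"].startswith(SOLVER_PREFIX):
            return svc
    return None


def check_acme_routing(vs: dict, services: list, solver_ns: str) -> list:
    """Return findings; an empty list means the workaround is wired correctly."""
    findings = []
    routes = vs["spec"].get("http", [])
    acme_idx = next((i for i, r in enumerate(routes) if ACME_PREFIX in _prefixes(r)), None)
    catch_idx = next((i for i, r in enumerate(routes) if "/" in _prefixes(r)), None)
    if acme_idx is None:
        return [f"no route for {ACME_PREFIX}; challenge requests hit the app and get 404"]
    if catch_idx is not None and catch_idx < acme_idx:
        findings.append("catch-all '/' route precedes the ACME route; Istio takes the first match")
    dest = routes[acme_idx]["route"][0]["destination"]
    routed_name = dest["host"].split(".")[0]   # strip the .ns.svc.cluster.local suffix
    solver = find_solver_service(services, solver_ns)
    if solver is None:
        findings.append(f"no {SOLVER_PREFIX}* Service in {solver_ns}; is a challenge in progress?")
    elif solver["metadata"]["name"] != routed_name:
        findings.append(f"ACME route targets {routed_name} but current solver is "
                        f"{solver['metadata']['name']} (name changes on redeploy)")
    if dest.get("port", {}).get("number") != SOLVER_PORT:
        findings.append(f"ACME route port {dest.get('port')} != solver port {SOLVER_PORT}")
    return findings


# Constructed sample objects mirroring the thread's workaround VirtualService.
SAMPLE_VS = {"spec": {"hosts": ["vault.example.test"], "gateways": ["vault-dev-gw"], "http": [
    {"match": [{"uri": {"prefix": ACME_PREFIX}}],
     "route": [{"destination": {"host": "cm-acme-http-solver-778x4.istio-system.svc.cluster.local",
                                "port": {"number": SOLVER_PORT}}}]},
    {"match": [{"uri": {"prefix": "/"}}],
     "route": [{"destination": {"host": "vault", "port": {"number": 8200}}}]}]}}
SAMPLE_SVCS = [{"metadata": {"name": "cm-acme-http-solver-778x4", "namespace": "istio-system"}}]
```

Run it against live objects by loading `kubectl get vs <name> -o json` and `kubectl get svc -n istio-system -o json` (the `items` list) with `json.load`; a non-empty result explains the 404 from the challenge check.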

Thanks a lot! Do I have to repeat this action every 3 months? Will cm-acme-http-solver-**** change?

I don't think it will change as long as you don't redeploy the cert-manager stuff. I hope cert-manager is smart enough to renew the certificate every x months.