Istio version 1.4.3
Our Let’s Encrypt certificate expired as of yesterday in one of our clusters.
The renewed certificate also has additional sub-domains added to it.
Now I’m trying to understand the right process to get the renewed certificates updated in my cluster.
I followed this page -
and essentially did this -
kubectl delete secret istio-ingressgateway-certs -n istio-system
kubectl -n istio-system create secret tls istio-ingressgateway-certs --key privkey.pem --cert fullchain.pem
but then there is no effect. Check root still shows -
Fetching root cert from istio-system namespace...
Your Root Cert will expire after
Dec 17 17:35:12 2029 GMT
Current time is
Thu Mar 19 14:42:56 PDT 2020
=====YOU HAVE 3559 DAYS BEFORE THE ROOT CERT EXPIRES!=====
I later reviewed root-transition.sh
and am trying to fit it to Let’s Encrypt.
I have the following files, which were generated by Let’s Encrypt:
chain.pem
cert.pem
privkey.pem
README
fullchain.pem
kubectl -n istio-system delete secret istio-ca-secret
kubectl create -n istio-system secret generic istio-ca-secret --from-file=ca-key.pem=privkey.pem --from-file=ca-cert.pem=cert.pem --type=istio.io/ca-root
kubectl delete pod -l istio=citadel -n istio-system
kubectl exec pod/feed-api-f4bccc989-45st6 -c istio-proxy -n smc302-sales -- curl http://localhost:15000/certs | head -c 1000
It still shows my old date as “valid_from” for “ca_cert”
"certificates": [
{
"ca_cert": [
{
"path": "/etc/certs/root-cert.pem",
"serial_number": "baef924fbee4dc9e13663d39621899d5",
"subject_alt_names": [],
"days_until_expiration": "3559",
"valid_from": "2019-12-20T17:35:12Z",
"expiration_time": "2029-12-17T17:35:12Z"
}
],
I’m wondering if this is an issue? What am I missing?
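
An added example, not part of the original post: the `valid_from` check above can be run against every certificate the sidecar has loaded by parsing the full `/certs` output and comparing serial numbers with the certificate that was meant to be installed. The `SAMPLE` data is constructed (its `ca_cert` values are the ones quoted in the post, the `cert_chain` entry is invented), and the function names are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of Envoy's admin /certs output. The ca_cert
# values are the ones quoted in the post; the cert_chain entry is invented.
SAMPLE = """
{"certificates": [{
  "ca_cert": [{"path": "/etc/certs/root-cert.pem",
               "serial_number": "baef924fbee4dc9e13663d39621899d5",
               "subject_alt_names": [], "days_until_expiration": "3559",
               "valid_from": "2019-12-20T17:35:12Z",
               "expiration_time": "2029-12-17T17:35:12Z"}],
  "cert_chain": [{"path": "/etc/certs/cert-chain.pem",
                  "serial_number": "1f00aa",
                  "subject_alt_names": [], "days_until_expiration": "71",
                  "valid_from": "2020-03-01T00:00:00Z",
                  "expiration_time": "2020-05-30T00:00:00Z"}]}]}
"""

def parse_ts(value):
    # Envoy prints UTC timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def norm_serial(value):
    # Accept "serial=BAEF..." from `openssl x509 -noout -serial` or bare hex.
    hexpart = value.strip().split("=")[-1].replace(":", "").lower()
    return hexpart.lstrip("0") or "0"

def summarize(certs_json, expected_serial=None, now=None):
    """One row per certificate Envoy has loaded, with expiry and serial match."""
    now = now or datetime.now(timezone.utc)
    want = norm_serial(expected_serial) if expected_serial else None
    rows = []
    for bundle in json.loads(certs_json).get("certificates", []):
        for role in ("ca_cert", "cert_chain"):
            for cert in bundle.get(role, []):
                expires = parse_ts(cert["expiration_time"])
                serial = norm_serial(cert["serial_number"])
                rows.append({
                    "role": role,
                    "path": cert.get("path", ""),
                    "serial": serial,
                    "valid_from": cert["valid_from"],
                    "days_left": (expires - now).days,
                    "expired": expires <= now,
                    "matches_expected": (want == serial) if want else None,
                })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE, "serial=BAEF924FBEE4DC9E13663D39621899D5"):
        print(row)
```

Feed it the complete `/certs` response rather than the `head -c 1000` cut, which is not valid JSON; the expected serial can be read with `openssl x509 -noout -serial -in cert.pem`.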