kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

How to configure ALB to use LetsEncrypt certificate? #1143

Closed ipeychev closed 4 years ago

ipeychev commented 4 years ago

Hello,

I'm trying to configure ALB to use a LetsEncrypt certificate, issued by CertManager.

I have an Ingress configuration like:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ui-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
  namespace: default
spec:
  tls:
  - hosts:
    - myhost.com
    secretName: myhost-com-tls-production
  rules:
  - host: myhost.com
    http:
      paths:
      - path: /
        backend:
          serviceName: ui-service
          servicePort: 80

This works OOTB with Google Cloud Platform (without even specifying kubernetes.io/ingress.class), but it doesn't work with ALB - the request to myhost.com simply times out. The certificate was successfully issued by Cert Manager. The logs say:

$ kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o "alb-ingress[a-zA-Z0-9-]+")

I0126 09:52:32.800947       1 security_group.go:75] default/ui-ingress: granting inbound permissions to securityGroup sg-024e274984cdd6e29: [{    FromPort: 80,    IpProtocol: "tcp",    IpRanges: [{        CidrIp: "0.0.0.0/0",        Description: "Allow ingress on port 80 from 0.0.0.0/0"      }],    ToPort: 80  }]

It seems using ALB with certificates issued by LetsEncrypt is simply not supported, and we have to use AWS Certificate Manager. AWS Certificate Manager is limited - according to the documentation, it supports only DNS and some other monkey-method, called "Email Validation". HTTP-01 challenge and the rest are not supported.

Is it really impossible to use ALB with certificates issued by LetsEncrypt?

s2504s commented 4 years ago

It is not possible, because ALB does not have the ability to use non-ACM certificates.

M00nF1sh commented 4 years ago

closing this in favor of https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/1084 :D

jkassis commented 10 months ago

I just dropped this, which solved the problem for me... https://github.com/jkassis/cert-secret-syncer
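
What such a sync has to do, shown as an added example (this is neither jkassis's tool nor the controller's own code): read the cert-manager TLS Secret, split tls.crt into the leaf certificate and its chain, and build the parameters ACM's ImportCertificate call expects. The sample Secret below is constructed with placeholder PEM bodies, and boto3 is not called.

```python
import base64
import re

# Constructed sample: a kubernetes.io/tls Secret as `kubectl get secret -o json`
# would return it; the PEM bodies are placeholders, not real key material.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"

SAMPLE_SECRET = {
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "myhost-com-tls-production", "namespace": "default"},
    "data": {
        # cert-manager stores leaf + chain concatenated in tls.crt
        "tls.crt": base64.b64encode((LEAF_PEM + CHAIN_PEM).encode()).decode(),
        "tls.key": base64.b64encode(KEY_PEM.encode()).decode(),
    },
}

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S
)


def split_pem_bundle(bundle: str) -> list:
    """Return every CERTIFICATE block in the bundle, in order (leaf first)."""
    return PEM_CERT_RE.findall(bundle)


def acm_import_params(secret: dict, existing_arn: str = None) -> dict:
    """Build the ImportCertificate request body from a kubernetes.io/tls Secret.

    ACM wants leaf, private key and chain as separate fields. Passing
    existing_arn re-imports into the same ARN, which is what a renewal
    (LetsEncrypt certs rotate every 90 days) needs so the Ingress keeps working.
    """
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret")
    crt = base64.b64decode(secret["data"]["tls.crt"]).decode()
    key = base64.b64decode(secret["data"]["tls.key"]).decode()
    certs = split_pem_bundle(crt)
    if not certs:
        raise ValueError("tls.crt contains no CERTIFICATE block")
    params = {"Certificate": certs[0].encode(), "PrivateKey": key.encode()}
    if len(certs) > 1:
        params["CertificateChain"] = "".join(certs[1:]).encode()
    if existing_arn:
        params["CertificateArn"] = existing_arn
    return params
```

With boto3 the import itself would be `boto3.client("acm").import_certificate(**acm_import_params(secret))["CertificateArn"]`, and the ALB Ingress then references the returned ARN through the controller's `alb.ingress.kubernetes.io/certificate-arn` annotation instead of spec.tls.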

johncf commented 9 months ago

Isn't this a solved problem?

timp87 commented 3 months ago

@johncf nope, the first link you provided is about using cert-manager to issue a cert for aws-load-balancer-controller webhook, not for ALB.

johncf commented 3 months ago

@johncf nope, the first link you provided is about using cert-manager to issue a cert for aws-load-balancer-controller webhook, not for ALB.

Ah I thought LBC is simply used to provision an ALB. Just to be clear, I actually don’t know if this is a solved problem.