How to setup TLS certs in nginx ingress using certbot

November 18, 2020 by shaik zillani

In this blog post, I will show you how to create free certs for your domain hosted on Route 53 using certbot, and how to terminate TLS at the nginx Ingress controller.

If you are running your application on Kubernetes behind an nginx ingress controller and want to terminate TLS at the nginx ingress, you can create free certificates that will be valid for 60 days using certbot. You can do this in three simple steps.

Please note that this example is for a domain registered with Amazon Route 53.

Pre-requisites

These are the pre-requisites you need to install:

  • python 3.x
  • certbot
  • certbot-dns-route53

You can install certbot using the Python pip installer.

The procedure is the same for Mac, Windows or Linux.

pip install certbot
pip install certbot-dns-route53

Now, let’s create a new certificate.

Create certificate using certbot
certbot certonly -d foo.bar.com --dns-route53 --logs-dir letsencrypt/log/ --config-dir letsencrypt/config/ --work-dir letsencrypt/work/ -m shaikzillani@gmail.com --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory

Replace foo.bar.com with your domain and use your own email address in the above command.

Install the certificate as secret on k8s
kubectl create secret tls foo.bar.com-tls --cert=./fullchain.pem --key=./privkey.pem -n test-namespace

The certbot command creates the certs under the letsencrypt directory. Navigate to the directory where the certs were created and execute the kubectl command above.

Update helm chart deployment with TLS secret
    tls:
      - secretName: foo.bar.com-tls
        hosts:
          - foo.bar.com

If you visit your website over HTTPS in your browser, the SSL connection should be established successfully.
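The steps above work for the first issue, but at renewal time kubectl create secret fails because the secret already exists, and nothing checks the files before they are loaded. The script below is an added example, not part of the original post: it verifies that the certificate and key belong together and that the certificate is not about to expire, then creates or updates the secret. It assumes the --config-dir from the certbot command above (certbot keeps the current pair under <config-dir>/live/<domain>/); CONFIG_DIR, MIN_DAYS and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: check a certbot-issued pair, then create or update the TLS secret.
# Defaults mirror the commands above; override them through the environment.
CONFIG_DIR="${CONFIG_DIR:-letsencrypt/config}"   # value passed to certbot --config-dir
MIN_DAYS="${MIN_DAYS:-7}"                        # hypothetical "renew first" threshold

# certbot writes the current certificate and key to <config-dir>/live/<domain>/
live_dir() { printf '%s/live/%s\n' "${CONFIG_DIR%/}" "$1"; }

# Succeeds only if the certificate's public key equals the private key's public half.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid MIN_DAYS from now.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$((MIN_DAYS * 86400))" >/dev/null
}

# Usage: sync_tls_secret <domain> <namespace>
sync_tls_secret() {
  local domain="$1" ns="$2" dir
  dir=$(live_dir "$domain")
  cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" ||
    { echo "certificate and key do not match in $dir" >&2; return 1; }
  cert_not_expiring "$dir/fullchain.pem" ||
    { echo "certificate expires within $MIN_DAYS days; renew first" >&2; return 1; }
  # A plain "create" fails once the secret exists, so render the manifest
  # client-side and let "apply" create or update it.
  kubectl create secret tls "$domain-tls" \
    --cert="$dir/fullchain.pem" --key="$dir/privkey.pem" \
    -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
}

# Runs only when called with arguments, e.g.: ./sync-tls.sh foo.bar.com test-namespace
if [ "$#" -ge 2 ]; then sync_tls_secret "$1" "$2"; fi
```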
