I'm using my own nginx ingress loadbalancer. What am i trying to do is create ssl files automatically using Let's encrypt. I think my nginx.conf file has error. But i cant quite find it.
I provided my configs and logs.
I created folder: /var/www/letsencrypt
nginx access.log:
"GET /.well-known/acme-challenge/Yop3zwchpFCM-h_cchYjiPwQ0LfINMwy4j0rNugMrmM HTTP/1.1" 404 162 "-" "cert-manager-challenges/v1.14.2 (linux/amd64) cert-manager/306e329365989f205185024a86de9b9d4bad10a5"
nginx error.log: (noting much here)
[notice] 3129#3129: signal process started
cert-manager pod log:
err="wrong status code '404', expected '200'"
i've created ClusterIssuer with following yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt
solvers:
- http01:
ingress:
class: nginx
And here is my ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- longhorn.medsoft.care
secretName: longhorn.medsoft.care
rules:
- host: longhorn.medsoft.care
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: longhorn-frontend
port:
number: 80
# nginx.
http {
ssl_protocols TLSv1.2 TLSv1.3;
upstream kubernetes_https {
server 10.20.30.82:443; # master01
server 10.20.30.83:443; # master02
server 10.20.30.84:443; # worker01
server 10.20.30.85:443; # worker02
# Add more servers as necessary
# Health check configuration for Kubernetes API backend
# tulburtei nginx-d bdag module bololtoi
# health_check interval=5 fails=3 passes=2 uri=/healthz;
}
upstream kubernetes_http {
server 10.20.30.82:80; # master01
server 10.20.30.83:80; # master02
server 10.20.30.84:80; # worker01
server 10.20.30.85:80; # worker02
# Add more servers as necessary
# Health check configuration for Kubernetes node backend
# tulburtei nginx-d bdag module bololtoi
# health_check interval=5 fails=3 passes=2 uri=/healthz;
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
root /var/www/letsencrypt;
}
location / {
proxy_pass https://kubernetes_https;
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
try_files $uri $uri/index.html $uri.html =404;
}
}
server {
listen 80;
location / {
proxy_pass http://kubernetes_http;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
}
}
}