Btw, I will guide you in setting up SSL for any site for $25 (around 1h meeting online), contact me at @tch1001 and save yourself alot of pain in the ass :)

Today, I will show you how to setup SSL on Kubernetes the manual way. I will be using Traefik as the Ingress Controller and Let’s Encrypt as the Certificate Authority. In the previous article, I talked about how to perform ACME using DNS. But today I had to perform a renewal of cert without access to the DNS (but having access to the web server). So I had to use the HTTP ACME challenge instead.

Refer to part 1 for server setup

Certbot SSL Setup

If you want to use “DNS only” and still have SSL, or you want “Proxied” with Full encryption mode, you need to create a certificate using Certbot. Certbot is a free, open-source tool for automatically using Let’s Encrypt certificates on manually-configured HTTPS servers.

Usually, people use certbot because it’s very automatic, but in this case I have chosen to manually obtain my certificates and upload it because I want to learn how it works, and have greater control over the process. I have found that when I try to do it automatically using Traefik, there is a lot of fiddling and restarting the services, possibly resulting in downtime. Through the manual method, you don’t need to touch the my-service Service, and just need to update the IngressRoutes.

First, you need to install certbot. After that you can run

sudo certbot certonly --manual --preferred-challenge http -d my3.domain.com
  • --manual is required if we want to use the HTTP acme challenge.
  • -d my3.domain.com indicates the domain (leaving it out will prompt you to input it manually).

You will see something like

Create a file containing just this data:

3H7J8MdG5anbZ0bIi3kNarqT1QxESoMdbCGMmemFHDd.ypmiVlOlYgU_sU-90HbZhcPvk6BiHkxyIxWjYRQllEQ

And make it available on your web server at this URL:

http://my3.domain.com/.well-known/acme-challenge/3H7J8MdG5anbZ0bIi3kNarqT1QxESoMdbCGMmemFHDd

Press Enter to Continue

So now you need to create a txt file that the ACME certbot can access via your domain to prove that you have control over the domain. This will differ according to the web server you have. But for me it was nodejs so I just put the file in static/.well-known/acme-challenge folder

And then built and pushed the new docker image

docker build -t tch1001/newimage:v2
docker push tch1001/newimage:v2
vim kubernetes/servers/webserver.yaml # edit the version
k apply -f kubernetes/servers/webserver.yaml

After that I return to the ACME certbot and press enter. If all goes well, you will see

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/my3.domain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/my3.domain.com/privkey.pem
This certificate expires on 2023-06-04.
These files will be updated when the certificate renews.

Setting HTTP redirection to HTTPS

The rest of the blog is a duplicate of part 1