cert-manager
16 commands
16 shown
Install cert-manager via Helm
Install cert-manager with CRDs into its own namespace
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
Check cert-manager pods
Verify all cert-manager components are running
kubectl get pods -n cert-manager
List certificates
List all Certificate resources across namespaces
kubectl get certificates -A
Describe certificate
Show status and events for a Certificate resource
kubectl describe certificate my-cert -n default
List certificate requests
List all CertificateRequest objects
kubectl get certificaterequests -A
Create ClusterIssuer (Let's Encrypt)
Apply a ClusterIssuer manifest for Let's Encrypt ACME
kubectl apply -f clusterissuer-letsencrypt.yaml
Check ClusterIssuers
List all ClusterIssuer resources and their ready status
kubectl get clusterissuers
Manually trigger renewal
Force cert-manager to renew a certificate immediately
kubectl annotate certificate my-cert cert-manager.io/issueTime="$(date -u +%Y-%m-%dT%H:%M:%SZ)" --overwrite
View cert-manager logs
Stream logs from the main cert-manager controller
kubectl logs -n cert-manager deploy/cert-manager -f
cmctl check API
Verify cert-manager API is ready using the cmctl CLI
cmctl check api
Create ClusterIssuer (Let's Encrypt)
Create Let's Encrypt prod ClusterIssuer with HTTP-01 solver
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: admin@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
EOF
Force certificate renewal
Trigger immediate reissue without waiting for the renewal window; watch a new CertificateRequest spawn
cmctl renew <name> -n <ns>
Certificate status playbook
End-to-end view: Certificate, Request, Order, Challenge and the exact ACME failure reason
cmctl status certificate <name> -n <ns>
Inspect issued secret contents
Decode the tls.crt and show issuer, SANs, validity without manual openssl x509 piping
cmctl inspect secret <name> -n <ns>
DNS01 Route53 ClusterIssuer
DNS01 issuer for wildcard certs; IRSA/secret must grant route53 change-record perms
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-dns
solvers:
- dns01:
route53:
region: us-east-1
hostedZoneID: <id>
EOF
Stuck ACME challenges
List pending validations and read the propagation/self-check error blocking issuance
kubectl get challenges -A -o wide && kubectl describe challenge -n <ns> <name>
no commands match