diff --git a/deployment/digital-ocean/https/README.md b/deployment/digital-ocean/https/README.md index 4202011d9..5729a763f 100644 --- a/deployment/digital-ocean/https/README.md +++ b/deployment/digital-ocean/https/README.md @@ -3,9 +3,11 @@ {% tabs %} {% tab title="Helm 3" %} +## Via Helm 3 + Follow [this quick start guide](https://cert-manager.io/docs/) and install certmanager via Helm 3: -## … Via Kubernetes Directly +## Or Via Kubernetes Directly ```bash $ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml @@ -96,7 +98,26 @@ Now let's get a valid HTTPS certificate. According to the tutorial above, check ```bash $ kubectl -n ocelot-social describe certificate tls +< +... +Spec: + ... + Issuer Ref: + Group: cert-manager.io + Kind: ClusterIssuer + Name: letsencrypt-staging +... +Events: + +> $ kubectl -n ocelot-social describe secret tls +< +... +Annotations: ... + cert-manager.io/issuer-kind: ClusterIssuer + cert-manager.io/issuer-name: letsencrypt-staging +... +> ``` If everything looks good, update the cluster-issuer of your ingress. Change the annotation `cert-manager.io/cluster-issuer` from `letsencrypt-staging` (for testing by getting a dummy certificate – no blocking by letsencrypt, because of to many request cycles) to `letsencrypt-prod` (for production with a real certificate – possible blocking by letsencrypt for several days, because of to many request cycles) in your ingress configuration in `ingress.yaml`. 
@@ -106,10 +127,38 @@ If everything looks good, update the cluster-issuer of your ingress. Change the $ kubectl apply -f ingress.yaml ``` -Delete the former secret to force a refresh: +Take a minute and have a look if the certificate is now newly generated by `letsencrypt-prod`, the cluster-issuer for production: + +```bash +$ kubectl -n ocelot-social describe certificate tls +< +... +Spec: + ... + Issuer Ref: + Group: cert-manager.io + Kind: ClusterIssuer + Name: letsencrypt-prod +... +Events: + +> +$ kubectl -n ocelot-social describe secret tls +< +... +Annotations: ... + cert-manager.io/issuer-kind: ClusterIssuer + cert-manager.io/issuer-name: letsencrypt-prod +... +> +``` + +In case the certificate is not newly created delete the former secret to force a refresh: ```bash $ kubectl -n ocelot-social delete secret tls ``` -Now, HTTPS should be configured on your domain. Congrats. +Now, HTTPS should be configured on your domain. Congrats! + +For troubleshooting have a look at the cert-manager's [Troubleshooting](https://cert-manager.io/docs/faq/troubleshooting/) or [Troubleshooting Issuing ACME Certificates](https://cert-manager.io/docs/faq/acme/).
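Review bot: In the first hunk (`@@ -3,9 +3,11 @@`), the added `## Via Helm 3` heading repeats the title of the enclosing `{% tab title="Helm 3" %}`, and `## Or Via Kubernetes Directly` reads as a sentence fragment once it stands alone in a table of contents. Consider dropping the first heading, or naming the two as parallel alternatives, for example `## Alternative: Via Kubernetes Directly`. While this block is being touched, the unchanged sentence under the new heading spells the project `certmanager`, whereas the lines added later in this patch write `cert-manager`.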
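Review bot: In the second hunk (`@@ -96,7 +98,26 @@`), the expected output is pasted into the `bash` code block between bare `<` and `>` lines, a convention the README does not explain, and the block can no longer be copied and run as it stands. Suggest moving the output into a separate plain-text block under the commands, or introducing the markers in a sentence before the block. The `Events:` section is also shown empty, and the paragraph that follows still says only "If everything looks good"; name the values to compare (the Issuer Ref `Name` and the `cert-manager.io/issuer-name` annotation, both `letsencrypt-staging`) so the reader knows what counts as good before switching issuers.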
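Review bot: In the third hunk (`@@ -106,10 +127,38 @@`), "In case the certificate is not newly created" gives no criterion for deciding that, and the first check shown cannot settle it: the `Spec` / `Issuer Ref` block of the certificate shows the requested issuer, not the one that signed the certificate currently stored in the secret. Say that the deciding value is the `cert-manager.io/issuer-name` annotation on the `tls` secret, and that the secret should be deleted only while it still reads `letsencrypt-staging`. Because the paragraph above warns that letsencrypt may block for several days after too many request cycles, also note next to the `delete secret` command that each forced refresh is a new request against the production issuer. Minor: a comma is missing after "created", "Take a minute and have a look if" would read better as "Check whether", and the unchanged context line has "to many" for "too many" twice.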