> For the complete documentation index, see [llms.txt](https://docs.vngcloud.vn/vng-cloud-document/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.vngcloud.vn/vng-cloud-document/vks/network/working-with-alb/automatically-manage-certificates-in-vks-with-nginx-ingress-controller-cert-manager-and-lets-encr.md).
# Automatically manage Certificates in VKS with Nginx Ingress Controller, Cert-Manager, and Let's Encr
## Necessary conditions
* You have initialized the Cluster on the VKS system according to the instructions here [and](https://docs.vngcloud.vn/vng-cloud-document/vn/vks/getting-started/expose-mot-service-thong-qua-vlb-layer4) the GreenNode LoadBalancer Controller has been installed on your cluster **.**
* Next, make sure you have a **domain** registered and in use.
* Finally, you need an **email** address to perform the Certificate management test.
* Next, you need to install nginx-ingress-controller with the command:
```bash
helm install nginx-ingress-controller oci://ghcr.io/nginxinc/charts/nginx-ingress --namespace kube-system
```
***
## **Install Cert-Manager**
**Cert-Manager** is responsible for automatically issuing and renewing certificates from **Let's Encrypt.**
* Use **Helm** to install Cert-Manager via command:
```bash
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.16.2 \
--set crds.enabled=true
```
***
## **Steps to follow**
### **Deploy sample app**
Let's deploy a sample app, for example:
```bash
kubectl create deployment echo-server --image=mccutchen/go-httpbin
kubectl expose deployment echo-server --name=clusterip --port=80 --target-port=8080 --type=ClusterIP
```
### **Issuer Configuration**
Issuer is the component that helps Cert-Manager communicate with Let's Encrypt to issue certificates.
Testing on STAGING environment
1. Create file `letsencrypt-issuer.yaml`:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: ______________________ # Change to your email
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
ingressClassName: nginx
```
2. Create Issuer on VKS cluster via command:
```bash
kubectl apply -f letsencrypt-issuer.yaml
```
3. Check Issuer via command:
```bash
kubectl describe issuer letsencrypt-staging
```
4. The results returned are as follows:
```bash
Status:
Acme:
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/...
Conditions:
Last Transition Time: ...
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
```
5. Continue to deploy ingress, change your domain in the yaml file below:
```bash
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: go-httpbin
annotations:
cert-manager.io/issuer: "letsencrypt-staging"
acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- ______________________ # Change to your domain
secretName: quickstart-example-tls
rules:
- host: ______________________ # Change to your domain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: clusterip
port:
number: 80
```
6. Check certificate via command:
```bash
kubectl get certificate
NAME READY SECRET AGE
quickstart-example-tls True quickstart-example-tls 16m # Ready should be True
```
7. Check certificate details:
```bash
kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels:
Annotations:
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Cluster Name:
Creation Timestamp: 2018-11-17T17:58:37Z
Generation: 0
Owner References:
API Version: networking.k8s.io/v1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: a3e9f935-ea87-11e8-82f8-42010a8a00b5
Resource Version: 9295
Self Link: /apis/cert-manager.io/v1/namespaces/default/certificates/quickstart-example-tls
UID: 68d43400-ea92-11e8-82f8-42010a8a00b5
Spec:
Dns Names:
www.example.com
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Acme:
Order:
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/...
Conditions:
Last Transition Time: 2018-11-17T18:05:57Z
Message: Certificate issued successfully
Reason: CertIssued
Status: True
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateOrder 9m cert-manager Created new ACME order, attempting validation...
Normal DomainVerified 8m cert-manager Domain "www.example.com" verified with "http-01" validation
Normal IssueCert 8m cert-manager Issuing certificate...
Normal CertObtained 7m cert-manager Obtained certificate from ACME server
Normal CertIssued 7m cert-manager Certificate issued Successfully
```
8. Check connection to domain via command:
```bash
curl -kivL -H 'Host: ______DOMAIN______' 'http://_____IP_____'
```
9. You can also delete test resources via the command:
```bash
kubectl delete ingress go-httpbin
kubectl delete issuer letsencrypt-staging
kubectl delete secret quickstart-example-tls
kubectl delete secret letsencrypt-staging
```
Execute on PRODUCTION environment
1. Create file `letsencrypt-issuer.yaml`:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: ______________________ # Change to your email
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
ingressClassName: nginx
```
2. Create Issuer on VKS cluster via command:
```bash
kubectl apply -f letsencrypt-issuer.yaml
```
3. Check Issuer via command:
```bash
kubectl describe issuer letsencrypt-prod
```
4. Continue to deploy ingress, change your domain in the yaml file below:
```bash
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: go-httpbin
annotations:
cert-manager.io/issuer: "letsencrypt-prod"
acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- ______________________ # Change to your domain
secretName: quickstart-example-tls
rules:
- host: ______________________ # Change to your domain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: clusterip
port:
number: 80
```
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://docs.vngcloud.vn/vng-cloud-document/vks/network/working-with-alb/automatically-manage-certificates-in-vks-with-nginx-ingress-controller-cert-manager-and-lets-encr.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.