
Last Changed: 5th of November 2020
### install cert-manager v0.15.0 - jetstack
server:/ # kubectl create namespace cert-manager
# Kubernetes 1.15+
server:/ # kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
server:/ # helm repo add jetstack https://charts.jetstack.io
server:/ # helm repo update
server:/ # helm install cert-manager jetstack/cert-manager --version v0.15.0 -n cert-manager [--dry-run]
server:/ # kubectl get pods --namespace cert-manager
server:/ # kubectl -n cert-manager get service ${service_name}
NAME READY STATUS RESTARTS AGE
cert-manager-77f4c9d4b-894dq 1/1 Running 0 4d2h
cert-manager-cainjector-7cd4857fc7-z4b6c 1/1 Running 0 4d2h
cert-manager-webhook-586c9597db-5w8sf 1/1 Running 0 4d2h
server:/ #
Azure already has a prepared container image provided by Bitnami.
Make sure you create your resources in the AKS namespace so that the configuration becomes active:
cert-manager.io/cluster-issuer: letsencrypt-prod
If you get errors about the format of the YAML files like the one below, replace the existing code with a clean copy from the original source, even if it looks correct. See an example here.
server:/ # kubectl apply -f HTTP01-issuer.yaml -n $NAMESPACE
server:/ # kubectl apply -f Certificate.yaml -n $NAMESPACE
server:/ # kubectl get Certificate -n $NAMESPACE
NAME READY SECRET AGE
letsencrypt-staging False vsystem-tls-letsencrypt-staging 9m24s
vsystem-tls-certs-prod True vsystem-tls-certs-prod 16h
server:/ #
=> describe Certificate letsencrypt-staging
=> describe CertificateRequest letsencrypt-staging-<9-digits>
=> describe Order letsencrypt-staging-<9-digits>-<9-digits>
=> describe Challenge letsencrypt-staging-<9-digits>-<9-digits>-<9-digits>
=> describe Secret vsystem-tls-letsencrypt-staging
server:/ # kubectl describe certificate letsencrypt-staging -n $NAMESPACE
[...]
Status:
Conditions:
Last Transition Time: 2020-05-26T09:24:56Z
Message: Waiting for CertificateRequest "letsencrypt-staging-2680584605" to complete
Reason: InProgress
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Requested 10m cert-manager Created new CertificateRequest resource "letsencrypt-staging-2680584605"
server:/ # kubectl describe CertificateRequest letsencrypt-staging-2680584605 -n $NAMESPACE
[...]
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 12m cert-manager Created Order resource cert-manager/letsencrypt-staging-2680584605-3621476536
Normal OrderPending 12m cert-manager Waiting on certificate issuance from order cert-manager/letsencrypt-staging-2680584605-3621476536
server:/ # kubectl describe order letsencrypt-staging-2680584605-3621476536 -n $NAMESPACE
[...]
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 14m cert-manager Created Challenge resource "letsencrypt-staging-2680584605-3621476536-2139230782" for domain "<aks-cluster>.<region>.westeurope.cloudapp.azure.com"
Normal Created 14m cert-manager Created Challenge resource "letsencrypt-staging-2680584605-3621476536-3545865779" for domain "<aks-slcb>.<region>.cloudapp.azure.com"
server:/ # kubectl get challenges -n $NAMESPACE
NAME STATE
letsencrypt-staging-2680584605-3621476536-2139230782 valid
letsencrypt-staging-2680584605-3621476536-3545865779 pending
server:/ # kubectl describe challenge letsencrypt-staging-2680584605-3621476536-2139230782 -n $NAMESPACE
[...]
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 18m cert-manager Challenge scheduled for processing
Normal Presented 18m cert-manager Presented challenge using http-01 challenge mechanism
Normal DomainVerified 17m cert-manager Domain "<aks-cluster>.<region>.cloudapp.azure.com" verified with "http-01" validation
server:/ # kubectl get secret vsystem-tls-letsencrypt-staging -n $NAMESPACE -o yaml
server:/ # kubectl describe secret vsystem-tls-certs-staging -n $NAMESPACE
Name: vsystem-tls-certs-staging
Namespace: $NAMESPACE
[...]
Data
====
ca.crt: 0 bytes
tls.crt: 3610 bytes
tls.key: 1675 bytes
server:/ #
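The describe chain above (Certificate, CertificateRequest, Order, Challenge) can also be walked programmatically, because cert-manager links each resource to its parent through ownerReferences. The following is an added Python example, not code from the original post: it takes the `.items` of `kubectl get certificate,certificaterequest,order,challenge -o json` and reports every non-valid Challenge; SAMPLE is constructed from the names shown above, and its pending reason text is invented for illustration.

```python
"""Walk cert-manager's Certificate -> CertificateRequest -> Order -> Challenge chain via
ownerReferences. SAMPLE is constructed from the names on this page, not live cluster output."""

SAMPLE = [
    {"kind": "Certificate", "metadata": {"name": "letsencrypt-staging"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "InProgress"}]}},
    {"kind": "CertificateRequest", "metadata": {"name": "letsencrypt-staging-2680584605",
     "ownerReferences": [{"kind": "Certificate", "name": "letsencrypt-staging"}]},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending"}]}},
    {"kind": "Order", "metadata": {"name": "letsencrypt-staging-2680584605-3621476536",
     "ownerReferences": [{"kind": "CertificateRequest", "name": "letsencrypt-staging-2680584605"}]},
     "status": {"state": "pending"}},
    {"kind": "Challenge", "metadata": {"name": "letsencrypt-staging-2680584605-3621476536-2139230782",
     "ownerReferences": [{"kind": "Order", "name": "letsencrypt-staging-2680584605-3621476536"}]},
     "spec": {"dnsName": "<aks-cluster>.<region>.cloudapp.azure.com"}, "status": {"state": "valid"}},
    {"kind": "Challenge", "metadata": {"name": "letsencrypt-staging-2680584605-3621476536-3545865779",
     "ownerReferences": [{"kind": "Order", "name": "letsencrypt-staging-2680584605-3621476536"}]},
     "spec": {"dnsName": "<aks-slcb>.<region>.cloudapp.azure.com"},
     "status": {"state": "pending", "reason": "constructed: http-01 token not reachable yet"}},
]

def owned_by(objs, kind, parent_kind, parent_name):
    """Objects of `kind` whose ownerReferences point at parent_kind/parent_name."""
    return [o for o in objs if o["kind"] == kind and any(
        r["kind"] == parent_kind and r["name"] == parent_name
        for r in o["metadata"].get("ownerReferences", []))]

def ready_reason(obj):
    # Reason of the Ready condition (Certificate / CertificateRequest), or 'n/a'
    return next((c["reason"] for c in obj.get("status", {}).get("conditions", [])
                 if c["type"] == "Ready"), "n/a")

def trace(objs, cert_name):
    """Return [(kind, name, state)] from the Certificate down to every Challenge."""
    cert = next(o for o in objs if o["kind"] == "Certificate" and o["metadata"]["name"] == cert_name)
    rows = [("Certificate", cert_name, ready_reason(cert))]
    for cr in owned_by(objs, "CertificateRequest", "Certificate", cert_name):
        rows.append(("CertificateRequest", cr["metadata"]["name"], ready_reason(cr)))
        for order in owned_by(objs, "Order", "CertificateRequest", cr["metadata"]["name"]):
            rows.append(("Order", order["metadata"]["name"], order["status"]["state"]))
            for ch in owned_by(objs, "Challenge", "Order", order["metadata"]["name"]):
                rows.append(("Challenge", ch["metadata"]["name"], ch["status"]["state"]))
    return rows

def blocking_challenges(objs, cert_name):
    """(dnsName, reason) of every not-yet-valid Challenge: describe these first."""
    chain = {n for k, n, _ in trace(objs, cert_name) if k == "Challenge"}
    return [(o["spec"]["dnsName"], o["status"].get("reason", "")) for o in objs
            if o["kind"] == "Challenge" and o["metadata"]["name"] in chain
            and o["status"].get("state") != "valid"]
```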
Please note that only plain PEM/CRT certificates are accepted.
Sometimes the certificates are only available as binary (DER) files. This type of file is not accepted by the certificate store of SAP Data Hub.
Note 2631190 - Download location of SSL certificates required for Support Hub Connectivity configura...
Note 2148457 - How to convert the keypair of a PKCS#12 / PFX container into a PSE file
openssl x509 -in DigiCertGlobalRootCA.crt -inform der -outform pem -out DigiCertGlobalRootCA.pem
openssl x509 -in DigiCertGlobalRootG2.crt -inform der -outform pem -out DigiCertGlobalRootG2.pem
openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -inform der -outform pem -out DigiCertHighAssuranceEVRootCA.pem
openssl x509 -inform DER -in DigiCertGlobalRootG2.crt -out DigiCertGlobalRootG2.cer
openssl x509 -inform DER -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.cer
openssl x509 -inform DER -in SAPSSO_CA_G2.crt -out SAPSSO_CA_G2.cer
openssl x509 -inform DER -in SAPGlobalRootCA.crt -out SAPGlobalRootCA.cer
openssl x509 -inform DER -in SAPNetCA_G2.crt -out SAPNetCA_G2.cer
openssl x509 -inform DER -in SAPPassportG2.crt -out SAPPassportG2.cer
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
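What the `openssl x509 -inform DER ... -out X.cer` lines above actually do is re-encode the same DER bytes as base64 text between armor lines. The following added Python example (not part of the original post, pure standard library) tells the two encodings apart, checks that a DER file is one complete ASN.1 SEQUENCE, and converts it to PEM; the sample DER blobs are constructed SEQUENCEs, not real certificates.

```python
"""Tell DER (binary) from PEM (text) X.509 files and convert DER to PEM, which is
what `openssl x509 -inform DER -in X.crt -out X.cer` does. Pure stdlib; the sample
DER blobs below are constructed ASN.1 SEQUENCEs, not real certificates."""
import base64
import textwrap

def is_pem(data: bytes) -> bool:
    """PEM is base64 text wrapped in -----BEGIN .../-----END ... armor lines."""
    return data.lstrip().startswith(b"-----BEGIN ")

def is_der(data: bytes) -> bool:
    """A DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose encoded length covers
    exactly the rest of the file; check the length, not just the tag byte."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length is this byte
        hdr, length = 2, first
    else:                                 # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)

def der_to_pem(der: bytes) -> bytes:
    """Wrap DER as PEM: base64 body at 64 characters per line between armor lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body).encode("ascii")

def pem_to_der(pem: bytes) -> bytes:
    """Inverse of der_to_pem: drop the armor lines and base64-decode the body."""
    lines = pem.decode("ascii").splitlines()
    return base64.b64decode("".join(ln.strip() for ln in lines if not ln.startswith("-----")))

def to_pem(data: bytes) -> bytes:
    """Return PEM for either encoding; anything else (e.g. a PKCS#12/PFX container,
    which holds key and chain and must be unpacked first) is rejected."""
    if is_pem(data):
        return data
    if is_der(data):
        return der_to_pem(data)
    raise ValueError("not a DER or PEM X.509 certificate")

# Constructed samples: SEQUENCE{INTEGER 1, INTEGER 65537} with a short-form length,
# and a SEQUENCE with a long-form length (0x81 0x80 = 128 content bytes).
SAMPLE_DER = bytes.fromhex("30080201010203010001")
SAMPLE_DER_LONG = b"\x30\x81\x80" + b"\x04\x7e" + bytes(126)
```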
SAP Cloud Connector Administration - Trust Store