Getting Let's Encrypt Certificates with TrueCharts certissuer

TheColin21

Hi,

I am currently using multiple TrueCharts apps on my TrueNAS-SCALE-22.12.3.3 installation.
A few weeks ago I set up certificates via TrueNAS's own certificate management which seemed to work fine. I noticed that this method is marked as deprecated only afterwards and thought it would work fine nonetheless.

I now noticed that my certificate does not get extended and wanted to do it the right way now instead of troubleshooting something that is already deprecated.

I followed this guide: https://truecharts.org/charts/enterprise/clusterissuer/how-to

I installed cert-manager, traefik is installed too. I created a CloudFlare API Token and set up clusterissuer as described in the guide.
I then entered the name of the just created issuer as "Cert-Manager clusterIssuer" in the app config of one of my apps, it redeployed just fine aaand... it still uses the old certificate.

The application events included the following:
Error presenting challenge: error getting cloudflare secret: secret "<name>-clusterissuer-secret" not found

This event only appeared once. It does not appear again if I change an app setting and redeploy it.

Is there any guide on how to do this properly?
Any idea what I did wrong?

Best regards
 

Bear Tan

Hi,
I got the same error. So I tried to google it and I found this: https://github.com/cert-manager/cert-manager/issues/650

I exported the Secret from the namespace "ix-<app name of clusterissuer>":
Code:
k3s kubectl get secret autocert-clusterissuer-secret -n ix-cert-manager -o yaml > autocert-clusterissuer-secret.yaml


Then I removed the namespace inside the YAML and imported it into both namespaces, "kube-system" and "cert-manager":
Code:
# The cert-manager namespace is created by Cert-Manager in the operators train.
k3s kubectl apply -f autocert-clusterissuer-secret.yaml -n cert-manager
k3s kubectl apply -f autocert-clusterissuer-secret.yaml -n kube-system


After that, it's all good.

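The "remove the namespace inside the yaml" step from the post above, as an added example that is not part of the original thread: it takes the Secret exported with -o json instead of -o yaml and drops the namespace and server-set metadata so the manifest can be applied with -n. The function name, the api-token key and the sample values are assumptions constructed for illustration.

```python
import json
import sys

# Metadata written by the API server or bound to the source namespace.
DROP_META = {"namespace", "uid", "resourceVersion", "creationTimestamp",
             "ownerReferences", "managedFields", "selfLink", "generation"}
# Annotations that embed the old namespace (and, for last-applied, the data).
DROP_ANNOTATIONS = ("kubectl.kubernetes.io/last-applied-configuration",
                    "meta.helm.sh/")

def portable_secret(manifest: dict) -> dict:
    """Return a copy of a Secret manifest that can be applied with -n <ns>."""
    if manifest.get("kind") != "Secret":
        raise ValueError("expected kind: Secret, got %r" % manifest.get("kind"))
    meta = manifest.get("metadata") or {}
    if not meta.get("name"):
        raise ValueError("Secret has no metadata.name")
    clean = {k: v for k, v in meta.items()
             if k not in DROP_META and k != "annotations"}
    kept = {k: v for k, v in (meta.get("annotations") or {}).items()
            if not k.startswith(DROP_ANNOTATIONS)}
    if kept:
        clean["annotations"] = kept
    out = {"apiVersion": manifest.get("apiVersion", "v1"), "kind": "Secret",
           "metadata": clean, "type": manifest.get("type", "Opaque")}
    for field in ("data", "stringData", "immutable"):
        if field in manifest:
            out[field] = manifest[field]
    return out

# Constructed sample, shaped like `kubectl get secret ... -o json` output.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {
        "name": "autocert-clusterissuer-secret", "namespace": "ix-cert-manager",
        "uid": "00000000-0000-0000-0000-000000000000", "resourceVersion": "1",
        "labels": {"app": "constructed"},
        "annotations": {"meta.helm.sh/release-namespace": "ix-cert-manager"},
    },
    "data": {"api-token": "ZHVtbXk="},  # base64 of "dummy", not a real token
}

if __name__ == "__main__":
    # Usage: k3s kubectl get secret NAME -n SRC -o json | python3 this.py
    json.dump(portable_secret(json.load(sys.stdin)), sys.stdout, indent=2)
```

Each copy is a separate object holding the same Cloudflare API token, so rotating the token means updating every namespace it was copied into.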
 

Bear Tan

I'm not sure whether this is an issue or not.
Maybe the TrueCharts team could consider adding the secret to the necessary namespaces automatically when deploying the clusterissuer app.
 

TheColin21

Hi, thanks for your reply.
As nothing happened in this thread for a while I contacted TrueCharts support.

They told me I still had old cert-manager operators running, to uninstall cert-manager and clusterissuer and to execute
Code:
kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete4
.

After that I should try again, which (only after a reboot) worked.
 

danb35

Just to correct that command, it's k3s kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete4. And be aware that it might take a while to complete.
 

Bear Tan

Thanks for the information.

I believe the command line is referring to https://truecharts.org/news/cert-manager-operator/. And I was missing that.

My server was upgraded from Angelfish 22.02.4 to Bluefin 22.12.3.3. The reason I upgraded is that I wanted to update my Apps.
But after the upgrade, I hit a lot of problems.

Now I am still migrating the Apps and I am referring to:

Just some advice for anyone who may need it. The above links are really important when you upgrade TrueNAS SCALE from Angelfish to a new version of Bluefin for updating Apps.
 