
## Installation

| Platform | Command |
|----------|---------|
| kubectl (Static Manifests) | `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml` |
| Helm (Recommended) | `helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true` |
| macOS (cmctl CLI) | `brew install cmctl` |
| Linux (cmctl CLI) | `curl -sSL https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cmctl-linux-amd64.tar.gz \` |
| Windows (cmctl CLI) | `curl.exe -L -o cmctl.exe https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cmctl-windows-amd64.exe` |
| Verify Installation | `kubectl get pods -n cert-manager` |
```bash
# Add Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update repository
helm repo update

# Install with custom values (pin the chart version you have reviewed)
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.13.3 \
  --values custom-values.yaml
```
| Command | Description |
|---------|-------------|
| `kubectl get certificates` | List all certificates in the current namespace |
| `kubectl get certificates -A` | List certificates in all namespaces |
| `kubectl describe certificate <name>` | Show detailed certificate information |
| `kubectl get certificate <name> -o yaml` | View the certificate in YAML |
| `kubectl get issuer` | List all issuers in the current namespace |
| `kubectl get clusterissuer` | List cluster-wide issuers |
| `kubectl describe issuer <name>` | Show detailed issuer information |
| `kubectl get certificaterequest` | List certificate requests |
| `kubectl get order` | View ACME certificate orders |
| `kubectl get challenge` | View ACME challenges for domain validation |
| `kubectl logs -n cert-manager deployment/cert-manager` | View cert-manager controller logs |
| `kubectl logs -n cert-manager deployment/cert-manager-webhook` | View webhook logs |
| `kubectl logs -n cert-manager deployment/cert-manager-cainjector` | View CA injector logs |
| `cmctl check api` | Verify that the cert-manager API (webhook) is reachable |
| `cmctl version` | Show cert-manager version information |
| `cmctl status certificate <name>` | Check certificate status and readiness |
| `cmctl inspect secret <secret-name>` | Inspect a TLS Secret created by cert-manager |
| `cmctl renew <cert-name>` | Manually trigger certificate renewal |
| `kubectl get crd \| grep cert-manager` | List the installed cert-manager CRDs |
| `kubectl get events --field-selector involvedObject.name=<cert-name>` | View events for a specific certificate |
| Command | Description |
|---------|-------------|
| `cmctl approve <certificaterequest-name>` | Manually approve a CertificateRequest |
| `cmctl deny <certificaterequest-name>` | Deny a CertificateRequest |
| `cmctl create certificaterequest test --from-certificate-file=cert.yaml` | Create a CertificateRequest from a Certificate manifest |
| `cmctl convert -f cert.yaml --output-version cert-manager.io/v1` | Convert a cert-manager manifest to another API version (`cmctl convert` does not produce PEM; decode the Secret for that, see below) |
| `cmctl experimental create acmeaccount --server=<url> --email=<email>` | Register a test ACME account |
| `kubectl annotate certificate <name> cert-manager.io/issue-temporary-certificate="true" --overwrite` | Issue a temporary self-signed certificate into the target Secret while the real issuance is pending (for ingress controllers that reject an empty Secret). This does not force renewal; use `cmctl renew` for that |
| `kubectl delete certificaterequest <name>` | Remove a failed CertificateRequest |
| `kubectl delete order <name>` | Delete an ACME Order |
| `kubectl delete challenge <name>` | Remove a stuck ACME Challenge |
| `kubectl get certificate <name> -o jsonpath='{.status.conditions}'` | Extract the certificate status conditions |
| `kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' \| base64 -d` | Decode the issued PEM certificate from its TLS Secret (note the escaped dot in `tls\.crt`); pipe it into `openssl x509 -noout -text` to read it |
| `helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --version v1.13.3` | Upgrade cert-manager to a new version |
| `kubectl rollout restart deployment -n cert-manager` | Restart all cert-manager components |
| `kubectl scale deployment cert-manager -n cert-manager --replicas=2` | Scale cert-manager for high availability (replicas use leader election, so only one is active at a time) |
| `kubectl get certificate --watch` | Watch certificate status in real time |
| `kubectl patch certificate <name> --type merge -p '{"spec":{"renewBefore":"720h"}}'` | Change the certificate renewal window |
| `kubectl delete secret <tls-secret>` | Delete the certificate Secret (triggers re-issuance) |
| `cmctl experimental install` | Install cert-manager with the cmctl tool |
| `cmctl experimental uninstall` | Uninstall cert-manager and clean up its resources |
### Self-Signed ClusterIssuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```

### Let's Encrypt Staging (HTTP-01 Challenge)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
```

### Let's Encrypt Production (DNS-01 Challenge)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudDNS:
          project: my-gcp-project
          serviceAccountSecretRef:
            name: clouddns-dns01-solver
            key: key.json
```

### CA Issuer (Internal PKI)
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: default
spec:
  ca:
    secretName: ca-key-pair
```

### Certificate Resource
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - www.example.com
  duration: 2160h      # 90 days
  renewBefore: 360h    # 15 days before expiry
```

### Wildcard Certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: default
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"
  - example.com
```

### Vault Issuer
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default
spec:
  vault:
    server: https://vault.example.com
    path: pki/sign/example-dot-com
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: cert-manager
        secretRef:
          name: vault-token
          key: token
```

### Helm Values Configuration
```yaml
# custom-values.yaml
installCRDs: true
replicaCount: 2

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 200m
    memory: 256Mi

prometheus:
  enabled: true
  servicemonitor:
    enabled: true

webhook:
  replicaCount: 2

cainjector:
  replicaCount: 2
```
### Use Case 1: Secure Ingress with Let's Encrypt
```bash
# Create ClusterIssuer
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

# Create Ingress with TLS annotation (ingress-shim creates the Certificate for you)
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
EOF

# Verify certificate creation (the generated Certificate is named after the Secret)
kubectl get certificate
kubectl describe certificate example-com-tls
```

### Use Case 2: Internal Service mTLS
```bash
# Create self-signed CA
# The CA Secret must live in the cluster resource namespace (cert-manager by default)
# for a ClusterIssuer to read it.
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: my-ca
  secretName: my-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
EOF

# Create CA issuer from generated CA
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: my-ca-secret
EOF

# Issue service certificates
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: service-a-cert
  namespace: default
spec:
  secretName: service-a-tls
  duration: 8760h
  renewBefore: 720h
  subject:
    organizations:
    - my-org
  commonName: service-a.default.svc.cluster.local
  dnsNames:
  - service-a.default.svc.cluster.local
  issuerRef:
    name: my-ca-issuer
    kind: ClusterIssuer
EOF
```

### Use Case 3: Wildcard Certificate with DNS-01
```bash
# Create DNS provider secret (example: Cloudflare)
# A ClusterIssuer resolves secretRefs in the cert-manager namespace, so create it there.
kubectl create secret generic cloudflare-api-token \
  --namespace cert-manager \
  --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN

# Create ClusterIssuer with DNS-01 solver
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-dns
    solvers:
    - dns01:
        cloudflare:
          email: admin@example.com
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
EOF

# Request wildcard certificate
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example
  namespace: default
spec:
  secretName: wildcard-example-tls
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"
  - example.com
EOF

# Monitor certificate issuance
kubectl get certificate wildcard-example -w
```

### Use Case 4: Securing a Kubernetes Webhook
```bash
# Create certificate for webhook
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-cert
  namespace: webhook-system
spec:
  secretName: webhook-server-cert
  duration: 8760h
  renewBefore: 720h
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
  - webhook-service.webhook-system.svc
  - webhook-service.webhook-system.svc.cluster.local
EOF

# Reference in webhook configuration
kubectl apply -f - <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: my-webhook
  annotations:
    cert-manager.io/inject-ca-from: webhook-system/webhook-cert
webhooks:
- name: webhook.example.com
  admissionReviewVersions: ["v1"]   # required by the v1 API
  sideEffects: None                 # required by the v1 API
  clientConfig:
    service:
      name: webhook-service
      namespace: webhook-system
      path: "/validate"
    caBundle: "" # Injected by cainjector from the Certificate's Secret (ca.crt)
EOF
```

### Use Case 5: Certificate Rotation and Renewal
```bash
# Create certificate with short duration for testing
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: short-lived-cert
  namespace: default
spec:
  secretName: short-lived-tls
  duration: 24h
  renewBefore: 8h
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
  - test.example.com
EOF

# Monitor renewal
kubectl get certificate short-lived-cert -w

# Force immediate renewal
# (the issue-temporary-certificate annotation does not do this; it only fills the
#  Secret with a temporary self-signed certificate while issuance is pending)
cmctl renew short-lived-cert

# Check renewal history
kubectl get certificaterequest -l cert-manager.io/certificate-name=short-lived-cert

# Verify new certificate
cmctl inspect secret short-lived-tls
```
## Best Practices

- **Set a generous `renewBefore`**: use a renewal window of at least one third of the certificate duration so that cert-manager has several retry attempts before expiry (this is also cert-manager's default when `renewBefore` is unset)

- **Monitor expiry**: alert on the `certmanager_certificate_expiration_timestamp_seconds` metric exposed when Prometheus metrics are enabled

- **Use DNS-01 for wildcards and internal services**: the DNS-01 challenge is required for wildcard certificates and works best for services not exposed to the internet

- **Apply proper RBAC**: restrict access to Issuers and certificate Secrets with Kubernetes RBAC to prevent unauthorized certificate creation

- **Version your configuration**: store Certificate and Issuer manifests in Git to track changes and enable GitOps workflows

- **Use separate issuers per environment**: create distinct issuers for dev/staging/prod to isolate credentials and prevent cross-environment certificate problems

- **Enable CA injection for webhooks**: use the `cert-manager.io/inject-ca-from` annotation to inject CA bundles into webhook configurations automatically

- **Plan for disaster recovery**: back up the CA private keys and ACME account credentials stored in Kubernetes Secrets to a secure external store
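The renewal-window rule above, and the rotation walkthrough in Use Case 5, can be checked across a whole cluster rather than one Certificate at a time. The following script is an added example, not code from the cert-manager project: it reads the JSON produced by `kubectl get certificate -A -o json`, applies cert-manager's defaults (a 2160h duration when `spec.duration` is unset, and renewal once two thirds of the lifetime has elapsed when `spec.renewBefore` is unset) and its minimums (1h duration, 5m `renewBefore`), and flags every Certificate whose `renewBefore` is under a third of its duration or whose Ready condition is not True. The embedded sample list is constructed to mirror the manifests on this page; note that it flags the `service-a-cert` example (8760h duration, 720h `renewBefore`) against the page's own one-third rule.

```python
"""Lint cert-manager Certificates for weak renewal windows.

Added example (not cert-manager code). Usage:
    kubectl get certificate -A -o json | python3 cert_renewal_lint.py
"""
import json
import re
import sys

MIN_DURATION_S = 3600       # cert-manager rejects spec.duration below 1h
MIN_RENEW_BEFORE_S = 300    # and spec.renewBefore below 5m
DEFAULT_DURATION = "2160h"  # default when spec.duration is unset (90 days)

_TOKEN = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_UNIT_S = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a Go-style duration ('2160h', '1h30m', '90s') into seconds."""
    if not isinstance(text, str) or not re.fullmatch(r"(?:\d+(?:\.\d+)?[hms])+", text):
        raise ValueError(f"invalid duration {text!r}")
    return sum(float(n) * _UNIT_S[u] for n, u in _TOKEN.findall(text))


def renewal_window(spec):
    """Return (duration_s, renew_before_s) with cert-manager's defaults applied.

    Unset duration -> 2160h. Unset renewBefore -> one third of the duration,
    so the first renewal attempt happens after two thirds of the lifetime.
    """
    duration = parse_duration(spec.get("duration", DEFAULT_DURATION))
    if spec.get("renewBefore") is None:
        return duration, duration / 3
    return duration, parse_duration(spec["renewBefore"])


def lint_certificate(cert):
    """Yield (level, message) findings for one Certificate object."""
    spec = cert.get("spec", {})
    try:
        duration, renew_before = renewal_window(spec)
    except ValueError as exc:
        yield "error", str(exc)
        return
    if duration < MIN_DURATION_S:
        yield "error", f"duration {duration / 3600:g}h is below the 1h minimum"
    if renew_before < MIN_RENEW_BEFORE_S:
        yield "error", "renewBefore is below the 5m minimum"
    if renew_before >= duration:
        yield "error", "renewBefore must be shorter than duration"
    elif renew_before < duration / 3:
        # Best practice from this page: keep at least a third of the lifetime for retries.
        yield "warning", (f"renewBefore {renew_before / 3600:g}h is under a third of the "
                          f"{duration / 3600:g}h duration; too few retries before expiry")
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready" and cond.get("status") != "True":
            yield "error", f"not Ready: {cond.get('reason', '?')}: {cond.get('message', '')}"


def lint_list(doc):
    """Lint a kubectl List of Certificates -> {namespace/name: [(level, msg), ...]}.
    Certificates without findings are omitted."""
    out = {}
    for item in doc.get("items", []):
        meta = item["metadata"]
        findings = list(lint_certificate(item))
        if findings:
            out[f"{meta.get('namespace', 'default')}/{meta['name']}"] = findings
    return out


# Constructed sample mirroring the manifests on this page (not a real cluster dump).
SAMPLE = {"kind": "List", "items": [
    {"metadata": {"name": "example-com", "namespace": "default"},
     "spec": {"secretName": "example-com-tls", "duration": "2160h", "renewBefore": "360h"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "service-a-cert", "namespace": "default"},
     "spec": {"secretName": "service-a-tls", "duration": "8760h", "renewBefore": "720h"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "short-lived-cert", "namespace": "default"},
     "spec": {"secretName": "short-lived-tls", "duration": "24h", "renewBefore": "8h"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "wildcard-example", "namespace": "default"},
     "spec": {"secretName": "wildcard-example-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                                "message": "Waiting for DNS-01 challenge"}]}},
    {"metadata": {"name": "bad-duration", "namespace": "test"},
     "spec": {"secretName": "bad-tls", "duration": "30m", "renewBefore": "10m"}},
]}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for key, findings in lint_list(doc).items():
        for level, msg in findings:
            print(f"{level:7s} {key}: {msg}")
```

Run it with no input to see the findings for the constructed sample, or pipe real `kubectl` output into it from a CI job or a cron in the cluster; Certificates with no findings are deliberately silent so the output stays actionable.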

## Troubleshooting

| Problem | Solution |
|---------|----------|
| **Certificate stuck in "Pending"** | Check the certificate request: `kubectl describe certificaterequest <name>`. Look for ACME challenge failures or issuer configuration errors |
| **ACME HTTP-01 challenge failing** | Verify the ingress is reachable from the internet: `curl http://<domain>/.well-known/acme-challenge/test`. Check that the ingress class matches the solver configuration |
| **DNS-01 challenge timeout** | Confirm the DNS provider credentials: `kubectl get secret <dns-secret> -o yaml`. Verify DNS propagation: `dig TXT _acme-challenge.<domain>` |
| **"Too many certificates" rate limit** | Switch to the Let's Encrypt staging server or wait out the 7-day window. Check the limits: https://letsencrypt.org/docs/rate-limits/ |
| **Certificate not renewing automatically** | Check the `renewBefore` setting and the cert-manager logs: `kubectl logs -n cert-manager deployment/cert-manager`. Verify the controller is running |
| **Webhook connection failures** | Verify the webhook service is running: `kubectl get svc -n cert-manager`. Check webhook certificate validity: `cmctl check api` |
| **CA injection not working** | Ensure cainjector is running: `kubectl get pods -n cert-manager`. Verify the annotation syntax: `cert-manager.io/inject-ca-from: namespace/certificate` |
| **Certificate shows "Ready=False"** | Get detailed status: `cmctl status certificate <name>`. Check events: `kubectl get events --field-selector involvedObject.name=<cert-name>` |
| **Order stuck in "Pending"** | Delete the order to retry: `kubectl delete order <order-name>`. A new Order is created automatically for the pending CertificateRequest |
| **Secret not created after certificate ready** | Check the secret name matches `secretName` in the Certificate spec. Verify the namespace: `kubectl get secret <name> -n <namespace>` |
| **Wildcard certificate validation fails** | Ensure a DNS-01 solver is configured (HTTP-01 does not support wildcards). Verify the DNS provider permissions for creating TXT records |
| **Certificate shows wrong issuer** | Delete the certificate request: `kubectl delete certificaterequest <name>`. Update the Certificate spec with the correct `issuerRef` |
| **High memory usage** | Reduce the certificate count or raise the limits: `kubectl set resources deployment cert-manager -n cert-manager --limits=memory=512Mi` |
| **Duplicate certificates created** | Check for multiple Certificate resources with the same `secretName`. Remove duplicates to prevent conflicts |
| **ACME account registration fails** | Verify the email format in the issuer spec. Check that the ACME server URL is correct. Review the cert-manager logs for detailed error messages |
### Debug Command Sequence

```bash
# Complete troubleshooting workflow, following the chain
# Certificate -> CertificateRequest -> Order -> Challenge -> controller logs
kubectl describe certificate <cert-name>
kubectl get certificaterequest -l cert-manager.io/certificate-name=<cert-name>
kubectl describe certificaterequest <request-name>
kubectl get order
kubectl describe order <order-name>
kubectl get challenge
kubectl describe challenge <challenge-name>
kubectl logs -n cert-manager deployment/cert-manager --tail=100
```

### Common Log Patterns

```bash
# Search for errors about a specific certificate
kubectl logs -n cert-manager deployment/cert-manager | grep "certificate="

# Find ACME challenge errors
kubectl logs -n cert-manager deployment/cert-manager | grep "challenge"

# Check for rate limit errors (Let's Encrypt reports them as urn:...:rateLimited)
kubectl logs -n cert-manager deployment/cert-manager | grep -iE "rate ?limit"

# Monitor certificate renewal attempts
kubectl logs -n cert-manager deployment/cert-manager -f | grep "renewal"
```
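To triage those log patterns without eyeballing grep output, here is an added Python example (not part of cert-manager): it parses the klog header and the logr `"key"="value"` fields that the cert-manager controller emits, pulls out the affected resource, and buckets each line as rate-limit, HTTP-01 or DNS-01 challenge failure, renewal, or readiness change, then lists the resources behind every error-level line. The five sample lines are constructed for this example in cert-manager's log format and are not real captures; the classification rules are heuristics on message text, so extend `RULES` to match what your own issuers log.

```python
"""Triage cert-manager controller logs into actionable buckets.

Added example (not cert-manager code). Usage:
    kubectl logs -n cert-manager deployment/cert-manager --tail=500 | python3 triage.py
"""
import re
import sys
from collections import Counter

# klog header: level+date, time, pid, file:line], then the logr logger name and fields.
HEADER = re.compile(
    r'^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ \S+\] (\S+) (.*)$')
# logr key/value pairs: "key"="value", with \" escapes allowed inside the value.
KV = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')

# First matching rule wins; the searched text is msg + error + message + reason + type.
RULES = [
    ("rate-limit", re.compile(r"rateLimited|too many certificates", re.I)),
    ("http01-challenge", re.compile(r"HTTP-01|wrong status code|acme-challenge")),
    ("dns01-challenge", re.compile(r"DNS-01|not yet propagated|TXT record")),
    ("renewal", re.compile(r"renew|re-issued", re.I)),
    ("ready", re.compile(r'condition "Ready"')),
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not in klog/logr format."""
    m = HEADER.match(line)
    if not m:
        return None
    level, mmdd, clock, logger, rest = m.groups()
    fields = {k: v.replace('\\"', '"') for k, v in KV.findall(rest)}
    ns, name = fields.get("resource_namespace"), fields.get("resource_name")
    # Order/Challenge controllers log resource_* fields; certificate controllers log "key"=ns/name.
    resource = f"{ns}/{name}" if ns and name else fields.get("key")
    text = " ".join(fields.get(k, "") for k in ("msg", "error", "message", "reason", "type"))
    category = next((c for c, pat in RULES if pat.search(text)), "other")
    return {"level": level, "time": f"{mmdd} {clock}", "logger": logger,
            "resource": resource, "category": category, "fields": fields}


def triage(log_text):
    """Parse all lines; return (Counter of categories, list of parsed records)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return Counter(r["category"] for r in records), records


def needs_action(records):
    """Resources with at least one error-level (E) line, grouped by category."""
    out = {}
    for r in records:
        if r["level"] == "E" and r["resource"]:
            out.setdefault(r["category"], set()).add(r["resource"])
    return out


# Constructed sample lines in cert-manager's klog/logr format (not real captures).
SAMPLE_LOGS = """\
I0115 10:20:01.000001       1 trigger_controller.go:215] cert-manager/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-com" "message"="Renewing certificate as renewal was scheduled at 2024-01-15 10:20:00 +0000 UTC" "reason"="Renewing"
E0115 10:20:05.000002       1 sync.go:209] cert-manager/challenges "msg"="propagation check failed" "error"="wrong status code '404', expected '200'" "dnsName"="example.com" "resource_kind"="Challenge" "resource_name"="example-com-tls-1-123-456" "resource_namespace"="default" "type"="HTTP-01"
E0115 10:21:10.000003       1 sync.go:161] cert-manager/orders "msg"="failed to create Order resource due to bad request, marking Order as failed" "error"="429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: wildcard.example.com: see https://letsencrypt.org/docs/rate-limits/" "resource_kind"="Order" "resource_name"="wildcard-example-tls-1-789" "resource_namespace"="default"
E0115 10:22:00.000004       1 sync.go:209] cert-manager/challenges "msg"="propagation check failed" "error"="DNS record for \\"api.example.com\\" not yet propagated" "dnsName"="api.example.com" "resource_kind"="Challenge" "resource_name"="api-tls-1-321" "resource_namespace"="default" "type"="DNS-01"
I0115 10:25:00.000005       1 conditions.go:263] cert-manager/certificates-readiness "msg"="Setting lastTransitionTime for Certificate \\"short-lived-cert\\" condition \\"Ready\\" to 2024-01-15 10:25:00 +0000 UTC" "key"="default/short-lived-cert"
"""

if __name__ == "__main__":
    text = SAMPLE_LOGS if sys.stdin.isatty() else sys.stdin.read()
    counts, records = triage(text)
    for cat, n in counts.most_common():
        print(f"{n:4d}  {cat}")
    for cat, resources in needs_action(records).items():
        print(f"\n[{cat}] needs attention:")
        for res in sorted(resources):
            print(f"  {res}")
```

The resource names it prints are exactly the ones to feed into the debug sequence above (`kubectl describe challenge <name>`, `kubectl describe order <name>`); a rate-limit hit on a production issuer is the one to act on first, because retrying only burns more of the weekly quota.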