

Cert-Manager gives you free SSL certificates. Who doesn't like that?

It uses Let's Encrypt and encapsulates all the logic required to prove your ownership of a domain. It can also provision certificates dynamically, based on your Ingress definitions.

Basic configuration

Once you have installed Cert-Manager, you have to define a custom resource to configure:

  • your email, so Let's Encrypt can give you heads-ups about expiring certificates
  • the domain verification strategy
  • the ingress class

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
    # ACME server URL (assumed: Let's Encrypt production endpoint)
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

From here on, for every Ingress resource you create, Cert-Manager will try to provision an SSL certificate.

Day-two operations

When certificates are not provisioned

It is good practice to check the logs of the Cert-Manager pods. You will see some activity when you create or recreate an ingress.

If the logs keep displaying the same messages, or if there is no activity at all, you can browse the custom resources (CRDs) Cert-Manager places on your cluster.

To list the Cert-Manager related CRDs:

$ kubectl get crds | grep cert

To see your certificates and ongoing provisions:

kubectl get certificates -A
kubectl get certificaterequests -A
kubectl get orders,challenges -A

Once you have located the resources that are related to your ingress, run kubectl describe on them to reveal error messages. If needed, delete the custom resources to trigger a retry of the provisioning process.
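
To shorten the search for a stuck certificate, the check below lists every Certificate whose Ready condition is missing or not "True", together with the reason Cert-Manager reports. It is an added example, not part of Cert-Manager or Gimlet Stack; the sample data is constructed, and the NoReadyCondition label and the file name check_certs.py are assumptions of this example.

```python
import json
import sys

# Constructed sample shaped like `kubectl get certificates -A -o json` output.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "default", "name": "shop-tls"},
         "status": {"conditions": [
             {"type": "Ready", "status": "True", "reason": "Ready",
              "message": "Certificate is up to date and has not expired"}]}},
        {"metadata": {"namespace": "staging", "name": "api-tls"},
         "status": {"conditions": [
             {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
              "message": "Issuing certificate as Secret does not exist"},
             {"type": "Ready", "status": "False", "reason": "DoesNotExist",
              "message": "Issuing certificate as Secret does not exist"}]}},
        # No status yet: the controller has not picked this one up.
        {"metadata": {"namespace": "staging", "name": "new-tls"}},
    ]
}


def not_ready(cert_list):
    """Return (namespace, name, reason, message) for every Certificate
    whose Ready condition is missing or not "True"."""
    findings = []
    for item in cert_list.get("items", []):
        meta = item.get("metadata", {})
        conditions = item.get("status", {}).get("conditions", [])
        ready = next((c for c in conditions if c.get("type") == "Ready"), None)
        if ready is not None and ready.get("status") == "True":
            continue
        # "NoReadyCondition" is this script's own label, not a Cert-Manager reason.
        reason = ready.get("reason", "") if ready else "NoReadyCondition"
        message = ready.get("message", "") if ready else "no status reported yet"
        findings.append((meta.get("namespace"), meta.get("name"), reason, message))
    return findings


if __name__ == "__main__":
    # Read real kubectl JSON from stdin when piped, else use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, reason, message in not_ready(data):
        print(f"{ns}/{name}: {reason}: {message}")
        print(f"  next: kubectl describe certificate {name} -n {ns}")
```

Against a live cluster, pipe the real listing in: kubectl get certificates -A -o json | python3 check_certs.py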

Updating Cert-Manager

Cert-Manager updates are usually seamless, but keep an eye on the release notes, as the project does a very good job of highlighting possible breaking changes in each update.

If you use Gimlet Stack's curated update stream, you will get notified if an update needs special attention.