Create Let’s Encrypt certificate

Let’s Encrypt is a free, automated, and open Certificate Authority. It helps solve the problem of automatic HTTPS configuration on a server, where SSL/TLS certificates are issued and renewed without human participation.

You can install a Let's Encrypt certificate in BRIX On-Premises Enterprise. This article describes how to perform such an installation.

To create a Let's Encrypt certificate, follow these steps:

  1. Install the Cert-manager add-on component.
  2. Create the file cluster-issuer.yaml:

nano cluster-issuer.yaml

To initiate the certificate order procedure in a Kubernetes cluster, you must declare the certification authority (CA) resources that will sign the Certificate Signing Requests (CSRs). Depending on the desired scope, declare the appropriate resource:

  • Issuer: can be used within a single namespace;
  • ClusterIssuer: a global, cluster-wide object.
  3. Insert the following values into the cluster-issuer.yaml file:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: elma365-certificate
spec:
  acme:
    email: your_email@mail_server_domain
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: elma365-certificate
    solvers:
      - http01:
          ingress:
            class: nginx

where:

  • spec.acme.email is your email address;
  • spec.acme.server is the ACME server address. Let's Encrypt has a limitation on the number of issued certificates, approximately five per week. For debugging purposes, you can use the Let's Encrypt staging server address, which does not have this limitation: https://acme-staging-v02.api.letsencrypt.org/directory.
  4. Apply the cluster-issuer.yaml file to the cluster:

kubectl apply -f cluster-issuer.yaml

  5. Create a YAML file for the certificate, create-elma365-certificate.yaml:

nano create-elma365-certificate.yaml

  6. Insert the following values into the create-elma365-certificate.yaml file:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: elma365-tls-certificate
  namespace: [namespace]
spec:
  secretName: elma365-onpremise-tls
  issuerRef:
    kind: ClusterIssuer
    name: elma365-certificate
  commonName: elma365_server.your_domain
  dnsNames:
  - elma365_server.your_domain

where:

  • metadata.namespace is the name of the target namespace where the certificate should be placed;
  • spec.commonName and dnsNames are the fully qualified domain name (FQDN) for which the certificate should be issued (replace "elma365_server.your_domain").

Attention

The secret with the certificate must be created in the same namespace in which the target application (the one the certificate is issued for) is running or will be installed.

For the BRIX application, the standard namespace is elma365.

For embedded databases, the standard namespace is elma365-dbs.

  7. Apply the certificate to the cluster:

kubectl apply -f create-elma365-certificate.yaml

  8. To install or update the BRIX application or embedded databases, use the secret elma365-onpremise-tls (the name specified in the spec.secretName parameter).
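After the last step, it is worth confirming that the objects actually reached a usable state before pointing the application at the secret. The added example below (not part of the BRIX documentation) reads the JSON that `kubectl get clusterissuer elma365-certificate -o json` and `kubectl get certificate -n elma365 elma365-tls-certificate -o json` print, reports whether the ClusterIssuer points at the staging server (whose certificates browsers do not trust) and whether the Certificate is Ready, and computes the remaining validity; the sample objects are constructed, and the reason/message strings in them are illustrative.

```python
from datetime import datetime

# ACME endpoints from the ClusterIssuer manifest above.
PRODUCTION_ACME = "https://acme-v02.api.letsencrypt.org/directory"
STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"


def ready_condition(obj: dict) -> dict:
    """Return the cert-manager `Ready` condition of an object, or {} if absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return {}


def issuer_environment(issuer: dict) -> str:
    """Classify an ACME ClusterIssuer as production, staging or unknown.
    Staging certificates chain to an untrusted root, so browsers reject them."""
    server = issuer.get("spec", {}).get("acme", {}).get("server", "")
    return {PRODUCTION_ACME: "production", STAGING_ACME: "staging"}.get(server, "unknown")


def assess_certificate(cert: dict, now_iso: str) -> dict:
    """Summarise whether the Certificate is usable and how many days it has left.
    `now_iso` is an RFC 3339 timestamp such as kubectl prints (e.g. 2024-05-02T00:00:00Z)."""
    cond = ready_condition(cert)
    result = {"ready": cond.get("status") == "True",
              "reason": cond.get("reason", ""), "message": cond.get("message", ""),
              "secret": cert.get("spec", {}).get("secretName", ""), "days_left": None}
    not_after = cert.get("status", {}).get("notAfter")  # set only once issued
    if not_after:
        expiry = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
        result["days_left"] = (expiry - now).days
    return result


# Constructed samples in the shape `kubectl get ... -o json` returns for these objects.
SAMPLE_ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "elma365-certificate"},
                 "spec": {"acme": {"server": STAGING_ACME}}}
SAMPLE_CERT_OK = {"kind": "Certificate",
                  "metadata": {"name": "elma365-tls-certificate", "namespace": "elma365"},
                  "spec": {"secretName": "elma365-onpremise-tls"},
                  "status": {"notAfter": "2024-06-01T00:00:00Z",
                             "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}]}}
SAMPLE_CERT_FAIL = {"kind": "Certificate", "spec": {"secretName": "elma365-onpremise-tls"},
                    "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Failed",
                                               "message": "constructed: HTTP-01 challenge not reachable"}]}}

if __name__ == "__main__":
    print("issuer:", issuer_environment(SAMPLE_ISSUER))                        # staging
    print("ok:", assess_certificate(SAMPLE_CERT_OK, "2024-05-02T00:00:00Z"))    # ready, 30 days left
    print("bad:", assess_certificate(SAMPLE_CERT_FAIL, "2024-05-02T00:00:00Z")) # not ready, Failed
```

A "staging" result with a Ready certificate means the chain is valid but untrusted by browsers, so the ClusterIssuer must be switched back to the production server before the secret is used by BRIX.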