Examples - Use ACME clients with Certificate Manager

This article describes how to use Certbot and Kubernetes cert-manager as ACME clients with Smart ID Certificate Manager (CM). 

Examples using Certbot

Example values

Replace the following example values with the values for your own setup:

| Parameter | Example value | Description |
| --- | --- | --- |
| --server | https://host.example.com/pgwy/acme/directory | This URL points to the Protocol Gateway installation that should act as ACME server. |
| --email | ca-admin@example.com | Change to a valid email address for your organisation. |
| --eab-kid | keyID: "1" | The pre-registration keyid described in Example: ACME configuration in Protocol Gateway. |
| --eab-hmac-key | lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk | The pre-registration hmac-key described in Example: ACME configuration in Protocol Gateway. |

Example using certbot client without pre-registration

This is an example of using the certbot client to issue a single certificate from Protocol Gateway and CM.

Example using certbot

CODE
certbot certonly \
--agree-tos \
--email ca-admin@example.com \
--domain example.com \
--server https://host.example.com/pgwy/acme/directory
Example using certbot client with pre-registration

This is an example of using the certbot client with a pre-registration key (--eab-kid and --eab-hmac-key) to issue a single certificate from Protocol Gateway and CM.

Example using certbot

CODE
certbot certonly \
     --agree-tos \
     --email ca-admin@example.com \
     --domain example.com \
     --server https://host.example.com/pgwy/acme/directory \
     --eab-kid certbot-kid-1 \
     --eab-hmac-key lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk

Example using Kubernetes.io and Cert-manager.io 

This example is based on the documentation here: https://cert-manager.io/docs/configuration/acme/ 

The CM installation and the Kubernetes cluster need network connectivity to each other, and an Ingress handler must be installed on the Kubernetes cluster. This example uses traefik. This connectivity is needed for the ACME HTTP01 solver. If no such network connection is possible but the CM installation can reach the DNS server, you can use the DNS01 solver instead; see https://cert-manager.io/docs/configuration/acme/dns01/ for more information.

Prerequisites

The following prerequisites apply for this example:

Example: ACME configuration in Protocol Gateway

Example values

Replace the following example values with the values for your own setup:

| Parameter | Example value | Description |
| --- | --- | --- |
| server | https://host.example.com/pgwy/acme/directory | This URL points to the Protocol Gateway installation that should act as ACME server. |
| email | ca-admin@example.com | Change to a valid email address for your organisation. |
| name | test-demo-cm.example.com | Example DNS name that a certificate shall be issued to. |
| keyID | keyID: "1" | The pre-registration keyid described in Example: ACME configuration in Protocol Gateway. |
| secret | lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk | The pre-registration hmac-key described in Example: ACME configuration in Protocol Gateway. |

Create connection to Certificate Manager by creating a ClusterIssuer with pre-registration

Before certificates can be created with cert-manager, there must be a connection between cert-manager and CM. To set up the connection, a ClusterIssuer must be created. In this example, a ClusterIssuer is set up with a pre-registration key and HTTP solver based on: https://cert-manager.io/docs/configuration/acme/. Setting up the ClusterIssuer is a system administrator task; this example does it in the cert-manager namespace and uses another namespace for the "user" certificates in later steps.

To set up connection between cert-manager and Smart ID Certificate Manager:

  1. Change to the namespace that cert-manager is installed in.

    Change default namespace

    CODE
    kubectl config set-context --current --namespace=cert-manager
  2. In Kubernetes, all sensitive information should be stored in secrets. This example creates a secret with the pre-registration key.

    Create secret with pre-registration key

    CODE
    kubectl create secret generic demo-cm-id1 --from-literal secret=lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk
  3. Create a file called clusterissuer.yaml with the following information. Change the keyID "1" in lines 11, 14, and 16 to your local keyID, and the secret in line 14 to the secret created in the step above. The secret in line 16 needs to be a unique secret per ClusterIssuer. Change the URL to Protocol Gateway in line 17, and the ingress class in line 22. The skipTLSVerify: true on line 18 is required if your CM Protocol Gateway installation is not running with a certificate trusted by cert-manager (i.e. a public certificate).

    clusterissuer.yaml

    YAML
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: demo-cm-id1
      namespace: cert-manager
    spec:
      acme:
        email: ca-admin@example.com
        externalAccountBinding:
          keyAlgorithm: HS256
          keyID: "1"
          keySecretRef:
            key: secret
            name: demo-cm-id1
        privateKeySecretRef:
          name: demo-cm-id1-private-key
        server: https://host.example.com/pgwy/acme/directory
        skipTLSVerify: true
        solvers:
        - http01:
            ingress:
              class: traefik 
  4. Create the ClusterIssuer by running the command: 

    Create ClusterIssuer

    CODE
    kubectl create -f clusterissuer.yaml
  5. To show the details on the ClusterIssuer run this command:

    Example: Show information

    CODE
    kubectl describe clusterissuer demo-cm-id1

    Sample output is shown below. The important part is the status type at the end, showing that it is Ready, i.e. working.

    Example output

    CODE
    Name:         demo-cm-id1
    Namespace:
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         ClusterIssuer
    Metadata:
      Creation Timestamp:  2020-09-08T09:02:26Z
      Generation:          1
      Resource Version:    24444944
      Self Link:           /apis/cert-manager.io/v1/clusterissuers/demo-cm-id1
      UID:                 554262b6-7678-4960-9e2b-5acf7923eecc
    Spec:
      Acme:
        Email:  ca-admin@example.com
        External Account Binding:
          Key Algorithm:  HS256
          Key ID:         1
          Key Secret Ref:
            Key:          secret
            Name:         demo-cm-id1
        Preferred Chain:
        Private Key Secret Ref:
          Name:           demo-cm-private-key
        Server:           https://host.example.com/pgwy/acme/directory
        Skip TLS Verify:  true
        Solvers:
          http01:
            Ingress:
              Class:  traefik
    Status:
      Acme:
        Last Registered Email:  ca-admin@example.com
        Uri:                    https://host.example.com/pgwy/acme/directory/account/6RqONO6qnQXsLnyDjVcuTA
      Conditions:
        Last Transition Time:  2020-09-08T09:02:30Z
        Message:               The ACME account was registered with the ACME server
        Reason:                ACMEAccountRegistered
        Status:                True
        Type:                  Ready
    Events:                    <none>
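
The pre-registration values used above (--eab-kid and --eab-hmac-key for certbot, keyID and keySecretRef in the ClusterIssuer) are the inputs to ACME external account binding (RFC 8555, section 7.3.4): the client MACs its account public key with the hmac-key, so anyone holding that key can bind a new ACME account to the keyID. The following Python sketch is an added example, not code from certbot, cert-manager or Certificate Manager, showing the binding being built and a server-side check. The newAccount URL and the account JWK are placeholders assumed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Example values from this page (keyID and pre-registration hmac-key).
EAB_KID = "1"
EAB_HMAC_KEY = "lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk"
# Placeholder: a client reads the real newAccount URL from the directory document.
NEW_ACCOUNT_URL = "https://host.example.com/pgwy/acme/NEW-ACCOUNT-URL-PLACEHOLDER"
# Sample public half of an ACME account key (P-256 JWK), for illustration only.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url by restoring the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(hmac_key_b64: str, protected: str, payload: str) -> bytes:
    """HS256 over "protected.payload"; the key is the decoded hmac-key."""
    key = b64url_decode(hmac_key_b64)
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, url: str) -> dict:
    """Client side: the externalAccountBinding member of a newAccount request."""
    header = {"alg": "HS256", "kid": kid, "url": url}
    protected = b64url_encode(json.dumps(header).encode("utf-8"))
    payload = b64url_encode(json.dumps(account_jwk, sort_keys=True).encode("utf-8"))
    signature = b64url_encode(_mac(hmac_key_b64, protected, payload))
    return {"protected": protected, "payload": payload, "signature": signature}


def verify_eab(eab: dict, key_store: dict, outer_jwk: dict, url: str):
    """Server side: return the bound keyID, or None when the binding is rejected."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        given = b64url_decode(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return None
    # RFC 8555: MAC algorithm, no nonce, url equal to the outer request's url.
    if not isinstance(header, dict) or "nonce" in header:
        return None
    if header.get("alg") != "HS256" or header.get("url") != url:
        return None
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in key_store:
        return None
    expected = _mac(key_store[kid], eab["protected"], eab["payload"])
    if not hmac.compare_digest(expected, given):
        return None
    # The MAC covers the account key, so the binding cannot be moved to another key.
    return kid if bound_jwk == outer_jwk else None


if __name__ == "__main__":
    store = {EAB_KID: EAB_HMAC_KEY}  # what the CA holds for this pre-registration
    eab = build_eab(EAB_KID, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("accepted for keyID:", verify_eab(eab, store, ACCOUNT_JWK, NEW_ACCOUNT_URL))
```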
    
Issue a certificate

The next step is to issue a certificate which can be used inside Kubernetes. This example is based on: https://cert-manager.io/docs/usage/certificate/

  1. Create a new namespace in the Kubernetes cluster and make it the default namespace.

    Example: Create new namespace

    CODE
    kubectl create namespace demo
    kubectl config set-context --current --namespace=demo
  2. Create a file called certificate.yaml with the following information. Change dnsNames (line 7) and the ClusterIssuer name (line 11) to your local values.

    Example: certificate.yaml

    CODE
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-demo-cm
    spec:
      dnsNames:
      - test-demo-cm.demo.com
      issuerRef:
        group: cert-manager.io
        kind: ClusterIssuer
        name: demo-cm-id1
      secretName: test-demo-cm
  3. Create the certificate object:

    Example: Create certificate

    CODE
    kubectl create -f certificate.yaml

     

  4. When the certificate object is created, you can check the status by running the following command.
    The sample below is from 12 seconds after the certificate object is created, and the certificate is not yet valid (line 29-30). 

    Example: Check status of certificate (non-ready)

    CODE
    kubectl describe certificate.cert-manager.io/test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:11Z
      Generation:          1
      Resource Version:    24662332
      Self Link:           /apis/cert-manager.io/v1/namespaces/mikan-cm/certificates/test-demo-cm
      UID:                 4c48b373-9f58-4015-b046-18ee74dd4191
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       demo-cm
      Secret Name:  test-demo-cm
    Status:
      Conditions:
        Last Transition Time:        2020-09-09T07:43:11Z
        Message:                     Certificate expired on Wed, 09 Sep 2020 05:47:14 UTC
        Reason:                      Expired
        Status:                      False
        Type:                        Ready
        Last Transition Time:        2020-09-09T07:43:12Z
        Message:                     Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
        Reason:                      Renewing
        Status:                      True
        Type:                        Issuing
      Next Private Key Secret Name:  test-demo-cm-p5t8b
      Not After:                     2020-09-09T05:47:14Z
      Not Before:                    2020-09-09T05:37:14Z
      Renewal Time:                  2020-09-09T05:43:54Z
    Events:
      Type    Reason     Age   From          Message
      ----    ------     ----  ----          -------
      Normal  Issuing    12s   cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
      Normal  Reused     12s   cert-manager  Reusing private key stored in existing Secret resource "test-demo-cm"
      Normal  Requested  12s   cert-manager  Created new CertificateRequest resource "test-demo-cm-4qxvv"
  5. You can now follow the ACME protocol flow by running the describe command on multiple cert-manager objects. See a sample flow below.
    For more information, see https://cert-manager.io/docs/concepts/acme-orders-challenges/

    Example: Cert-manager ACME flow

    CODE
    $ kubectl describe certificaterequest test-demo-cm-4qxvv
    Name:         test-demo-cm-4qxvv
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  cert-manager.io/v1
    Kind:         CertificateRequest
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generate Name:       test-demo-cm-
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  Certificate
        Name:                  test-demo-cm
        UID:                   4c48b373-9f58-4015-b046-18ee74dd4191
      Resource Version:        24662343
      Self Link:               /apis/cert-manager.io/v1/namespaces/demo/certificaterequests/test-demo-cm-4qxvv
      UID:                     db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
    Spec:
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3BqQ0NBWTRDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwrQQp3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0aG9BR29oTnpzM3h4ClNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGR2Mmp2MEU0Ky9OL3IKMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTC9FSlF4bUQvTnF3cwpQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwY0NiSTBXZ2czRXZ2Cm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQ0bVh6WDY4S1VWNVoKR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFCaE1GOEdDU3FHU0liM0RRRUpEakZTTUZBd05nWURWUjBSQkM4dwpMWUlyZEdWemRDMWtaVzF2TFdOdE1UTTNMbTFwYTJGdUxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFMCkJnTlZIUThFQkFNQ0JhQXdDUVlEVlIwbEJBSXdBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHgybWdJTjQKUkM2V2VpVmpMSWluN2xZR2Y1QVM0SndGT2VhNHB3ZVNFMndQaWptNUNMMWdsYnpHbUhSVmE1cW12bmVodEFubApOUzZWNi9ReHVMdGxPTXptdFJENElYSFA0SWpDRVpFdm1WeVpydGZzL1BiQXFSaXo1bU9xOFIraDFMTWpSZmp2CjRoTUxjRC9xdWE5dm5JUHNtZjZ5blpHL1Q0RHcxZzd1UGcya2lrWDhZeE5zTEF2c3JSQ0xLcjZYRXNwOUY3eE4KZy9BSGk5ZG5pdVRoVG9OUXJUeHRldE96WnE2eTV1MU44VG5pMFhyL2hmRFNkSXlNMFpqNjJXUDFpNyt3ek0vRQpFazEzdy9yMEZZU21zYnBPSlVGekFFYUVKalFGRVc4OUR1Y29LVmlHMVB4K25iUWp1M1hYWGZMQ3g5M0xtOXFNCkZSQk1uclMzN0ZMeUZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:43:12Z
        Message:               Waiting on certificate issuance from order demo/test-demo-cm-4qxvv-1625194031: "pending"
        Reason:                Pending
        Status:                False
        Type:                  Ready
    Events:
      Type    Reason        Age   From          Message
      ----    ------        ----  ----          -------
      Normal  OrderCreated  22s   cert-manager  Created Order resource demo/test-demo-cm-4qxvv-1625194031
    $ kubectl describe order test-demo-cm-4qxvv-1625194031
    Name:         test-demo-cm-4qxvv-1625194031
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  acme.cert-manager.io/v1
    Kind:         Order
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  CertificateRequest
        Name:                  test-demo-cm-4qxvv
        UID:                   db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
      Resource Version:        24662344
      Self Link:               /apis/acme.cert-manager.io/v1/namespaces/demo/orders/test-demo-cm-4qxvv-1625194031
      UID:                     c569526a-37ff-4ccc-a18b-8f5dcba5f2ef
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3BqQ0NBWTRDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwrQQp3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0aG9BR29oTnpzM3h4ClNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGR2Mmp2MEU0Ky9OL3IKMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTC9FSlF4bUQvTnF3cwpQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwY0NiSTBXZ2czRXZ2Cm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQ0bVh6WDY4S1VWNVoKR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFCaE1GOEdDU3FHU0liM0RRRUpEakZTTUZBd05nWURWUjBSQkM4dwpMWUlyZEdWemRDMWtaVzF2TFdOdE1UTTNMbTFwYTJGdUxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFMCkJnTlZIUThFQkFNQ0JhQXdDUVlEVlIwbEJBSXdBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHgybWdJTjQKUkM2V2VpVmpMSWluN2xZR2Y1QVM0SndGT2VhNHB3ZVNFMndQaWptNUNMMWdsYnpHbUhSVmE1cW12bmVodEFubApOUzZWNi9ReHVMdGxPTXptdFJENElYSFA0SWpDRVpFdm1WeVpydGZzL1BiQXFSaXo1bU9xOFIraDFMTWpSZmp2CjRoTUxjRC9xdWE5dm5JUHNtZjZ5blpHL1Q0RHcxZzd1UGcya2lrWDhZeE5zTEF2c3JSQ0xLcjZYRXNwOUY3eE4KZy9BSGk5ZG5pdVRoVG9OUXJUeHRldE96WnE2eTV1MU44VG5pMFhyL2hmRFNkSXlNMFpqNjJXUDFpNyt3ek0vRQpFazEzdy9yMEZZU21zYnBPSlVGekFFYUVKalFGRVc4OUR1Y29LVmlHMVB4K25iUWp1M1hYWGZMQ3g5M0xtOXFNCkZSQk1uclMzN0ZMeUZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    Status:
      Authorizations:
        Challenges:
          Token:        AAbLo32puww081z5oKhzxg
          Type:         dns-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/dns-01
          Token:        AAbLo32puww081z5oKhzxg
          Type:         http-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/http-01
        Identifier:     test-demo-cm.demo.com
        Initial State:  pending
        URL:            https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ
        Wildcard:       false
      Finalize URL:     https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/finalize
      State:            pending
      URL:              https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg
    Events:
      Type    Reason   Age   From          Message
      ----    ------   ----  ----          -------
      Normal  Created  53s   cert-manager  Created Challenge resource "test-demo-cm-4qxvv-1625194031-543829935" for domain "test-demo-cm.demo.com"
    $ kubectl describe order test-demo-cm-4qxvv-1625194031
    Name:         test-demo-cm-4qxvv-1625194031
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  acme.cert-manager.io/v1
    Kind:         Order
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  CertificateRequest
        Name:                  test-demo-cm-4qxvv
        UID:                   db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
      Resource Version:        24662551
      Self Link:               /apis/acme.cert-manager.io/v1/namespaces/demo/orders/test-demo-cm-4qxvv-1625194031
      UID:                     c569526a-37ff-4ccc-a18b-8f5dcba5f2ef
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3BqQ0NBWTRDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwrQQp3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0aG9BR29oTnpzM3h4ClNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGR2Mmp2MEU0Ky9OL3IKMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTC9FSlF4bUQvTnF3cwpQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwY0NiSTBXZ2czRXZ2Cm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQ0bVh6WDY4S1VWNVoKR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFCaE1GOEdDU3FHU0liM0RRRUpEakZTTUZBd05nWURWUjBSQkM4dwpMWUlyZEdWemRDMWtaVzF2TFdOdE1UTTNMbTFwYTJGdUxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFMCkJnTlZIUThFQkFNQ0JhQXdDUVlEVlIwbEJBSXdBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHgybWdJTjQKUkM2V2VpVmpMSWluN2xZR2Y1QVM0SndGT2VhNHB3ZVNFMndQaWptNUNMMWdsYnpHbUhSVmE1cW12bmVodEFubApOUzZWNi9ReHVMdGxPTXptdFJENElYSFA0SWpDRVpFdm1WeVpydGZzL1BiQXFSaXo1bU9xOFIraDFMTWpSZmp2CjRoTUxjRC9xdWE5dm5JUHNtZjZ5blpHL1Q0RHcxZzd1UGcya2lrWDhZeE5zTEF2c3JSQ0xLcjZYRXNwOUY3eE4KZy9BSGk5ZG5pdVRoVG9OUXJUeHRldE96WnE2eTV1MU44VG5pMFhyL2hmRFNkSXlNMFpqNjJXUDFpNyt3ek0vRQpFazEzdy9yMEZZU21zYnBPSlVGekFFYUVKalFGRVc4OUR1Y29LVmlHMVB4K25iUWp1M1hYWGZMQ3g5M0xtOXFNCkZSQk1uclMzN0ZMeUZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    Status:
      Authorizations:
        Challenges:
          Token:        AAbLo32puww081z5oKhzxg
          Type:         dns-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/dns-01
          Token:        AAbLo32puww081z5oKhzxg
          Type:         http-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/http-01
        Identifier:     test-demo-cm.demo.com
        Initial State:  pending
        URL:            https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ
        Wildcard:       false
      Certificate:      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpRENDQW5DZ0F3SUJBZ0lRUUF4ZDNneXBGVWZQZElZU0RDeFhFREFOQmdrcWhraUc5dzBCQVFzRkFEQk8KTVFzd0NRWURWUVFHRXdKVFJ6RWRNQnNHQTFVRUNoTVVUbVY0ZFhNZ1ZHVnpkQ0JUWlhSMWNDQTRMakl4SURBZQpCZ05WQkFNVEYwNWxlSFZ6SUZSbGMzUWdVMlYwZFhBZ09DNHlJRU5CTUI0WERUSXdNRGt3T1RBM05EUXhObG9YCkRUSXdNRGt3T1RBM05UUXhObG93TmpFME1ESUdBMVVFQXhNcmRHVnpkQzFrWlcxdkxXTnRNVE0zTG0xcGEyRnUKTFdOdExtMXpaR1YyTG1GNkxtNTRjMkZ6TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQwpBUW9DZ2dFQkFMK0F3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0CmhvQUdvaE56czN4eFNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGQKdjJqdjBFNCsvTi9yMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTAovRUpReG1EL05xd3NQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwCmNDYkkwV2dnM0V2dm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQKNG1Yelg2OEtVVjVaR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFONk1IZ3dDUVlEVlIwbEJBSXdBREFSQmdOVgpIUTRFQ2dRSVN6Z21uMzVuV244d05nWURWUjBSQkM4d0xZSXJkR1Z6ZEMxa1pXMXZMV050TVRNM0xtMXBhMkZ1CkxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFUQmdOVkhTTUVEREFLZ0FoTUxnRkpBRzM0ZVRBTEJnTlYKSFE4RUJBTUNCYUF3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUF6Z1N4b0wwakJQSWR4OHhVUjVVUThRZlY1ZApSRVBGcWt1NlYrZzgyamdmb3UrNVFjbVFEWkljenA3WjM2ak1oTzJSYlliSUdGUll3c3RsNTRIa003TVE0d1ZnCmhjSDRrTDNQWGF0TG1OSzV4elY0TGtIb05TVys1Wk44T2JWNnVTSkhnd2lrWktrNXZyVzVVeW5aYkxXSWZDQ0YKTENLcm5wVUZzK09PR0kxNGFSYlpzZVdBb0M0WVhvMGlNcDZsYlA2bDNOR0dkUHQ2KytERnN3MjRZZmE1NDlzVgpZWXViZDJDTnNHTy94ckdkN1JKU3VZdTJ2UVJRdGw3TzBnL05hZHJjZEZjOVRyUkxWdVJiTGx0dGFFTm4zeSsxCkg1TEJCRGlMQkxJbUhpZmp4SmlCTnJJdVRUVTRkNW5ZcTlHM0RpeXY0Wnd4eHY0NmpQSjZoWUVyYnhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlEWERDQ0FrU2dBd0lCQWdJUVZiamlkckhLM3B0MjdpVVhoYmpiampBTkJna3Foa2lHOXcwQkFRc0ZBREJPCk1Rc3dDUVlEVlFRR0V3SlRSekVkTUJzR0ExVUVDaE1VVG1WNGRYTWdWR1Z6ZENCVFpYUjFjQ0E0TGpJeElEQWUKQmdOVkJBTVRGMDVsZUhWeklGUmxjM1FnVTJWMGRYQWdPQzR5SUVO
Qk1CNFhEVEl3TURReU56QTVORGN3TkZvWApEVE13TURReU56QTVORGN3TkZvd1RqRUxNQWtHQTFVRUJoTUNVMGN4SFRBYkJnTlZCQW9URkU1bGVIVnpJRlJsCmMzUWdVMlYwZFhBZ09DNHlNU0F3SGdZRFZRUURFeGRPWlhoMWN5QlVaWE4wSUZObGRIVndJRGd1TWlCRFFUQ0MKQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLQmhGMHdCTHpLMjJ1dlZGS3k2UzBJbQpUNEliQWk0NE9iOVVMZG9EanV5cExrUURMcjlON001U2pzVDZ2eTNmb1RYb21sMFY1Wis5OE9mbTJzVUE2d2dqCnFiQWptRUg3OVorSFpyWUdpQ1daZkxwSGJJQWdsaGdGQ3dTTUNma3pTMnRxOHRNeVYvZFNIK1I5aGJJdUFSSmEKcllybEhwNm9heldvRzkxN1RuL0oxUFBzdUoyZ0d1eEt5VWhWcEdEc3E2V1NvNTBYZUlXRHNxZ1NxRHI1SzFabwpZekIyYkp3MUttK2VibllURi9kYXBLa2ZtV3lEOHBqV1ZMbzU0YjJVMEpWa1BLRUtBcU1qTFZFcUdycldHYTFjCkttN0VqcnFlT1JKbm9UZjNaSG50S21zMXJCVUFXVkp6NnhwRW5oNDBteTJ3amw4a3czRW5pRW41WVBIV3gwRUMKQXdFQUFhTTJNRFF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFSQmdOVkhRNEVDZ1FJVEM0QlNRQnQrSGt3RGdZRApWUjBQQVFIL0JBUURBZ0VHTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDYjRBSTVMbFlLbyswTC81RU1DeTd5CjJKa0hKRzVDSUV4bWErakEwN3ZydjkySXYwQUFBejVQZTBUcnhHQzNTWFdsK1lJZmNJbGlEZExJNEZZaXRNWlUKemhiQ0Jwdys2MXpLenVHdmwycTZWMjd6SjNuZDRWenpKajhGN2NpUWprbU5XeG42bG1VSVVITkxYNGNUVmZSMApyNmdQa0pkeTJ2V2xFUVd2QlZxOEdveW82Mk1kdjBScXJSdlZxbkJxRWl2clVWcytqMkl1MEtHY2tPSmNPL0QxCjRPNHlvTUxCTTR5LzBkY0dlU2xGQk5EbmpUU3g3OTkwZHhqNEh6UGZtRTBvYXROQiszVVRER2lOSUsya0lCOHIKYjJid1NMektiYmFTaktkcGhWV2N1ZnBCanM3MGFXSk5Kd0x4MlZOVnRqWVVHMU9TRHBsTW5kbVNXNndaaThLMgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
      Finalize URL:     https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/finalize
      State:            valid
      URL:              https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg
    Events:
      Type    Reason    Age   From          Message
      ----    ------    ----  ----          -------
      Normal  Created   99s   cert-manager  Created Challenge resource "test-demo-cm-4qxvv-1625194031-543829935" for domain "test-demo-cm.demo.com"
      Normal  Complete  35s   cert-manager  Order completed successfully
  6. After around a minute, the certificate should be ready. Most of the time is spent on the Kubernetes side, setting up the HTTP01 solver. In the sample output, look for the following information:
    Status: True and Type: Ready (lines 28-29) indicate that the certificate is ready.
    In Events, you can see that the certificate has been renewed after around 8 minutes.

    Example: Check status of certificate (ready)

    CODE
    kubectl describe certificate.cert-manager.io/test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:11Z
      Generation:          1
      Resource Version:    24663796
      Self Link:           /apis/cert-manager.io/v1/namespaces/demo/certificates/test-demo-cm
      UID:                 4c48b373-9f58-4015-b046-18ee74dd4191
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       demo-cm
      Secret Name:  test-demo-cm
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:44:17Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2020-09-09T08:01:59Z
      Not Before:              2020-09-09T07:51:59Z
      Renewal Time:            2020-09-09T07:58:39Z
      Revision:                2
    Events:
      Type    Reason     Age                   From          Message
      ----    ------     ----                  ----          -------
      Normal  Issuing    9m36s                 cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
      Normal  Requested  9m36s                 cert-manager  Created new CertificateRequest resource "test-demo-cm-4qxvv"
      Normal  Reused     112s (x2 over 9m36s)  cert-manager  Reusing private key stored in existing Secret resource "test-demo-cm"
      Normal  Issuing    112s                  cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 07:50:56 +0000 UTC
      Normal  Requested  112s                  cert-manager  Created new CertificateRequest resource "test-demo-cm-k9zxc"
      Normal  Issuing    48s (x2 over 8m31s)   cert-manager  The certificate has been successfully issued
  7. You can also check the secret that contains the actual certificate by using: 

    Check secret

    CODE
    kubectl describe secret test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/alt-names: test-demo-cm.demo.com
                  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/common-name: test-demo-cm.demo.com
                  cert-manager.io/ip-sans:
                  cert-manager.io/issuer-group: cert-manager.io
                  cert-manager.io/issuer-kind: ClusterIssuer
                  cert-manager.io/issuer-name: demo-cm
                  cert-manager.io/uri-sans:

    Type:  kubernetes.io/tls

    Data
    ====
    tls.crt:  2509 bytes
    tls.key:  1675 bytes

CI/CD tool integration based on ACME clients

For continuous integration and continuous delivery tools (CI/CD tools) integration based on ACME clients, see the links for information:

Related information

