Skip to content

letsencrypt

This plugin sets up the necessary Kubernetes objects to connect cert_manager with Let's Encrypt. By default, this plugin works with LetsEncrypt's staging API to avoid issues with blacklisting. To use the production API (i.e. to get valid certificates), change the value of config.environment to prod.

Configuration

# defaults
commands:
  install:
    script:
      - ansible-playbook k8s_letsencrypt.yml
  uninstall:
    script:
      - ansible-playbook k8s_letsencrypt.yml
namespace: cloudstack
version: latest
config:
  environment: staging|prod (default: staging)
  environments:
    - name: staging
      server: https://acme-staging-v02.api.letsencrypt.org/directory
    - name: prod
      server: https://acme-v02.api.letsencrypt.org/directory
  issuers:
    dns01:
      enabled: false
      provider: letsencrypt
      solver: cloudflare
      zone: ""
    http01:
      enabled: true
      provider: letsencrypt
  mail: ""

Default environment changed in 1.30.0

With cloudstack 1.30.0, the default environment for LetsEncrypt changed from prod to staging to mitigate issues with rate limits. Stacks deployed from older versions of cloudstack need to adapt their Stackfile accordingly to match the legacy default behaviour:

plugins:
  letsencrypt:
    environment: true

Last update: August 24, 2022