Support for Lets Encrypt cert auto generation on AKS API Servers with private IP Addresses

Garsha Rostami 121

Is Cert Manager/Let's Encrypt certificate auto-generation supported on Application Gateway Ingress for AKS clusters whose API servers don’t have public IP addresses (e.g. API Server Vnet integration)? I haven’t been able to make it work. It works fine with clusters whose API servers have a public IP but not for clusters with private IPs. Even though the ingress controllers have public IP addresses, the ACME challenge (using HTTP01 validation) should work, but it looks like the challenge/response doesn't succeed and certs are not generated. I want to get a definite answer from the Azure Application Gateway Ingress team if leveraging Lets Encrypt auto-generated certs requires that the API server have a public IP address. Thanks!

ChaitanyaNaykodi-MSFT 26,961 Reputation points Microsoft Employee

2025-01-08T18:38:55.9033333+00:00

@Garsha Rostami

Thank you for reaching out.

I have reached out to the team internally regarding this issue and will make an update here as soon as I get a response. Thank you!
Garsha Rostami 121 Reputation points

2025-01-10T19:54:09.4766667+00:00

??? No one has responded yet?
Garsha Rostami 121 Reputation points

2025-01-10T19:54:57.71+00:00

What is the status of this? Thanks.
ChaitanyaNaykodi-MSFT 26,961 Reputation points Microsoft Employee

2025-01-13T22:50:09.2966667+00:00

@Garsha Rostami

Thank you for your patience here I am still discussing this issue with the team internally and will share an update as soon as I have additional details.

Meanwhile, a quick clarification question here

Can you please let us know if you are using Application Gateway Ingress Controller (AGIC) in this case?
OR you are using Application gateway for Containers (AGC)?

Using Application Gateway for Containers is the recommended service here.

References:

AGIC Approach: https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-letsencrypt-certificate-application-gateway

AGC Approach: https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/how-to-cert-manager-lets-encrypt-gateway-api?tabs=alb-managed

Thank you!

1 answer

Garsha Rostami 121 Reputation points

2025-01-17T00:57:47.7933333+00:00

I clearly stated Application Gateway Ingress. Nonetheless, I gave up on it and have switched to Application gateway for containers as I didn't get any help here. This may not be an option for other customers who may not have switched to Application gateway for containers so a bit disappointed in Azure support. You can close this ticket.
Please sign in to rate this answer.
ChaitanyaNaykodi-MSFT 26,961 Reputation points Microsoft Employee

2025-01-21T16:56:34.4966667+00:00

@Garsha Rostami

Thank you for getting back.

The product team recommends the customers to leverage Application Gateway for Containers (AGC) over AGIC, unless there is a specific feature in AGIC that is not yet available on AGC.

As per my communication with the team

From an AGC perspective, AGC can work with private cluster, however the customer should test/validate with cert-manager and Let's Encrypt. The issuance process with Let's Encrypt requires connectivity to their endpoints on the internet to issue the certificate. The cert-manager will work fine with the private cluster, provided DNS is configured properly.

I understand your question was pertaining to AGIC, but we currently do not have additional information around this and using AGC is the suggested approach here.

Thanks!

Chaitanya
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Support for Lets Encrypt cert auto generation on AKS API Servers with private IP Addresses

1 answer

Your answer