Use Let’s Encrypt to Automate HTTPS for Your Kubernetes Cluster on Raspberry Pi
Automatic certificate generation is one of the best ways to level up your cluster

Automatic certificate generation sounds too corporate and thus out of reach for the weekend warrior who hosts content on a Kubernetes cluster running on Raspberry Pis. Fortunately, automatic certificate generation is remarkably attainable thanks to Let’s Encrypt. Best of all, anyone who owns a domain name can use Let’s Encrypt to obtain a certificate at no cost.
This guide will use Let’s Encrypt to automatically provision certificates for Ingress resources such that your applications will be accessible over HTTPS from the internet.
Prerequisites
- A Raspberry Pi cluster.
- K3s running on the Raspberry Pi cluster.
- Traefik as a provider for Kubernetes Ingress.
- A domain name. You can create a domain at godaddy.com.
How Let’s Encrypt Works
Let’s Encrypt is a Certificate Authority (CA) that implements the ACME Protocol such that an HTTPS server can be configured without any human intervention. We will configure an HTTPS server for the domain https://cloud-tack.com, but you should replace this domain with yours at each step. More specifically, the HTTPS server in this guide is a Traefik Ingress Controller that runs as a container within K3s on Raspberry Pis.
There are two steps to certificate issuance. The first step is that an agent who intends to request a certificate must prove to the CA that it owns the domain for which the certificate will be issued. This process is called Domain Validation. Only once the agent proves this can it request, renew, and revoke the certificate. The agent in the context of this guide is a cert-manager application deployed within the cert-manager namespace (more on this in the following sections).
The agent initiates the process by asking the CA how it can prove ownership of the domain for which the certificate will be issued (e.g. cloud-tack.com). The CA responds with a set of challenges and the agent must complete one of the challenges in order to prove…
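To make the challenge step concrete, the following added example (not code from the original article or from cert-manager) computes what an ACME agent has to publish for the two common challenge types defined in RFC 8555, HTTP-01 and DNS-01. It goes beyond the text above, which does not name the challenge types. The account key, token and function names are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# Constructed sample values: not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ"}
SAMPLE_TOKEN = "constructed-token_0123456789"

# JWK members that enter the RFC 7638 thumbprint, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the agent's account public key (RFC 7638)."""
    # Only the required members, sorted, no whitespace; extras like "kid" are dropped.
    canonical = json.dumps({k: jwk[k] for k in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Bind the CA's token to the account key (RFC 8555 section 8.1)."""
    # The token becomes part of a URL path, so accept base64url characters only.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("challenge token contains non-base64url characters")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """(URL path, body) the CA fetches over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple:
    """(record name, TXT value) the CA looks up in DNS."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    print(http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_response("cloud-tack.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the response includes the thumbprint of the account key, a party that only observes the token cannot answer the challenge on behalf of a different ACME account.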