bg-tutorials

How to Install an ACME SSL Certificate in Kubernetes

Installing an ACME SSL certificate in Kubernetes is now a standardized and flexible process thanks to mature tooling like cert-manager and broad support from commercial CAs. Whether you’re running production workloads behind NGINX Ingress, Traefik, or another gateway, you can automate secure HTTPS with full control.

Install ACME SSL on Kubernetes

This guide will show you how to install an ACME SSL certificate in Kubernetes using cert-manager. We’ll cover installation, setting up an issuer with External Account Binding (EAB), and issuing certificates to protect your ingress services.


What You’ll Need

Before diving in, make sure:

  • You have a working Kubernetes cluster (v1.23+ recommended)
  • kubectl is configured and working
  • You have access to your ingress controller (e.g., NGINX, Traefik)
  • Your domain points to your ingress controller’s public IP
  • You have EAB credentials from your ACME-compatible CA:
    • ACME Directory URL (e.g. https://acme.example.com/v2/DV)
    • EAB Key Identifier (KID)
    • EAB HMAC Key

Note: https://acme.example.com/v2/DV is used throughout this guide as a placeholder ACME directory URL. Replace it with the real endpoint from your certificate authority.


Step 1 – Install cert-manager

cert-manager is the most widely used Kubernetes-native ACME client. It runs as a controller that manages certificate issuance and renewal.

Install via Helm (preferred for production):

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.14.4 \
  --set installCRDs=true

Wait a few seconds and confirm all pods are running:

kubectl get pods -n cert-manager

You should see three pods: cert-manager, cert-manager-webhook, and cert-manager-cainjector.


Step 2 – Create a Kubernetes Secret for EAB Credentials

Create a Kubernetes secret to store your EAB key securely:

kubectl create secret generic acme-eab-secret \
--namespace cert-manager \
--from-literal=eab-kid="YOUR_EAB_KID" \
--from-literal=eab-hmac-key="YOUR_EAB_HMAC_KEY"

Substitute with your actual credentials. Avoid copy-paste whitespace.


Step 3 – Define a ClusterIssuer or Issuer

Now, create a ClusterIssuer (for all namespaces) or Issuer (single namespace) resource that connects cert-manager to your ACME CA using the EAB credentials.

Here’s a sample ClusterIssuer YAML:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: acme-issuer
spec:
acme:
server: https://your.acme-server.com/v2/DV
email: [email protected]
privateKeySecretRef:
name: acme-private-key
externalAccountBinding:
keyID: YOUR_EAB_KID
keySecretRef:
name: acme-eab-secret
key: eab-hmac-key
solvers:
- http01:
ingress:
class: nginx

Apply it:

kubectl apply -f clusterissuer.yaml

Replace ingress.class: nginx with traefik, nginx-internal, or whatever your ingress class is. You can find this in your ingress controller documentation.


Step 4 – Create a Certificate Resource

Once your ClusterIssuer is ready, create a Certificate resource that tells cert-manager which domain to secure. Here’s an example:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-ssl-cert
namespace: default
spec:
secretName: my-ssl-cert-tls
  issuerRef:
name: acme-issuer
    kind: ClusterIssuer
  commonName: yourdomain.com
  dnsNames:
  - yourdomain.com
  - www.yourdomain.com

Apply it:

kubectl apply -f certificate.yaml

cert-manager will use the issuer, solve the challenge via ingress, and store the issued cert as a Kubernetes TLS secret.


Step 5 – Reference the Certificate in Your Ingress

Update your ingress rule to use the generated certificate:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
namespace: default
annotations:
cert-manager.io/cluster-issuer: acme-issuer
spec:
tls:
- hosts:
- yourdomain.com
- www.yourdomain.com
secretName: my-ssl-cert-tls
rules:
- host: yourdomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: your-service
port:
number: 80

Apply it:

kubectl apply -f ingress.yaml

Once cert-manager detects the annotation, it will start solving the ACME challenge and issue your cert.


Step 6 – Verify Certificate and Auto-Renewal

To verify everything worked:

kubectl describe certificate my-ssl-cert

Look for the Certificate issued successfully.

To check the renewal setup, run:

kubectl get certificaterequests

cert-manager handles renewal automatically ~30 days before expiration. You can simulate a renewal like this:

kubectl cert-manager renew my-ssl-cert


Common Questions

Setting up ACME SSL in Kubernetes can feel a bit abstract, especially when juggling ingress controllers, Secrets, and DNS records. Below, we answer some common questions developers face when installing ACME certificates in a Kubernetes environment, whether you’re using cert-manager or an alternative setup.

Can I use DNS-01 instead of HTTP-01?

Yes, cert-manager supports DNS validation with providers like Cloudflare, AWS, and Google Cloud DNS. Use it if you don’t expose port 80.

Is cert-manager production-ready?

Absolutely. It powers SSL for large Kubernetes clusters across enterprises and public clouds.

Can I use a wildcard certificate with ACME in Kubernetes?

Yes, but wildcard certificates require DNS-01 validation, which involves updating DNS records instead of using HTTP challenges. Confirm your DNS provider supports automation (via API), and configure the dns01 solver accordingly in your cert-manager setup.

Final Words

You now know how to install an ACME SSL certificate in Kubernetes using cert-manager and an ACME-compatible certificate authority. This setup is fully automated and scalable for modern Kubernetes environments. You get secure HTTPS, auto-renewal, and seamless integration with Ingress, all without leaving your cluster.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.