GitopsCentral

How to setup TLS certs in nginx ingress using certbot

Filed under: Kubernetes — shaik zillani @ 1:03 pm

Kubernetes TLS: Secure Your NGINX Ingress Using Certbot and Route 53 (The Easy Way)🔐

Setting up TLS/SSL certificates for your Kubernetes NGINX Ingress is a critical step for securing your web traffic. While the modern, “Kubernetes-native” approach involves using a tool like cert-manager, many administrators who manage legacy setups or prefer familiar tools like Certbot often wonder how to combine the two.

Here’s a step-by-step guide on how to use Certbot to obtain certificates and then integrate them with your NGINX Ingress Controller using a Kubernetes Secret.

While cert-manager is the Kubernetes standard for certificate automation, sometimes you need to use familiar tools like Certbot—especially when leveraging the DNS Challenge with your domain registered on AWS Route 53.

This guide demonstrates how to use Certbot to acquire a free, 90-day certificate from Let’s Encrypt and then securely provision it to your NGINX Ingress Controller for TLS termination. This approach uses the DNS challenge, making it ideal for securing wildcard domains and maintaining a strict, secure workflow.

Here are the three high-level steps to terminate TLS traffic at your NGINX Ingress using a certificate obtained from Route 53:

  1. Obtain the cert: run Certbot with the --dns-route53 plugin to validate domain ownership. (Kubernetes component involved: none, this is an external tool)
  2. Create the TLS Secret: package the certificate and private key into a Kubernetes Secret. (Kubernetes component involved: Secret)
  3. Configure the Ingress: point the NGINX Ingress resource at the new Secret so it can serve HTTPS traffic. (Kubernetes component involved: Ingress)

Pre-requisites

These are the pre-requisites you need to install:

  • python 3.x
  • certbot
  • certbot-dns-route53

You can install Certbot and its Route 53 plugin with pip; the procedure is the same on Mac, Windows and Linux:

pip install certbot
pip install certbot-dns-route53

Now, let’s create a new certificate.

Create certificate using certbot

certbot certonly -d foo.bar.com --dns-route53 --logs-dir letsencrypt/log/ --config-dir letsencrypt/config/ --work-dir letsencrypt/work/ -m shaikzillani@gmail.com --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory

Replace foo.bar.com with your domain and use your own email address in the command above. The --dns-route53 plugin picks up AWS credentials from the standard locations (the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables or ~/.aws/credentials), and those credentials need permission to change records in the hosted zone for your domain, because the DNS challenge works by creating a temporary TXT record there.

Install the certificate as secret on k8s

Certbot writes fullchain.pem and privkey.pem under the letsencrypt/config/ directory you passed as --config-dir. Change into the directory that holds those two files and run:

kubectl create secret tls foo.bar.com-tls --cert=./fullchain.pem --key=./privkey.pem -n test-namespace

Replace test-namespace with the namespace your Ingress lives in. Secrets are namespace-scoped, so an Ingress can only reference a TLS Secret in its own namespace.

Update helm chart deployment with TLS secret

    tls:
      - secretName: foo.bar.com-tls
        hosts:
          - foo.bar.com

If you now visit your website over HTTPS in your browser, the TLS connection should be established successfully. Since the certificate is valid for 90 days and nothing in this workflow renews it automatically, repeat the Certbot and kubectl steps before it expires.
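As an added example that is not part of the original post: the following Python script (standard library only) performs the checks a practitioner would want between step 1 and step 2, namely that fullchain.pem and privkey.pem are well-formed PEM and that the leaf certificate is currently valid and not already close to its 90-day expiry, and then emits the same kubernetes.io/tls Secret manifest that `kubectl create secret tls` creates, ready for `kubectl apply -f -`. The function names (build_tls_secret, cert_validity and so on) are my own, not Certbot's or the author's, and the sample certificate built at the bottom is a constructed, unsigned placeholder that only mimics the field layout of a real certificate.

```python
"""Validate a Certbot-issued cert/key pair and emit the kubernetes.io/tls Secret
manifest that `kubectl create secret tls` would produce (added example, stdlib only).
The DER walker relies on the fixed TBSCertificate field order from RFC 5280."""
import base64
import datetime
import json
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a SEQUENCE into its [(tag, value)] elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_asn1_time(tag, val):
    """UTCTime (0x17) or GeneralizedTime (0x18) -> timezone-aware UTC datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                                    # YYMMDDHHMMSSZ, RFC 5280 century rule
        yy = int(s[:2])
        s = "%d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:                                  # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)


def cert_validity(der_cert):
    """Return (notBefore, notAfter) of an X.509 certificate given as DER bytes."""
    _, cert, _ = der_tlv(der_cert)                     # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate ::= SEQUENCE
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields = fields[1:]
    validity = fields[3][1]                            # serial, signatureAlg, issuer, validity
    return tuple(parse_asn1_time(t, v) for t, v in der_children(validity))


def b64(text):
    return base64.b64encode(text.encode()).decode()


def utc(year, month, day):
    return datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)


def build_tls_secret(name, namespace, fullchain_pem, privkey_pem, now=None, min_days_left=0):
    """Sanity-check the PEM pair, then return the Secret manifest as a dict."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    certs = [d for label, d in pem_blocks(fullchain_pem) if label == "CERTIFICATE"]
    keys = [d for label, d in pem_blocks(privkey_pem) if label.endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("fullchain.pem holds no CERTIFICATE block")
    if len(keys) != 1:
        raise ValueError("privkey.pem must hold exactly one PRIVATE KEY block")
    not_before, not_after = cert_validity(certs[0])   # the leaf comes first in fullchain.pem
    if not (not_before <= now <= not_after):
        raise ValueError("leaf certificate is not valid at %s" % now.isoformat())
    if (not_after - now).days < min_days_left:
        raise ValueError("leaf certificate expires in under %d days" % min_days_left)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",                   # the type an Ingress tls block expects
        "data": {"tls.crt": b64(fullchain_pem), "tls.key": b64(privkey_pem)},
    }


# --- constructed sample input for the self-test; not a real certificate or key ---
def der(tag, body):
    """Minimal DER encoder, only used to build the sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert_pem(not_before, not_after):
    """Unsigned placeholder with the field layout of a real certificate."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))          # [0] version v3
                    + der(0x02, b"\x01")                   # serialNumber
                    + der(0x30, b"") + der(0x30, b"")      # signature alg, issuer (empty)
                    + der(0x30, der(0x17, not_before) + der(0x17, not_after)))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))   # + alg, signature
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        base64.b64encode(cert).decode())


SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":                             # usage: script.py fullchain.pem privkey.pem
    chain, key = (open(p).read() for p in sys.argv[1:3])
    print(json.dumps(build_tls_secret("foo.bar.com-tls", "test-namespace", chain, key,
                                      min_days_left=30), indent=2))
```

Point it at the fullchain.pem and privkey.pem Certbot wrote and pipe the output into `kubectl apply -f -`. Two design notes: the manifest carries the private key in plain base64, so it should go straight to the cluster rather than into a Git repository, and the script does not check that the key actually matches the certificate, a check that `kubectl create secret tls` performs when it loads the pair.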

© 2016–2025 GitOpsCentral | All Rights Reserved.