Configure ACME SSL Certificates in Kubernetes with SeFlowSSL CaaS (Sectigo ACME)
SeFlowSSL CaaS (Sectigo ACME) enables fully automated SSL/TLS certificate lifecycle management within Kubernetes environments. The recommended approach is to use an ACME client integrated with Kubernetes to automatically request, install, and renew certificates.
This guide provides an overview of the recommended methods and components for integrating SeFlowSSL CaaS with Kubernetes.
The Basics
- Certificates and private keys are typically stored as Kubernetes Secrets.
- SSL termination is usually handled by the Ingress Controller.
- Popular options include NGINX Ingress Controller and Traefik.
- In some deployments, SSL termination may occur outside the cluster through a Load Balancer.
Before proceeding, ensure that you have the EAB credentials provided by SeFlowSSL CaaS, which are required for authentication with the Sectigo certificate authority.
Choose an ACME Client for Kubernetes
The most widely used ACME client in Kubernetes environments is cert-manager, an open source solution designed specifically for certificate lifecycle automation.
Official documentation:
If you are using Traefik as your Ingress Controller, native ACME support is available:
https://doc.traefik.io/traefik/https/acme/
Configure cert-manager with SeFlowSSL CaaS
For Kubernetes environments, cert-manager is the recommended solution for managing certificates issued through SeFlowSSL CaaS.
The complete configuration tutorial is available in the official documentation:
Configure cert-manager and ACME with Kubernetes
The guide covers:
- cert-manager installation.
- Issuer and ClusterIssuer configuration.
- EAB credential configuration.
- Automated certificate issuance.
- Automatic certificate renewal.
- Kubernetes Ingress integration.
Best Practices
- Use a centralized ClusterIssuer for multi-namespace environments.
- Store EAB credentials securely using Kubernetes Secrets.
- Monitor cert-manager events.
- Regularly verify automatic renewals.
- Restrict access to Secrets containing private keys.
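The manifests below are an added example, not taken from the SeFlowSSL or cert-manager documentation. They sketch a cluster-wide ClusterIssuer that reads the EAB HMAC key from a Secret, and a Role that limits read access to one issued TLS Secret. All resource names, the namespaces, the nginx ingress class and every <PLACEHOLDER> value are assumptions to replace with your own.

```yaml
# Added example: names, namespaces and <PLACEHOLDER> values are assumptions.
# Create the EAB HMAC key Secret out of band so it never lands in Git, e.g.:
#   kubectl -n cert-manager create secret generic seflowssl-eab \
#     --from-literal=hmac-key=<EAB_HMAC_KEY>
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: seflowssl-caas                 # hypothetical issuer name
spec:
  acme:
    server: <SEFLOWSSL_ACME_DIRECTORY_URL>  # supplied with your EAB credentials
    email: <CONTACT_EMAIL>
    externalAccountBinding:
      keyID: <EAB_KEY_ID>
      keySecretRef:
        name: seflowssl-eab            # looked up in cert-manager's own namespace
        key: hmac-key
    privateKeySecretRef:
      name: seflowssl-account-key      # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx    # assumption: NGINX Ingress Controller
---
# Grant "get" on one named TLS Secret only, instead of all Secrets in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-web-tls                   # hypothetical
  namespace: web                       # hypothetical application namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["web-tls"]         # Secret named in the Certificate's secretName
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-web-tls
  namespace: web
subjects:
  - kind: ServiceAccount
    name: tls-reader                   # hypothetical workload identity
    namespace: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-web-tls
```

Because a ClusterIssuer resolves its Secret references in cert-manager's cluster resource namespace (cert-manager by default), access to Secrets in that namespace should be limited to cluster administrators and the cert-manager service account.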
Troubleshooting
If certificate validation or issuance fails:
- Verify domain reachability.
- Check Ingress configuration.
- Verify EAB credentials.
- Review Kubernetes events using kubectl.
- Inspect cert-manager logs.
Need Help?
For assistance with Kubernetes and SeFlowSSL CaaS deployments, contact the SeFlow support team:
