From 66433ff0b173caafd1640a26255717e5dca9c1d3 Mon Sep 17 00:00:00 2001
From: Roger Oriol
Date: Tue, 23 Jun 2026 11:46:38 +0200
Subject: [PATCH] fix tls: use letsencrypt-prod cluster-issuer for jellyfin/n8n/qbittorrent/myorg/phoenix/fava

The ingresses referenced a Cloudflare OriginIssuer 'prod-issuer' whose CRD and controller are not installed in the cluster, so cert-manager could not issue certs and Traefik served a default cert (invalid SSL). Switch to the existing letsencrypt-prod ClusterIssuer with specific hostnames + per-app secrets, matching the working ingresses (http-01 cannot issue wildcards).
---
 fava/ingress.yaml | 4 +---
 jellyfin/ingress.yaml | 8 +++-----
 myorg-assistant/ingress.yaml | 8 +++-----
 n8n/ingress.yaml | 8 +++-----
 phoenix/ingress.yaml | 8 +++-----
 qbittorrent/ingress.yaml | 8 +++-----
 6 files changed, 16 insertions(+), 28 deletions(-)

diff --git a/fava/ingress.yaml b/fava/ingress.yaml
index b5f498b..9afc57c 100644
--- a/fava/ingress.yaml
+++ b/fava/ingress.yaml
@@ -7,9 +7,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/redirect-entry-point: https
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
diff --git a/jellyfin/ingress.yaml b/jellyfin/ingress.yaml
index 7c501ac..7f1da3e 100644
--- a/jellyfin/ingress.yaml
+++ b/jellyfin/ingress.yaml
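Review bot: The fava `tls:` block is cut off right after `- hosts:`, so this hunk does not show whether fava/ingress.yaml still carries the wildcard `*.rogi.casa` / `secretName: rogicasa-tls` pair that the other five files replace, and the diffstat (1 insertion, 3 deletions) indicates nothing below the annotation lines was touched. The commit message itself notes that http-01 cannot issue wildcards, so if the wildcard entry is still there the new `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation alone would leave fava on Traefik's default certificate. Worth confirming that the hosts entry already names the single fava hostname used under `rules[].host` together with a dedicated secret (e.g. `fava-tls`, following the `<app>-tls` pattern used in the other hunks). The rest of the Ingress spec is outside this hunk.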
@@ -7,14 +7,12 @@ metadata:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
-        - "*.rogi.casa"
-      secretName: rogicasa-tls
+        - jellyfin.rogi.casa
+      secretName: jellyfin-tls
   rules:
     - host: jellyfin.rogi.casa
       http:
diff --git a/myorg-assistant/ingress.yaml b/myorg-assistant/ingress.yaml
index f51b52a..52106b8 100644
--- a/myorg-assistant/ingress.yaml
+++ b/myorg-assistant/ingress.yaml
@@ -10,14 +10,12 @@ metadata:
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     # Optional: enable compression
     traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
-        - "*.rogi.casa"
-      secretName: rogicasa-tls
+        - myorg.rogi.casa
+      secretName: myorg-tls
   rules:
     - host: myorg.rogi.casa
       http:
diff --git a/n8n/ingress.yaml b/n8n/ingress.yaml
index a8afdc1..1509af8 100644
--- a/n8n/ingress.yaml
+++ b/n8n/ingress.yaml
@@ -10,14 +10,12 @@ metadata:
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     # Optional: enable compression
     traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
-        - "*.rogi.casa"
-      secretName: rogicasa-tls
+        - n8n.rogi.casa
+      secretName: n8n-tls
   rules:
     - host: n8n.rogi.casa
       http:
diff --git a/phoenix/ingress.yaml b/phoenix/ingress.yaml
index 4952ad1..b29b417 100644
--- a/phoenix/ingress.yaml
+++ b/phoenix/ingress.yaml
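Review bot: Once `secretName` moves to `jellyfin-tls`, nothing references the shared `rogicasa-tls` Secret any more, and cert-manager by default leaves a Secret in place when the ingress-shim Certificate that produced it is garbage-collected, so whatever that Secret holds (if it was ever created, given the commit message says issuance never worked) lingers in the namespace; the same applies to the myorg-assistant, n8n, phoenix and qbittorrent hunks. Deleting `rogicasa-tls` once the new per-app secrets report Ready avoids a stale keypair sitting around and a later accidental re-reference. A second consequence of replacing one wildcard with per-host Let's Encrypt certificates is that each hostname (`jellyfin.rogi.casa`, `myorg.rogi.casa`, `n8n.rogi.casa`, `phoenix.rogi.casa`, `qbittorrent.rogi.casa`) is now recorded in public Certificate Transparency logs, which the wildcard avoided; that is fine for services intended to be reachable, but the admin UIs behind them should then rely on their own authentication or a Traefik auth middleware rather than on the hostname being unknown. The remainder of each Ingress's `rules` section lies outside the hunk.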
@@ -10,14 +10,12 @@ metadata:
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     # Optional: enable compression
     traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
-        - "*.rogi.casa"
-      secretName: rogicasa-tls
+        - phoenix.rogi.casa
+      secretName: phoenix-tls
   rules:
     - host: phoenix.rogi.casa
       http:
diff --git a/qbittorrent/ingress.yaml b/qbittorrent/ingress.yaml
index 4587e43..40b9fed 100644
--- a/qbittorrent/ingress.yaml
+++ b/qbittorrent/ingress.yaml
@@ -7,14 +7,12 @@ metadata:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
-        - "*.rogi.casa"
-      secretName: rogicasa-tls
+        - qbittorrent.rogi.casa
+      secretName: qbittorrent-tls
   rules:
     - host: qbittorrent.rogi.casa
       http: