How to add an SSL using Let'sEncrypt for Rasa X on Kubernetes

Hi! I have been following the complete guide to deploying your rasa assistant, and I was unable to get the SSL certificate to work. I was able to access Rasa X through the Load Balancer’s external IP address .

After following the instructions as to:

  1. creating an A record with my domain registrar, pointing to Load Balancer’s external IP address.
  2. applying letsencrypt-issuer-production.yml
  3. applying cert-request.yml
  4. updating the ingress in the Helm chart settings (values.yml) and running helm upgrade.

When I visit my domain, the error message ERR_CONNECTION_CLOSED is shown. I have tried other methods as well but have been facing multiple issues as well (trying to configure Nginx reverse proxy to use SSL, using Google-managed certificates)

Any help is greatly appreciated! Thanks!

After you apply the domain name in step 1, is Rasa X available at the new URL? Curious whether the error is there before you apply the SSL, or only after all steps have been completed.

Hi Karen! Thanks so much for the reply! Yes, currently the domain name only works with http when I point it to the LoadBalancer’s external IP and Rasa X is available, but it doesn’t work with https.

This is how the log for the nginx pod looks:

PS C:\Users\AidenKoh> kubectl logs rasa-nginx-5785765c89-jcgww  --namespace rasa

←[38;5;6mnginx ←[38;5;5m09:50:38.39 ←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.41 ←[0m←[1mWelcome to the Bitnami nginx container←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.42 ←[0mSubscribe to project updates by watching ←[1m←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.43 ←[0mSubmit issues and feature requests at ←[1m←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.43 ←[0m

SSL encryption is not used since no certificates were provided.

>>exec docker CMD


←[38;5;6mnginx ←[38;5;5m09:50:38.54 ←[0m←[38;5;2mINFO ←[0m ==> ** Starting NGINX **

2020/12/11 09:50:38 [notice] 1#1: using the "epoll" event method

2020/12/11 09:50:38 [notice] 1#1: nginx/1.19.4

2020/12/11 09:50:38 [notice] 1#1: built by gcc 8.3.0 (Debian 8.3.0-6)

2020/12/11 09:50:38 [notice] 1#1: OS: Linux 4.19.112+

2020/12/11 09:50:38 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576

2020/12/11 09:50:38 [notice] 1#1: start worker processes

2020/12/11 09:50:38 [notice] 1#1: start worker process 16

and this is how it looks when I run kubectl describe certificates:

PS C:\Users\AidenKoh> kubectl describe certificates --namespace rasa
Name:         letsencrypt-prod
Namespace:    rasa
Labels:       <none>
Annotations:  <none>
API Version:
Kind:         Certificate
  Creation Timestamp:  2020-12-10T05:47:06Z
  Generation:          1
  Resource Version:    240854
  Self Link:           /apis/
  UID:                .......
  Common Name: .......
  Dns Names:
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  .......
    Last Transition Time:  2020-12-10T05:47:06Z
    Message:               Waiting for CertificateRequest "letsencrypt-prod-190842314" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:                    <none>

I’m not sure if its because the certificate request is still in progress. (It’s already been a day).

I am having the same issue. Are there any updates?

Hi! Sadly I wasn’t able to get it to work on google cloud, but I have recently shifted to amazon EKS, so would be trying what Will has did soon:

Hope this helps!

Hello :smiley: ! I ran into this error when I was trying to figure to configure SSL on my Kubernetes deployment. Thought I’d share how I dealt with it just in case anyone else is struggling but still want to stick to GCP.

When I tried the certification on my own Kubernetes deployment it didn’t work. This was because I wasn’t able to reroute the traffic from port 80 to 8000. Because the connection between my domain and deployment was not working the SSL certification did not work. I tried changing ports in the ngnix service in the values.yml but couldn’t properly set up a reverse proxy without breaking other stuff!

When I did the one-line deployment and followed this guide on connecting GCloud VM with a Domain Name. Something I did not pick up earlier is that the one-line deployment is a pretty good option because you can configure the values.yml and add whenever you want. Just make sure to export KUBECONFIG=/etc/rancher/k3s/k3s.yaml before helm upgrade --values values.yml --namespace rasa --reuse-values rasa rasa-x/rasa-x after following @karen-white 's really clear blog post!

1 Like