How to add an SSL using Let'sEncrypt for Rasa X on Kubernetes

aidenkoh801 · December 10, 2020, 7:00am

Hi! I have been following the complete guide to deploying your rasa assistant, and I was unable to get the SSL certificate to work. I was able to access Rasa X through the Load Balancer’s external IP address 34.87.xxx.xx:8000 .

After following the instructions as to:

creating an A record with my domain registrar, pointing to Load Balancer’s external IP address.
applying letsencrypt-issuer-production.yml
applying cert-request.yml
updating the ingress in the Helm chart settings (values.yml) and running helm upgrade.

When I visit my domain, the error message ERR_CONNECTION_CLOSED is shown. I have tried other methods as well but have been facing multiple issues as well (trying to configure Nginx reverse proxy to use SSL, using Google-managed certificates)

Any help is greatly appreciated! Thanks!

karen-white · December 10, 2020, 7:01pm

After you apply the domain name in step 1, is Rasa X available at the new URL? Curious whether the error is there before you apply the SSL, or only after all steps have been completed.

aidenkoh801 · December 11, 2020, 4:20pm

Hi Karen! Thanks so much for the reply! Yes, currently the domain name only works with http when I point it to the LoadBalancer’s external IP and Rasa X is available, but it doesn’t work with https.

This is how the log for the nginx pod looks:

PS C:\Users\AidenKoh> kubectl logs rasa-nginx-5785765c89-jcgww  --namespace rasa

←[38;5;6mnginx ←[38;5;5m09:50:38.39 ←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.41 ←[0m←[1mWelcome to the Bitnami nginx container←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.42 ←[0mSubscribe to project updates by watching ←[1mhttps://github.com/bitnami/bitnami-docker-nginx←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.43 ←[0mSubmit issues and feature requests at ←[1mhttps://github.com/bitnami/bitnami-docker-nginx/issues←[0m

←[38;5;6mnginx ←[38;5;5m09:50:38.43 ←[0m

SSL encryption is not used since no certificates were provided.

>>exec docker CMD

/opt/bitnami/scripts/nginx/run.sh

←[38;5;6mnginx ←[38;5;5m09:50:38.54 ←[0m←[38;5;2mINFO ←[0m ==> ** Starting NGINX **

2020/12/11 09:50:38 [notice] 1#1: using the "epoll" event method

2020/12/11 09:50:38 [notice] 1#1: nginx/1.19.4

2020/12/11 09:50:38 [notice] 1#1: built by gcc 8.3.0 (Debian 8.3.0-6)

2020/12/11 09:50:38 [notice] 1#1: OS: Linux 4.19.112+

2020/12/11 09:50:38 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576

2020/12/11 09:50:38 [notice] 1#1: start worker processes

2020/12/11 09:50:38 [notice] 1#1: start worker process 16

and this is how it looks when I run kubectl describe certificates:

PS C:\Users\AidenKoh> kubectl describe certificates --namespace rasa
Name:         letsencrypt-prod
Namespace:    rasa
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha3
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-12-10T05:47:06Z
  Generation:          1
  Resource Version:    240854
  Self Link:           /apis/cert-manager.io/v1alpha3/namespaces/rasa/certificates/letsencrypt-prod
  UID:                .......
Spec:
  Common Name: .......
  Dns Names:
    .......
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  .......
Status:
  Conditions:
    Last Transition Time:  2020-12-10T05:47:06Z
    Message:               Waiting for CertificateRequest "letsencrypt-prod-190842314" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:                    <none>

I’m not sure if its because the certificate request is still in progress. (It’s already been a day).

robynbitner · February 17, 2021, 7:40pm

I am having the same issue. Are there any updates?

aidenkoh801 · February 18, 2021, 5:46am

Hi! Sadly I wasn’t able to get it to work on google cloud, but I have recently shifted to amazon EKS, so would be trying what Will has did soon:

Hope this helps!

armanjindal · February 23, 2021, 8:41am

Hello ! I ran into this error when I was trying to figure to configure SSL on my Kubernetes deployment. Thought I’d share how I dealt with it just in case anyone else is struggling but still want to stick to GCP.

When I tried the certification on my own Kubernetes deployment it didn’t work. This was because I wasn’t able to reroute the traffic from port 80 to 8000. Because the connection between my domain and deployment was not working the SSL certification did not work. I tried changing ports in the ngnix service in the values.yml but couldn’t properly set up a reverse proxy without breaking other stuff!

When I did the one-line deployment and followed this guide on connecting GCloud VM with a Domain Name. Something I did not pick up earlier is that the one-line deployment is a pretty good option because you can configure the values.yml and add whenever you want. Just make sure to export KUBECONFIG=/etc/rancher/k3s/k3s.yaml before helm upgrade --values values.yml --namespace rasa --reuse-values rasa rasa-x/rasa-x after following @karen-white 's really clear blog post!