Access to DuckDNS console and obtain the token.

Create a file with the following format duckdns.ini:

dns_duckdns_token=AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE

Run the following command to obtain a new certificate for Duckdns:

docker run -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest \
   certonly \
     --non-interactive \
     --agree-tos \
     --email [email protected] \
     --preferred-challenges dns \
     --authenticator dns-duckdns \
     --dns-duckdns-token <duckdns_token> \
     --dns-duckdns-propagation-seconds 60 \
     -d "*.calfolguera.duckdns.org"

The Duckdns token will be needed in order to configure the certificate. Obtain it from the duckdns home page.

Create a new secret in k8s with the following command:

kubectl create secret tls default-server-secret --key privkey.pem --cert fullchain.pem -n ingress-nginx

Ensure the ingress-nginx deployment has the --default-ssl-certificate parameter correctly set:

kubectl edit deployment.apps/ingress-nginx-controller -n ingress-nginx

If needed, add the following line under the args section:

- --default-ssl-certificate=ingress-nginx/default-server-secret

To force all connections using SSL certificate edit the configmap:

kubectl edit configmap ingress-nginx-controller -n ingress-nginx

Add the following line under data:

force-ssl-redirect: "true"

Again, edit the configmap and add the following line under data:

hsts: "false"

If your certificates has expired, you can easily renew them executing the following command:

./renew_certs.sh

Remember to edit the script and adapt the variables to your environment.

You can also automate your certificate renewal adding the previous script to cron crontab -e:

0 0 1 * * /root/certbot/renew_certs.sh