[{"data":1,"prerenderedAt":1652},["ShallowReactive",2],{"blog-ja-cert-manager-automatic-tls":3,"blog-ja-cert-manager-automatic-tls-alt":194},{"id":4,"title":5,"author":6,"body":7,"date":1636,"description":1637,"extension":1638,"image":146,"locale":1639,"meta":1640,"navigation":194,"path":1641,"seo":1642,"stem":1643,"tags":1644,"__hash__":1651},"blog\u002Fblog\u002Fja\u002Fcert-manager-automatic-tls.md","cert-manager で Kubernetes の TLS 証明書を自動管理する","Kubo Team",{"type":8,"value":9,"toc":1610},"minimark",[10,28,33,46,50,53,82,86,93,125,133,136,140,263,266,317,321,329,466,469,577,583,587,600,604,641,662,666,729,744,752,755,788,792,801,804,1009,1015,1019,1022,1155,1158,1170,1293,1299,1302,1305,1319,1439,1442,1520,1523,1546,1549,1552,1583,1593,1606],[11,12,13,14,21,22,27],"p",{},"Kubernetes 環境でサービスを公開する際、TLS 証明書の管理は避けて通れない課題です。手動での証明書発行・更新は、運用負荷の増大と期限切れによる障害リスクを招きます。CNCF Graduated プロジェクトである ",[15,16,20],"a",{"href":17,"rel":18},"https:\u002F\u002Fcert-manager.io\u002F",[19],"nofollow","cert-manager"," は、TLS 証明書のライフサイクルを完全に自動化し、この課題を根本的に解決します。",[15,23,26],{"href":24,"rel":25},"https:\u002F\u002Fkubo.hexabase.io\u002F",[19],"Kubo"," のような K3s ベースの Kubernetes プラットフォームでは、cert-manager の導入によりゼロタッチの証明書管理が実現できます。",[29,30,32],"h2",{"id":31},"cert-manager-の基本概念とアーキテクチャ","cert-manager の基本概念とアーキテクチャ",[11,34,35,39,40,45],{},[15,36,20],{"href":37,"rel":38},"https:\u002F\u002Fcert-manager.io\u002Fdocs\u002F",[19]," は、Kubernetes および OpenShift クラスタ上で TLS 証明書の発行と更新を自動化するアドオンです。",[15,41,44],{"href":42,"rel":43},"https:\u002F\u002Fgithub.com\u002Fcert-manager\u002Fcert-manager",[19],"GitHub リポジトリ","で活発に開発が続けられており、クラウドネイティブ環境における証明書管理のデファクトスタンダードとなっています。",[47,48,49],"h3",{"id":49},"主要コンポーネント",[11,51,52],{},"cert-manager は以下のコンポーネントで構成されます：",[54,55,56,64,70,76],"ul",{},[57,58,59,63],"li",{},[60,61,62],"strong",{},"Controller",": Certificate リソースの状態を監視し、証明書の発行・更新を実行",[57,65,66,69],{},[60,67,68],{},"Webhook",": CRD のバリデーションと Admission Control を担当",[57,71,72,75],{},[60,73,74],{},"CA Injector",": Webhook やカスタムリソースに CA バンドルを自動注入",[57,77,78,81],{},[60,79,80],{},"ACME Solver",": Let's Encrypt 等の ACME プロバイダーとのチャレンジ処理を実行",[47,83,85],{"id":84},"サポートする発行元issuer","サポートする発行元（Issuer）",[11,87,88,92],{},[15,89,91],{"href":37,"rel":90},[19],"cert-manager のドキュメント","によると、以下の認証局に対応しています：",[54,94,95,101,107,113,119],{},[57,96,97,100],{},[60,98,99],{},"Let's Encrypt"," (ACME プロトコル): 無料の TLS 証明書を自動発行",[57,102,103,106],{},[60,104,105],{},"HashiCorp Vault",": エンタープライズ PKI との連携",[57,108,109,112],{},[60,110,111],{},"CyberArk Certificate Manager",": 企業向け証明書管理",[57,114,115,118],{},[60,116,117],{},"プライベート PKI",": 自社認証局による証明書発行",[57,120,121,124],{},[60,122,123],{},"Self-signed",": テスト環境向けの自己署名証明書",[11,126,127,132],{},[15,128,131],{"href":129,"rel":130},"https:\u002F\u002Fwww.hexabase.com\u002Fproduct\u002Fcaptain-ai\u002F",[19],"Captain.AI"," は Kubernetes 環境全体のセキュリティ状態を AI で監視し、証明書の期限切れリスクを事前に検知する運用支援を提供します。",[29,134,135],{"id":135},"インストールと初期設定",[47,137,139],{"id":138},"helm-によるインストール","Helm によるインストール",[141,142,147],"pre",{"className":143,"code":144,"language":145,"meta":146,"style":146},"language-bash shiki shiki-themes tokyo-night","# cert-manager の Helm リポジトリを追加\nhelm repo add jetstack https:\u002F\u002Fcharts.jetstack.io\nhelm repo update\n\n# CRD を含めてインストール\nhelm install cert-manager jetstack\u002Fcert-manager \\\n  --namespace cert-manager \\\n  --create-namespace \\\n  --version v1.18.1 \\\n  --set crds.enabled=true\n","bash","",[148,149,150,159,179,189,196,202,220,231,239,250],"code",{"__ignoreMap":146},[151,152,155],"span",{"class":153,"line":154},"line",1,[151,156,158],{"class":157},"sbD-w","# cert-manager の Helm リポジトリを追加\n",[151,160,162,166,170,173,176],{"class":153,"line":161},2,[151,163,165],{"class":164},"sE3pS","helm",[151,167,169],{"class":168},"sPY7s"," repo",[151,171,172],{"class":168}," add",[151,174,175],{"class":168}," jetstack",[151,177,178],{"class":168}," https:\u002F\u002Fcharts.jetstack.io\n",[151,180,182,184,186],{"class":153,"line":181},3,[151,183,165],{"class":164},[151,185,169],{"class":168},[151,187,188],{"class":168}," update\n",[151,190,192],{"class":153,"line":191},4,[151,193,195],{"emptyLinePlaceholder":194},true,"\n",[151,197,199],{"class":153,"line":198},5,[151,200,201],{"class":157},"# CRD を含めてインストール\n",[151,203,205,207,210,213,216],{"class":153,"line":204},6,[151,206,165],{"class":164},[151,208,209],{"class":168}," install",[151,211,212],{"class":168}," cert-manager",[151,214,215],{"class":168}," jetstack\u002Fcert-manager",[151,217,219],{"class":218},"sAklC"," \\\n",[151,221,223,227,229],{"class":153,"line":222},7,[151,224,226],{"class":225},"sT800","  --namespace",[151,228,212],{"class":168},[151,230,219],{"class":218},[151,232,234,237],{"class":153,"line":233},8,[151,235,236],{"class":225},"  --create-namespace",[151,238,219],{"class":218},[151,240,242,245,248],{"class":153,"line":241},9,[151,243,244],{"class":225},"  --version",[151,246,247],{"class":168}," v1.18.1",[151,249,219],{"class":218},[151,251,253,256,259],{"class":153,"line":252},10,[151,254,255],{"class":225},"  --set",[151,257,258],{"class":168}," crds.enabled=",[151,260,262],{"class":261},"sOJ5S","true\n",[47,264,265],{"id":265},"インストールの確認",[141,267,269],{"className":143,"code":268,"language":145,"meta":146,"style":146},"# Pod の状態を確認\nkubectl get pods -n cert-manager\n\n# 出力例:\n# cert-manager-5c6866597-zw7kh          1\u002F1     Running   0\n# cert-manager-cainjector-577f6d9fd7-b   1\u002F1     Running   0\n# cert-manager-webhook-56f8b4f8d-hsqvg   1\u002F1     Running   0\n",[148,270,271,276,293,297,302,307,312],{"__ignoreMap":146},[151,272,273],{"class":153,"line":154},[151,274,275],{"class":157},"# Pod の状態を確認\n",[151,277,278,281,284,287,290],{"class":153,"line":161},[151,279,280],{"class":164},"kubectl",[151,282,283],{"class":168}," get",[151,285,286],{"class":168}," pods",[151,288,289],{"class":225}," -n",[151,291,292],{"class":168}," cert-manager\n",[151,294,295],{"class":153,"line":181},[151,296,195],{"emptyLinePlaceholder":194},[151,298,299],{"class":153,"line":191},[151,300,301],{"class":157},"# 出力例:\n",[151,303,304],{"class":153,"line":198},[151,305,306],{"class":157},"# cert-manager-5c6866597-zw7kh          1\u002F1     Running   0\n",[151,308,309],{"class":153,"line":204},[151,310,311],{"class":157},"# cert-manager-cainjector-577f6d9fd7-b   1\u002F1     Running   0\n",[151,313,314],{"class":153,"line":222},[151,315,316],{"class":157},"# cert-manager-webhook-56f8b4f8d-hsqvg   1\u002F1     Running   0\n",[47,318,320],{"id":319},"clusterissuer-の作成","ClusterIssuer の作成",[11,322,323,328],{},[15,324,327],{"href":325,"rel":326},"https:\u002F\u002Fwww.funkysi1701.com\u002Fposts\u002F2025\u002Fkubernetes-and-letsencrypt\u002F",[19],"Funky Si's Blog の実践ガイド","を参考に、Let's Encrypt 用の ClusterIssuer を設定します：",[141,330,334],{"className":331,"code":332,"language":333,"meta":146,"style":146},"language-yaml shiki shiki-themes tokyo-night","apiVersion: cert-manager.io\u002Fv1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-prod\nspec:\n  acme:\n    server: https:\u002F\u002Facme-v02.api.letsencrypt.org\u002Fdirectory\n    email: admin@example.com\n    privateKeySecretRef:\n      name: letsencrypt-prod-key\n    solvers:\n    - http01:\n        ingress:\n          class: nginx\n","yaml",[148,335,336,348,358,366,376,383,390,400,410,417,427,435,447,455],{"__ignoreMap":146},[151,337,338,342,345],{"class":153,"line":154},[151,339,341],{"class":340},"s0U2E","apiVersion",[151,343,344],{"class":218},":",[151,346,347],{"class":168}," cert-manager.io\u002Fv1\n",[151,349,350,353,355],{"class":153,"line":161},[151,351,352],{"class":340},"kind",[151,354,344],{"class":218},[151,356,357],{"class":168}," ClusterIssuer\n",[151,359,360,363],{"class":153,"line":181},[151,361,362],{"class":340},"metadata",[151,364,365],{"class":218},":\n",[151,367,368,371,373],{"class":153,"line":191},[151,369,370],{"class":340},"  name",[151,372,344],{"class":218},[151,374,375],{"class":168}," letsencrypt-prod\n",[151,377,378,381],{"class":153,"line":198},[151,379,380],{"class":340},"spec",[151,382,365],{"class":218},[151,384,385,388],{"class":153,"line":204},[151,386,387],{"class":340},"  acme",[151,389,365],{"class":218},[151,391,392,395,397],{"class":153,"line":222},[151,393,394],{"class":340},"    server",[151,396,344],{"class":218},[151,398,399],{"class":168}," https:\u002F\u002Facme-v02.api.letsencrypt.org\u002Fdirectory\n",[151,401,402,405,407],{"class":153,"line":233},[151,403,404],{"class":340},"    email",[151,406,344],{"class":218},[151,408,409],{"class":168}," admin@example.com\n",[151,411,412,415],{"class":153,"line":241},[151,413,414],{"class":340},"    privateKeySecretRef",[151,416,365],{"class":218},[151,418,419,422,424],{"class":153,"line":252},[151,420,421],{"class":340},"      name",[151,423,344],{"class":218},[151,425,426],{"class":168}," letsencrypt-prod-key\n",[151,428,430,433],{"class":153,"line":429},11,[151,431,432],{"class":340},"    solvers",[151,434,365],{"class":218},[151,436,438,442,445],{"class":153,"line":437},12,[151,439,441],{"class":440},"sgJMe","    -",[151,443,444],{"class":340}," http01",[151,446,365],{"class":218},[151,448,450,453],{"class":153,"line":449},13,[151,451,452],{"class":340},"        ingress",[151,454,365],{"class":218},[151,456,458,461,463],{"class":153,"line":457},14,[151,459,460],{"class":340},"          class",[151,462,344],{"class":218},[151,464,465],{"class":168}," nginx\n",[11,467,468],{},"ステージング環境でのテスト用 Issuer も用意しておくことを推奨します：",[141,470,472],{"className":331,"code":471,"language":333,"meta":146,"style":146},"apiVersion: cert-manager.io\u002Fv1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https:\u002F\u002Facme-staging-v02.api.letsencrypt.org\u002Fdirectory\n    email: admin@example.com\n    privateKeySecretRef:\n      name: letsencrypt-staging-key\n    solvers:\n    - http01:\n        ingress:\n          class: nginx\n",[148,473,474,482,490,496,505,511,517,526,534,540,549,555,563,569],{"__ignoreMap":146},[151,475,476,478,480],{"class":153,"line":154},[151,477,341],{"class":340},[151,479,344],{"class":218},[151,481,347],{"class":168},[151,483,484,486,488],{"class":153,"line":161},[151,485,352],{"class":340},[151,487,344],{"class":218},[151,489,357],{"class":168},[151,491,492,494],{"class":153,"line":181},[151,493,362],{"class":340},[151,495,365],{"class":218},[151,497,498,500,502],{"class":153,"line":191},[151,499,370],{"class":340},[151,501,344],{"class":218},[151,503,504],{"class":168}," letsencrypt-staging\n",[151,506,507,509],{"class":153,"line":198},[151,508,380],{"class":340},[151,510,365],{"class":218},[151,512,513,515],{"class":153,"line":204},[151,514,387],{"class":340},[151,516,365],{"class":218},[151,518,519,521,523],{"class":153,"line":222},[151,520,394],{"class":340},[151,522,344],{"class":218},[151,524,525],{"class":168}," https:\u002F\u002Facme-staging-v02.api.letsencrypt.org\u002Fdirectory\n",[151,527,528,530,532],{"class":153,"line":233},[151,529,404],{"class":340},[151,531,344],{"class":218},[151,533,409],{"class":168},[151,535,536,538],{"class":153,"line":241},[151,537,414],{"class":340},[151,539,365],{"class":218},[151,541,542,544,546],{"class":153,"line":252},[151,543,421],{"class":340},[151,545,344],{"class":218},[151,547,548],{"class":168}," letsencrypt-staging-key\n",[151,550,551,553],{"class":153,"line":429},[151,552,432],{"class":340},[151,554,365],{"class":218},[151,556,557,559,561],{"class":153,"line":437},[151,558,441],{"class":440},[151,560,444],{"class":340},[151,562,365],{"class":218},[151,564,565,567],{"class":153,"line":449},[151,566,452],{"class":340},[151,568,365],{"class":218},[151,570,571,573,575],{"class":153,"line":457},[151,572,460],{"class":340},[151,574,344],{"class":218},[151,576,465],{"class":168},[11,578,579,582],{},[15,580,26],{"href":24,"rel":581},[19]," では K3s に標準搭載される Traefik Ingress Controller との連携も可能です。",[29,584,586],{"id":585},"acme-チャレンジの仕組みと選択","ACME チャレンジの仕組みと選択",[11,588,589,593,594,599],{},[15,590,99],{"href":591,"rel":592},"https:\u002F\u002Fletsencrypt.org\u002F",[19]," は ACME（Automatic Certificate Management Environment）プロトコルを使用して、ドメインの所有権を検証します。",[15,595,598],{"href":596,"rel":597},"https:\u002F\u002Fnotes.kodekloud.com\u002Fdocs\u002FKubernetes-Networking-Deep-Dive\u002FNetwork-Security\u002FCert-Manager-and-Lets-Encrypt-Overview\u002Fpage",[19],"KodeKloud の解説","によると、cert-manager は主に 2 つのチャレンジタイプをサポートしています。",[47,601,603],{"id":602},"http-01-チャレンジ","HTTP-01 チャレンジ",[141,605,607],{"className":331,"code":606,"language":333,"meta":146,"style":146},"solvers:\n- http01:\n    ingress:\n      class: nginx\n",[148,608,609,616,625,632],{"__ignoreMap":146},[151,610,611,614],{"class":153,"line":154},[151,612,613],{"class":340},"solvers",[151,615,365],{"class":218},[151,617,618,621,623],{"class":153,"line":161},[151,619,620],{"class":440},"-",[151,622,444],{"class":340},[151,624,365],{"class":218},[151,626,627,630],{"class":153,"line":181},[151,628,629],{"class":340},"    ingress",[151,631,365],{"class":218},[151,633,634,637,639],{"class":153,"line":191},[151,635,636],{"class":340},"      class",[151,638,344],{"class":218},[151,640,465],{"class":168},[54,642,643,650,656],{},[57,644,645,646,649],{},"let's encrypt がドメインの ",[148,647,648],{},"-.well-known-acme-challenge-"," エンドポイントにアクセスして検証",[57,651,652,655],{},[60,653,654],{},"メリット",": 設定がシンプル、追加の DNS 権限不要",[57,657,658,661],{},[60,659,660],{},"デメリット",": ポート 80 が外部からアクセス可能である必要がある、ワイルドカード証明書は非対応",[47,663,665],{"id":664},"dns-01-チャレンジ","DNS-01 チャレンジ",[141,667,669],{"className":331,"code":668,"language":333,"meta":146,"style":146},"solvers:\n- dns01:\n    cloudflare:\n      email: admin@example.com\n      apiTokenSecretRef:\n        name: cloudflare-api-token\n        key: api-token\n",[148,670,671,677,686,693,702,709,719],{"__ignoreMap":146},[151,672,673,675],{"class":153,"line":154},[151,674,613],{"class":340},[151,676,365],{"class":218},[151,678,679,681,684],{"class":153,"line":161},[151,680,620],{"class":440},[151,682,683],{"class":340}," dns01",[151,685,365],{"class":218},[151,687,688,691],{"class":153,"line":181},[151,689,690],{"class":340},"    cloudflare",[151,692,365],{"class":218},[151,694,695,698,700],{"class":153,"line":191},[151,696,697],{"class":340},"      email",[151,699,344],{"class":218},[151,701,409],{"class":168},[151,703,704,707],{"class":153,"line":198},[151,705,706],{"class":340},"      apiTokenSecretRef",[151,708,365],{"class":218},[151,710,711,714,716],{"class":153,"line":204},[151,712,713],{"class":340},"        name",[151,715,344],{"class":218},[151,717,718],{"class":168}," cloudflare-api-token\n",[151,720,721,724,726],{"class":153,"line":222},[151,722,723],{"class":340},"        key",[151,725,344],{"class":218},[151,727,728],{"class":168}," api-token\n",[54,730,731,734,739],{},[57,732,733],{},"DNS レコードにトークンを設定して検証",[57,735,736,738],{},[60,737,654],{},": ワイルドカード証明書をサポート、ポート 80 不要",[57,740,741,743],{},[60,742,660],{},": DNS プロバイダーの API 認証情報が必要",[11,745,746,751],{},[15,747,750],{"href":748,"rel":749},"https:\u002F\u002Fwww.thedougie.com\u002F2025\u002F11\u002F01\u002Fkubernetes-cert-manager-cloudflare-lets-encrypt\u002F",[19],"The Dougie Chronicles"," が詳しく解説しているように、Cloudflare を使った DNS-01 チャレンジは、特にワイルドカード証明書が必要な場合に最も一般的な選択肢です。",[11,753,754],{},"サポートされる DNS プロバイダー:",[54,756,757,764,771,778,785],{},[57,758,759],{},[15,760,763],{"href":761,"rel":762},"https:\u002F\u002Fwww.cloudflare.com\u002F",[19],"Cloudflare",[57,765,766],{},[15,767,770],{"href":768,"rel":769},"https:\u002F\u002Faws.amazon.com\u002Froute53\u002F",[19],"AWS Route 53",[57,772,773],{},[15,774,777],{"href":775,"rel":776},"https:\u002F\u002Fcloud.google.com\u002Fdns",[19],"Google Cloud DNS",[57,779,780],{},[15,781,784],{"href":782,"rel":783},"https:\u002F\u002Fazure.microsoft.com\u002Fservices\u002Fdns\u002F",[19],"Azure DNS",[57,786,787],{},"その他多数",[29,789,791],{"id":790},"ingress-との連携と自動証明書発行","Ingress との連携と自動証明書発行",[11,793,794,795,800],{},"cert-manager の最も強力な機能の一つが、",[15,796,799],{"href":797,"rel":798},"https:\u002F\u002Fcert-manager.io\u002Fdocs\u002Fusage\u002Fingress\u002F",[19],"Ingress リソースとの自動連携","です。",[47,802,803],{"id":803},"アノテーションによる自動発行",[141,805,807],{"className":331,"code":806,"language":333,"meta":146,"style":146},"apiVersion: networking.k8s.io\u002Fv1\nkind: Ingress\nmetadata:\n  name: my-app-ingress\n  annotations:\n    cert-manager.io\u002Fcluster-issuer: \"letsencrypt-prod\"\nspec:\n  tls:\n  - hosts:\n    - app.example.com\n    secretName: app-tls-secret\n  rules:\n  - host: app.example.com\n    http:\n      paths:\n      - path: \u002F\n        pathType: Prefix\n        backend:\n          service:\n            name: my-app\n            port:\n              number: 80\n",[148,808,809,818,827,833,842,849,865,871,878,888,895,905,912,923,930,938,952,963,971,979,990,998],{"__ignoreMap":146},[151,810,811,813,815],{"class":153,"line":154},[151,812,341],{"class":340},[151,814,344],{"class":218},[151,816,817],{"class":168}," networking.k8s.io\u002Fv1\n",[151,819,820,822,824],{"class":153,"line":161},[151,821,352],{"class":340},[151,823,344],{"class":218},[151,825,826],{"class":168}," Ingress\n",[151,828,829,831],{"class":153,"line":181},[151,830,362],{"class":340},[151,832,365],{"class":218},[151,834,835,837,839],{"class":153,"line":191},[151,836,370],{"class":340},[151,838,344],{"class":218},[151,840,841],{"class":168}," my-app-ingress\n",[151,843,844,847],{"class":153,"line":198},[151,845,846],{"class":340},"  annotations",[151,848,365],{"class":218},[151,850,851,854,856,859,862],{"class":153,"line":204},[151,852,853],{"class":340},"    cert-manager.io\u002Fcluster-issuer",[151,855,344],{"class":218},[151,857,858],{"class":218}," \"",[151,860,861],{"class":168},"letsencrypt-prod",[151,863,864],{"class":218},"\"\n",[151,866,867,869],{"class":153,"line":222},[151,868,380],{"class":340},[151,870,365],{"class":218},[151,872,873,876],{"class":153,"line":233},[151,874,875],{"class":340},"  tls",[151,877,365],{"class":218},[151,879,880,883,886],{"class":153,"line":241},[151,881,882],{"class":440},"  -",[151,884,885],{"class":340}," hosts",[151,887,365],{"class":218},[151,889,890,892],{"class":153,"line":252},[151,891,441],{"class":440},[151,893,894],{"class":168}," app.example.com\n",[151,896,897,900,902],{"class":153,"line":429},[151,898,899],{"class":340},"    secretName",[151,901,344],{"class":218},[151,903,904],{"class":168}," app-tls-secret\n",[151,906,907,910],{"class":153,"line":437},[151,908,909],{"class":340},"  rules",[151,911,365],{"class":218},[151,913,914,916,919,921],{"class":153,"line":449},[151,915,882],{"class":440},[151,917,918],{"class":340}," host",[151,920,344],{"class":218},[151,922,894],{"class":168},[151,924,925,928],{"class":153,"line":457},[151,926,927],{"class":340},"    http",[151,929,365],{"class":218},[151,931,933,936],{"class":153,"line":932},15,[151,934,935],{"class":340},"      paths",[151,937,365],{"class":218},[151,939,941,944,947,949],{"class":153,"line":940},16,[151,942,943],{"class":440},"      -",[151,945,946],{"class":340}," path",[151,948,344],{"class":218},[151,950,951],{"class":168}," \u002F\n",[151,953,955,958,960],{"class":153,"line":954},17,[151,956,957],{"class":340},"        pathType",[151,959,344],{"class":218},[151,961,962],{"class":168}," Prefix\n",[151,964,966,969],{"class":153,"line":965},18,[151,967,968],{"class":340},"        backend",[151,970,365],{"class":218},[151,972,974,977],{"class":153,"line":973},19,[151,975,976],{"class":340},"          service",[151,978,365],{"class":218},[151,980,982,985,987],{"class":153,"line":981},20,[151,983,984],{"class":340},"            name",[151,986,344],{"class":218},[151,988,989],{"class":168}," my-app\n",[151,991,993,996],{"class":153,"line":992},21,[151,994,995],{"class":340},"            port",[151,997,365],{"class":218},[151,999,1001,1004,1006],{"class":153,"line":1000},22,[151,1002,1003],{"class":340},"              number",[151,1005,344],{"class":218},[151,1007,1008],{"class":261}," 80\n",[11,1010,1011,1014],{},[148,1012,1013],{},"cert-manager.io\u002Fcluster-issuer"," アノテーションを追加するだけで、cert-manager が自動的に Certificate リソースを作成し、Let's Encrypt から証明書を取得して Kubernetes Secret に保存します。",[47,1016,1018],{"id":1017},"gateway-api-との連携","Gateway API との連携",[11,1020,1021],{},"Kubernetes Gateway API を使う場合も同様に対応しています：",[141,1023,1025],{"className":331,"code":1024,"language":333,"meta":146,"style":146},"apiVersion: gateway.networking.k8s.io\u002Fv1\nkind: HTTPRoute\nmetadata:\n  name: my-app-route\n  annotations:\n    cert-manager.io\u002Fcluster-issuer: \"letsencrypt-prod\"\nspec:\n  parentRefs:\n  - name: my-gateway\n  hostnames:\n  - \"app.example.com\"\n  rules:\n  - backendRefs:\n    - name: my-app\n      port: 80\n",[148,1026,1027,1036,1045,1051,1060,1066,1078,1084,1091,1103,1110,1121,1127,1136,1146],{"__ignoreMap":146},[151,1028,1029,1031,1033],{"class":153,"line":154},[151,1030,341],{"class":340},[151,1032,344],{"class":218},[151,1034,1035],{"class":168}," gateway.networking.k8s.io\u002Fv1\n",[151,1037,1038,1040,1042],{"class":153,"line":161},[151,1039,352],{"class":340},[151,1041,344],{"class":218},[151,1043,1044],{"class":168}," HTTPRoute\n",[151,1046,1047,1049],{"class":153,"line":181},[151,1048,362],{"class":340},[151,1050,365],{"class":218},[151,1052,1053,1055,1057],{"class":153,"line":191},[151,1054,370],{"class":340},[151,1056,344],{"class":218},[151,1058,1059],{"class":168}," my-app-route\n",[151,1061,1062,1064],{"class":153,"line":198},[151,1063,846],{"class":340},[151,1065,365],{"class":218},[151,1067,1068,1070,1072,1074,1076],{"class":153,"line":204},[151,1069,853],{"class":340},[151,1071,344],{"class":218},[151,1073,858],{"class":218},[151,1075,861],{"class":168},[151,1077,864],{"class":218},[151,1079,1080,1082],{"class":153,"line":222},[151,1081,380],{"class":340},[151,1083,365],{"class":218},[151,1085,1086,1089],{"class":153,"line":233},[151,1087,1088],{"class":340},"  parentRefs",[151,1090,365],{"class":218},[151,1092,1093,1095,1098,1100],{"class":153,"line":241},[151,1094,882],{"class":440},[151,1096,1097],{"class":340}," name",[151,1099,344],{"class":218},[151,1101,1102],{"class":168}," my-gateway\n",[151,1104,1105,1108],{"class":153,"line":252},[151,1106,1107],{"class":340},"  hostnames",[151,1109,365],{"class":218},[151,1111,1112,1114,1116,1119],{"class":153,"line":429},[151,1113,882],{"class":440},[151,1115,858],{"class":218},[151,1117,1118],{"class":168},"app.example.com",[151,1120,864],{"class":218},[151,1122,1123,1125],{"class":153,"line":437},[151,1124,909],{"class":340},[151,1126,365],{"class":218},[151,1128,1129,1131,1134],{"class":153,"line":449},[151,1130,882],{"class":440},[151,1132,1133],{"class":340}," backendRefs",[151,1135,365],{"class":218},[151,1137,1138,1140,1142,1144],{"class":153,"line":457},[151,1139,441],{"class":440},[151,1141,1097],{"class":340},[151,1143,344],{"class":218},[151,1145,989],{"class":168},[151,1147,1148,1151,1153],{"class":153,"line":932},[151,1149,1150],{"class":340},"      port",[151,1152,344],{"class":218},[151,1154,1008],{"class":261},[47,1156,1157],{"id":1157},"自動更新の仕組み",[11,1159,1160,1165,1166,1169],{},[15,1161,1164],{"href":1162,"rel":1163},"https:\u002F\u002Fmedium.com\u002F@tashikmoinsheikh\u002Fthe-ultimate-deep-dive-automating-ssl-tls-with-cert-manager-in-kubernetes-83c91ae11df4",[19],"Medium の詳細記事","が解説するように、cert-manager は証明書の有効期限を常に監視し、",[148,1167,1168],{},"renewBefore"," で指定された期間前に自動的に更新を実行します。Let's Encrypt の証明書は 90 日間有効で、デフォルトでは期限の 30 日前に更新が開始されます。",[141,1171,1173],{"className":331,"code":1172,"language":333,"meta":146,"style":146},"apiVersion: cert-manager.io\u002Fv1\nkind: Certificate\nmetadata:\n  name: app-tls\nspec:\n  secretName: app-tls-secret\n  duration: 2160h    # 90 日\n  renewBefore: 720h  # 30 日前に更新\n  issuerRef:\n    name: letsencrypt-prod\n    kind: ClusterIssuer\n  dnsNames:\n  - app.example.com\n  - www.app.example.com\n",[148,1174,1175,1183,1192,1198,1207,1213,1222,1235,1248,1255,1264,1273,1280,1286],{"__ignoreMap":146},[151,1176,1177,1179,1181],{"class":153,"line":154},[151,1178,341],{"class":340},[151,1180,344],{"class":218},[151,1182,347],{"class":168},[151,1184,1185,1187,1189],{"class":153,"line":161},[151,1186,352],{"class":340},[151,1188,344],{"class":218},[151,1190,1191],{"class":168}," Certificate\n",[151,1193,1194,1196],{"class":153,"line":181},[151,1195,362],{"class":340},[151,1197,365],{"class":218},[151,1199,1200,1202,1204],{"class":153,"line":191},[151,1201,370],{"class":340},[151,1203,344],{"class":218},[151,1205,1206],{"class":168}," app-tls\n",[151,1208,1209,1211],{"class":153,"line":198},[151,1210,380],{"class":340},[151,1212,365],{"class":218},[151,1214,1215,1218,1220],{"class":153,"line":204},[151,1216,1217],{"class":340},"  secretName",[151,1219,344],{"class":218},[151,1221,904],{"class":168},[151,1223,1224,1227,1229,1232],{"class":153,"line":222},[151,1225,1226],{"class":340},"  duration",[151,1228,344],{"class":218},[151,1230,1231],{"class":168}," 2160h",[151,1233,1234],{"class":157},"    # 90 日\n",[151,1236,1237,1240,1242,1245],{"class":153,"line":233},[151,1238,1239],{"class":340},"  renewBefore",[151,1241,344],{"class":218},[151,1243,1244],{"class":168}," 720h",[151,1246,1247],{"class":157},"  # 30 日前に更新\n",[151,1249,1250,1253],{"class":153,"line":241},[151,1251,1252],{"class":340},"  issuerRef",[151,1254,365],{"class":218},[151,1256,1257,1260,1262],{"class":153,"line":252},[151,1258,1259],{"class":340},"    name",[151,1261,344],{"class":218},[151,1263,375],{"class":168},[151,1265,1266,1269,1271],{"class":153,"line":429},[151,1267,1268],{"class":340},"    kind",[151,1270,344],{"class":218},[151,1272,357],{"class":168},[151,1274,1275,1278],{"class":153,"line":437},[151,1276,1277],{"class":340},"  dnsNames",[151,1279,365],{"class":218},[151,1281,1282,1284],{"class":153,"line":449},[151,1283,882],{"class":440},[151,1285,894],{"class":168},[151,1287,1288,1290],{"class":153,"line":457},[151,1289,882],{"class":440},[151,1291,1292],{"class":168}," www.app.example.com\n",[11,1294,1295,1298],{},[15,1296,131],{"href":129,"rel":1297},[19]," と連携すれば、証明書の更新失敗を AI が検知し、自動的に対処策を提案するワークフローの構築が可能です。",[29,1300,1301],{"id":1301},"トラブルシューティングとベストプラクティス",[47,1303,1304],{"id":1304},"よくある問題と解決策",[11,1306,1307,1312,1313,1318],{},[15,1308,1311],{"href":1309,"rel":1310},"https:\u002F\u002Foneuptime.com\u002Fblog\u002Fpost\u002F2026-02-09-cert-manager-letsencrypt-acme\u002Fview",[19],"oneuptime のガイド","や ",[15,1314,1317],{"href":1315,"rel":1316},"https:\u002F\u002Fwww.f5.com\u002Fcompany\u002Fblog\u002Fnginx\u002Fautomating-certificate-management-in-a-kubernetes-environment",[19],"F5 のベストプラクティス","を参考に：",[141,1320,1322],{"className":143,"code":1321,"language":145,"meta":146,"style":146},"# Certificate のステータス確認\nkubectl describe certificate app-tls -n default\n\n# CertificateRequest の確認\nkubectl get certificaterequest -n default\n\n# Order の確認（ACME の場合）\nkubectl get order -n default\n\n# Challenge の確認\nkubectl get challenge -n default\n\n# cert-manager のログ確認\nkubectl logs -n cert-manager -l app=cert-manager\n",[148,1323,1324,1329,1347,1351,1356,1369,1373,1378,1391,1395,1400,1413,1417,1422],{"__ignoreMap":146},[151,1325,1326],{"class":153,"line":154},[151,1327,1328],{"class":157},"# Certificate のステータス確認\n",[151,1330,1331,1333,1336,1339,1342,1344],{"class":153,"line":161},[151,1332,280],{"class":164},[151,1334,1335],{"class":168}," describe",[151,1337,1338],{"class":168}," certificate",[151,1340,1341],{"class":168}," app-tls",[151,1343,289],{"class":225},[151,1345,1346],{"class":168}," default\n",[151,1348,1349],{"class":153,"line":181},[151,1350,195],{"emptyLinePlaceholder":194},[151,1352,1353],{"class":153,"line":191},[151,1354,1355],{"class":157},"# CertificateRequest の確認\n",[151,1357,1358,1360,1362,1365,1367],{"class":153,"line":198},[151,1359,280],{"class":164},[151,1361,283],{"class":168},[151,1363,1364],{"class":168}," certificaterequest",[151,1366,289],{"class":225},[151,1368,1346],{"class":168},[151,1370,1371],{"class":153,"line":204},[151,1372,195],{"emptyLinePlaceholder":194},[151,1374,1375],{"class":153,"line":222},[151,1376,1377],{"class":157},"# Order の確認（ACME の場合）\n",[151,1379,1380,1382,1384,1387,1389],{"class":153,"line":233},[151,1381,280],{"class":164},[151,1383,283],{"class":168},[151,1385,1386],{"class":168}," order",[151,1388,289],{"class":225},[151,1390,1346],{"class":168},[151,1392,1393],{"class":153,"line":241},[151,1394,195],{"emptyLinePlaceholder":194},[151,1396,1397],{"class":153,"line":252},[151,1398,1399],{"class":157},"# Challenge の確認\n",[151,1401,1402,1404,1406,1409,1411],{"class":153,"line":429},[151,1403,280],{"class":164},[151,1405,283],{"class":168},[151,1407,1408],{"class":168}," challenge",[151,1410,289],{"class":225},[151,1412,1346],{"class":168},[151,1414,1415],{"class":153,"line":437},[151,1416,195],{"emptyLinePlaceholder":194},[151,1418,1419],{"class":153,"line":449},[151,1420,1421],{"class":157},"# cert-manager のログ確認\n",[151,1423,1424,1426,1429,1431,1433,1436],{"class":153,"line":457},[151,1425,280],{"class":164},[151,1427,1428],{"class":168}," logs",[151,1430,289],{"class":225},[151,1432,212],{"class":168},[151,1434,1435],{"class":225}," -l",[151,1437,1438],{"class":168}," app=cert-manager\n",[47,1440,1441],{"id":1441},"よくあるエラーと対処",[1443,1444,1445,1461],"table",{},[1446,1447,1448],"thead",{},[1449,1450,1451,1455,1458],"tr",{},[1452,1453,1454],"th",{},"エラー",[1452,1456,1457],{},"原因",[1452,1459,1460],{},"対処",[1462,1463,1464,1478,1494,1507],"tbody",{},[1449,1465,1466,1472,1475],{},[1467,1468,1469],"td",{},[148,1470,1471],{},"Waiting for HTTP-01 challenge",[1467,1473,1474],{},"ポート 80 がブロック",[1467,1476,1477],{},"ファイアウォール設定を確認",[1449,1479,1480,1485,1488],{},[1467,1481,1482],{},[148,1483,1484],{},"DNS record not yet propagated",[1467,1486,1487],{},"DNS 伝播の遅延",[1467,1489,1490,1493],{},[148,1491,1492],{},"--dns01-recursive-nameservers"," を設定",[1449,1495,1496,1501,1504],{},[1467,1497,1498],{},[148,1499,1500],{},"rate limited",[1467,1502,1503],{},"Let's Encrypt のレート制限",[1467,1505,1506],{},"ステージング環境でテスト",[1449,1508,1509,1514,1517],{},[1467,1510,1511],{},[148,1512,1513],{},"account is not registered",[1467,1515,1516],{},"ACME 登録の失敗",[1467,1518,1519],{},"email フィールドを確認",[47,1521,1522],{"id":1522},"セキュリティのベストプラクティス",[54,1524,1525,1528,1531,1539],{},[57,1526,1527],{},"ステージング Issuer でテストしてから本番 Issuer に切り替え",[57,1529,1530],{},"RBAC で Certificate リソースへのアクセスを制限",[57,1532,1533,1538],{},[15,1534,1537],{"href":1535,"rel":1536},"https:\u002F\u002Fapurv.me\u002Fposts\u002Fkubernetes-setup-cert-manager-automated-tls-management\u002F",[19],"Apurv のテックノート","が推奨するように、API トークンは Kubernetes Secret で安全に管理",[57,1540,1541,1542,1545],{},"証明書の監視アラートを設定（Prometheus メトリクス ",[148,1543,1544],{},"certmanager_certificate_expiration_timestamp_seconds","）",[29,1547,1548],{"id":1548},"まとめ",[11,1550,1551],{},"cert-manager は Kubernetes 環境における TLS 証明書管理の労力を劇的に削減します。本記事のポイントをまとめると：",[1553,1554,1555,1560,1565,1571,1577],"ol",{},[57,1556,1557,1559],{},[60,1558,20],{}," は証明書の発行・更新・管理を完全に自動化",[57,1561,1562,1564],{},[60,1563,99],{}," との連携で無料の TLS 証明書を自動取得",[57,1566,1567,1570],{},[60,1568,1569],{},"HTTP-01 \u002F DNS-01"," チャレンジの選択で様々な環境に対応",[57,1572,1573,1576],{},[60,1574,1575],{},"Ingress アノテーション"," で既存のワークロードに最小限の変更で導入",[57,1578,1579,1582],{},[60,1580,1581],{},"自動更新"," により証明書期限切れのリスクをゼロに",[11,1584,1585,1588,1589,1592],{},[15,1586,26],{"href":24,"rel":1587},[19]," は K3s ベースで CNCF エコシステムとの高い親和性を持ち、cert-manager の導入により安全なサービス公開を簡単に実現できます。Kubernetes 環境のセキュリティ強化に取り組む方は、ぜひ ",[15,1590,26],{"href":24,"rel":1591},[19]," をご検討ください。",[11,1594,1595,1596,1599,1600,1605],{},"AI を活用した Kubernetes 運用の自動化については、",[15,1597,131],{"href":129,"rel":1598},[19]," の詳細をご確認ください。導入のご相談は",[15,1601,1604],{"href":1602,"rel":1603},"https:\u002F\u002Fwww.hexabase.com\u002Fcontact-us\u002F",[19],"お問い合わせ","からお気軽にどうぞ。",[1607,1608,1609],"style",{},"html pre.shiki code .sbD-w, html code.shiki .sbD-w{--shiki-default:#51597D;--shiki-default-font-style:italic}html pre.shiki code .sE3pS, html code.shiki .sE3pS{--shiki-default:#C0CAF5}html pre.shiki code .sPY7s, html code.shiki .sPY7s{--shiki-default:#9ECE6A}html pre.shiki code .sAklC, html code.shiki .sAklC{--shiki-default:#89DDFF}html pre.shiki code .sT800, html code.shiki .sT800{--shiki-default:#E0AF68}html pre.shiki code .sOJ5S, html code.shiki .sOJ5S{--shiki-default:#FF9E64}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .s0U2E, html code.shiki .s0U2E{--shiki-default:#F7768E}html pre.shiki code .sgJMe, html code.shiki .sgJMe{--shiki-default:#9ABDF5}",{"title":146,"searchDepth":161,"depth":161,"links":1611},[1612,1616,1621,1625,1630,1635],{"id":31,"depth":161,"text":32,"children":1613},[1614,1615],{"id":49,"depth":181,"text":49},{"id":84,"depth":181,"text":85},{"id":135,"depth":161,"text":135,"children":1617},[1618,1619,1620],{"id":138,"depth":181,"text":139},{"id":265,"depth":181,"text":265},{"id":319,"depth":181,"text":320},{"id":585,"depth":161,"text":586,"children":1622},[1623,1624],{"id":602,"depth":181,"text":603},{"id":664,"depth":181,"text":665},{"id":790,"depth":161,"text":791,"children":1626},[1627,1628,1629],{"id":803,"depth":181,"text":803},{"id":1017,"depth":181,"text":1018},{"id":1157,"depth":181,"text":1157},{"id":1301,"depth":161,"text":1301,"children":1631},[1632,1633,1634],{"id":1304,"depth":181,"text":1304},{"id":1441,"depth":181,"text":1441},{"id":1522,"depth":181,"text":1522},{"id":1548,"depth":161,"text":1548},"2026-05-27","cert-manager を使って Kubernetes 環境の TLS 証明書を自動発行・自動更新する方法を解説。Let's Encrypt、ACME チャレンジ、Ingress 連携まで。","md","ja",{},"\u002Fblog\u002Fja\u002Fcert-manager-automatic-tls",{"title":5,"description":1637},"blog\u002Fja\u002Fcert-manager-automatic-tls",[20,1645,1646,99,1647,1648,1649,1650],"Kubernetes","TLS","ACME","CNCF","セキュリティ","証明書","RLTY1zwu5EPalnvKO1lDFHaOQP1ubSN4l-NAVhwbojg",1780391429769]