issuer (legacy)

Legacy/manual TLS surface

1ctl issuer is legacy/manual documentation. It was not present in the current user-facing 1ctl --help verified for v0.8.3. Current deploy and domain flows should manage TLS through the platform route/domain path. Use this page only for historical cert-manager context or platform debugging.

1ctl issuer manages cert-manager Issuer resources. An Issuer tells cert-manager how to obtain a TLS certificate for your domain: which ACME server to use, which email address to register, and which challenge method to use to prove domain ownership.

Satusky uses Let’s Encrypt ACME with HTTP-01 challenges. When a public route references an Issuer via its cert-manager.io/issuer annotation, cert-manager handles the full certificate lifecycle — issuance and renewal — without any manual steps.

1ctl issuer create → K8s Issuer CRD → cert-manager → ACME HTTP-01 challenge → Let's Encrypt → TLS cert stored as K8s Secret

1ctl deploy --domain <domain> creates an Issuer automatically alongside the Service and public route. Use 1ctl issuer commands only when you need to manage Issuers separately — for example, to rotate the contact email, to switch between staging and production, or to recreate a broken Issuer.

Commands

1ctl issuer create

1ctl issuer create --deployment-id <id> --email <email> [--environment <production|staging>]

Creates a cert-manager Issuer in the deployment’s Kubernetes namespace. Once created, the Issuer is referenced automatically by any public route for that deployment that carries the cert-manager.io/issuer annotation.

Flags

Flag	Short	Default	Description
--deployment-id <id>		required	ID of the deployment to create the Issuer for.
--email <email>		required	Email address registered with Let’s Encrypt. Used for certificate expiry notifications and recovery.
--environment <env>		production	production for trusted certificates; staging for Let’s Encrypt’s test CA. See Staging vs Production below.

Under the hood:

1. POST /v1/cli/issuers
2. A Kubernetes Issuer CRD is created in the deployment’s namespace with the ACME configuration
3. cert-manager detects the new Issuer and registers with Let’s Encrypt using the provided email
4. When a public route references this Issuer, cert-manager triggers an HTTP-01 challenge: it temporarily adds a /.well-known/acme-challenge/ path to the route, Let’s Encrypt fetches it, and on success cert-manager stores the signed certificate as a Kubernetes Secret named {app-label}-letsencrypt-nginx-private-key-tls
5. cert-manager automatically renews the certificate before it expires (typically 30 days before the 90-day Let’s Encrypt expiry)

Examples

# Create a production issuer
1ctl issuer create \
  --deployment-id dep_01abc \
  --email [email protected]

# Create a staging issuer for testing
1ctl issuer create \
  --deployment-id dep_01abc \
  --email [email protected] \
  --environment staging

---

1ctl issuer list

1ctl issuer list

Lists all Issuers in the current organisation with their status. The status reflects what cert-manager has reported: Ready means the Issuer has successfully registered with the ACME server and can issue certificates; any other status indicates a configuration or connectivity problem.

Flags

Flag	Short	Default	Description
--output	-o	table	Output format: table or json.

Examples

1ctl issuer list
1ctl issuer list -o json

---

1ctl issuer delete

1ctl issuer delete -i <issuer-id> [-y]

Deletes an Issuer. Removing an Issuer stops automatic certificate renewal for any public route that references it. The existing TLS Secret is not deleted — traffic will continue to be served over HTTPS until the certificate expires, after which the route will serve an expired certificate or fall back to HTTP depending on gateway configuration.

If you recreate the Issuer before the certificate expires, cert-manager will resume managing it automatically.

Flags

Flag	Short	Default	Description
--issuer-id <id>	-i	required	ID of the Issuer to delete. Use 1ctl issuer list to look up IDs.
--yes	-y	false	Skip the confirmation prompt.

Examples

# Delete with confirmation
1ctl issuer delete -i iss_03jkl

# Delete without prompting
1ctl issuer delete -i iss_03jkl -y

---

Staging vs Production

Let’s Encrypt operates two environments. Choose based on what you are doing:

	Production	Staging
CA	Let’s Encrypt (trusted by browsers)	Let’s Encrypt Staging (not trusted)
Certificate valid for HTTPS	Yes	No — browsers show a security warning
Rate limits	Strict (5 duplicate certs per week)	Relaxed
When to use	Live traffic	Testing certificate issuance without hitting rate limits

Use --environment staging when:

• You are iterating on your route or DNS configuration and may need to recreate the Issuer multiple times
• You want to verify that cert-manager and the ACME challenge work end-to-end before going live

Switch to --environment production (the default) once your configuration is confirmed.

# 1. Test with staging first
1ctl issuer create \
  --deployment-id dep_01abc \
  --email [email protected] \
  --environment staging

# 2. Verify cert-manager reaches Ready status
1ctl issuer list

# 3. Delete the staging issuer and recreate for production
1ctl issuer delete -i iss_staging_id -y
1ctl issuer create \
  --deployment-id dep_01abc \
  --email [email protected] \
  --environment production

---

Certificate storage

The TLS certificate issued for a deployment is stored as a Kubernetes Secret in the same namespace as the Issuer:

{app-label}-letsencrypt-nginx-private-key-tls

cert-manager creates and manages this Secret. Do not delete it manually — if it is missing, cert-manager will re-issue the certificate, which counts against Let’s Encrypt production rate limits.