Add TLS certificates for a new hostname

Every hostname served by an instance of the Rubin Science Platform must have its own TLS certificate, generated by cert-manager, unless that environment is configured to use external certificates. When adding a new hostname to an existing environment, one must therefore repeat part of the instructions in cert-manager. Here are those abbreviated instructions.

These instructions are specific to environments that use Route 53.

The hostname must be in the same domain that is already used as the primary hostname of the environment. See Setting up Route 53 for cert-manager and cert-manager for the details of that setup.


In the following, <hostname> is the new hostname that needs a TLS certificate. <domain> is the domain shared by that hostname and the primary fully-qualified domain name for that cluster. For example, when adding, the hostname is alert-stream-int-broker-0 and the domain name is

  1. Go to the Route 53 UI for the domain used by this RSP environment. In the above example, that would be

  2. Create a CNAME named _acme-challenge.<hostname> whose value is _acme-challenge.tls.<domain>. Do this by adding a new record, selecting CNAME from the lower drop-down menu, and then selecting IP address or other value from the top drop-down menu. Then, enter _acme-challenge.tls.<domain> as the CNAME target.

This should be all that’s required to allow cert-manager to create certificates for that hostname. You will then need to configure the tls portion of the relevant Ingress or GafaelfawrIngress object. For more information on how to do that, see cert-manager.