jjustas

Reputation: 51

cert-manager DNS01 Challenge fails - found no zone for wildcard domain

I'm getting this error in wildcard certificate challenge:

Error presenting challenge: Found no Zones for domain _acme-challenge.my-domain.com. (neither in the sub-domain noir in the SLD) please make sure your domain-entries in the config are correct and the API is correctly setup with Zone.read rights.

I'm using Cloudflare as the DNS01 Challenge Provider and have set up the API token with the permissions described in the cert-manager documentation.

My cluster issuer looks like this:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: test-issuer
spec:
  acme:
    email: <email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: test-issuer-private-key
    solvers:
    - dns01:
        cloudflare:
          email: <email>
          apiTokenSecretRef:
            name: issuer-access-token
            key: api-token

And my certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-wildcard
spec:
  secretName: test-wildcard-tls
  issuerRef:
    name: test-issuer
    kind: ClusterIssuer
  dnsNames:
  - "*.my-domain.com"

I have a CNAME record named '*' that points to my domain and an A record that points to my Kubernetes cluster IP.

Am I missing something? How do you correctly set up cert-manager to automatically manage a wildcard domain with Cloudflare as the DNS01 Challenge Provider?

Upvotes: 3

Views: 5982

Answers (1)

9numbernine9

Reputation: 73

I've run into this issue as well, and I realized that I made two different errors in my configuration.


#1: I had overlooked that the API Token that you generate must have all of the following permissions and zone resources associated with it:

  • Permissions
    • Zone.Zone.Read
    • Zone.Zone.Edit
  • Zone Resources
    • Include.All zones

This is in the docs but clearly I wasn't reading correctly.


#2: I wasn't able to make it work with the dnsNames attribute in the Certificate resource, but rather needed to use dnsZones instead. In your example, try changing from:

  dnsNames:
  - "*.my-domain.com"

to:

  dnsZones:
  - "my-domain.com"

According to the docs (emphasis mine):

Note: dnsNames take an exact match and do not resolve wildcards, meaning the following Issuer will not solve for DNS names such as foo.example.com. Use the dnsZones selector type to match all subdomains within a zone.

This should generate a certificate with a CN of *.my-domain.com and with both *.my-domain.com and my-domain.com in the subjectAltName field.

Upvotes: 4
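The docs note quoted in the answer refers to an Issuer: dnsZones is a solver selector on the issuer side, which picks the solver for every DNS name inside the zone, wildcard and apex included. The following is an added example (not the question's, the answer's, or cert-manager's own manifests) that places the selector on the ClusterIssuer and keeps the wildcard in the Certificate's dnsNames. It reuses the names from the question (test-issuer, issuer-access-token, api-token, my-domain.com); the secret value is a placeholder, and the comment about token scope restates the permissions listed in the answer.

```yaml
# Constructed example manifests for the setup discussed above.
---
apiVersion: v1
kind: Secret
metadata:
  name: issuer-access-token
  namespace: cert-manager        # ClusterIssuers read secrets from cert-manager's own namespace
type: Opaque
stringData:
  api-token: "<cloudflare-api-token>"   # placeholder; scope it to the zone only, never a global key
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: test-issuer
spec:
  acme:
    email: <email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: test-issuer-private-key
    solvers:
    - selector:
        # Solver selector from the docs note: matches all names within the zone,
        # so both "*.my-domain.com" and "my-domain.com" are routed to this solver.
        dnsZones:
        - "my-domain.com"
      dns01:
        cloudflare:
          # The token must carry the permissions and "Include All zones" resource
          # listed in the answer; a token whose Zone Resources do not include
          # my-domain.com produces the "Found no Zones for domain
          # _acme-challenge.my-domain.com" error from the question.
          apiTokenSecretRef:
            name: issuer-access-token
            key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-wildcard
spec:
  secretName: test-wildcard-tls
  issuerRef:
    name: test-issuer
    kind: ClusterIssuer
  # Wildcard plus apex, so the issued certificate lists both in subjectAltName
  # as the answer describes; the dnsZones selector above covers both.
  dnsNames:
  - "*.my-domain.com"
  - "my-domain.com"
```

After applying the manifests, `kubectl describe challenge` shows the Cloudflare solver being selected for the `_acme-challenge.my-domain.com` TXT record; a remaining "Found no Zones" event points at the token's zone scope rather than at the selector.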
