Reputation: 670
I run a Kubernetes cluster with cert-manager installed for managing ACME (Let's Encrypt) certificates. I'm using DNS domain validation with Route 53 and it all works fine.
The problem comes when I try to issue a certificate for a cluster-internal domain. In this case domain validation does not pass, since the validation challenge is presented on the external Route 53 zone only, while cert-manager tries to look up the domain name via the cluster-internal DNS.
Any hints on how this can be solved are welcome.
Upvotes: 1
Views: 1921
Reputation: 546
Assuming that you don't control public DNS for your cluster-internal domain, you will not be able to receive Let's Encrypt certificates for it.
You may however set up another issuer that will grant you certificates for this domain, e.g. the SelfSigned issuer: https://cert-manager.io/docs/configuration/selfsigned/
Then set the issuerRef of your certificate object to point to your SelfSigned issuer:

(...)
issuerRef:
  name: selfsigned-issuer
  kind: ClusterIssuer
  group: cert-manager.io
Upvotes: 1
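
The setup described in the answer above, written out as a complete manifest. This is an added example, not part of the original answer: the Certificate name, namespace, Secret name and DNS names are hypothetical, and only the issuerRef values come from the answer.

```yaml
# Added example. Everything marked "hypothetical" is an assumption.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer        # name used in the answer's issuerRef
spec:
  selfSigned: {}                 # certificates are signed with their own private key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-svc-tls         # hypothetical
  namespace: default             # hypothetical
spec:
  secretName: internal-svc-tls   # hypothetical; Secret receiving tls.crt and tls.key
  # A non-empty subject avoids a certificate with an empty issuer DN,
  # which some TLS clients reject.
  commonName: my-service.default.svc.cluster.local   # hypothetical internal name
  dnsNames:
    - my-service.default.svc.cluster.local           # hypothetical
    - my-service.default.svc                         # hypothetical
  privateKey:
    algorithm: ECDSA
    size: 256
  duration: 2160h                # 90 days
  renewBefore: 360h              # renew 15 days before expiry
  usages:
    - server auth
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
# No ACME challenge is involved, so no public DNS lookup is needed.
# A self-signed certificate has no CA chain: clients can only verify it if
# the certificate itself has been distributed to them as a trust anchor.
```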