aellwein / cert-manager-webhook-netcup

cert-manager webhook implementation for use with Netcup provider

License: Apache License 2.0

Dockerfile 5.36% Go 69.06% Makefile 1.45% Mustache 21.81% Shell 2.32%
cert-manager-webhook netcup

cert-manager-webhook-netcup's People

Contributors

aellwein, derknerd, diaphteiros, jakexks, jetstack-bot, lukma99, mattiasgees, mik4sa, mrueg, munnerz, roytev, sgtcodfish

Forkers

hrtmann, mrueg

cert-manager-webhook-netcup's Issues

Error presenting Challenge: Unable to login to netcup API

Hi there!

First of all: thanks Alex for such a great component, it has been very helpful for me :-)

I have been using this webhook for the last year (every single version of it) along with cert-manager 1.9.1 at different cloud providers (managed and self-managed), and it has always worked perfectly.

Sadly, since the last release (1.0.16), newly provisioned clusters (at every provider) are getting an error when presenting the DNS challenge to Netcup; more precisely, describing the Challenge object outputs:

Error presenting challenge: unable to login to netcup API: Post "https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON": tls: failed to verify certificate: x509: certificate signed by unknown authority

What I've tried without success:

  • Upgrading cert-manager to every version up to 1.12.2
  • Rotating Netcup API password

What I've tried with success:

  • Downgrading cert-manager-webhook-netcup to 1.0.15

So, it looks like everything points at this new release.

Please tell me if I can support you with further testing of this issue.

Again, thanks a lot for your precious time!

ClusterIssuer rbac problem

I created the following ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: netcup-issuer
  namespace: certmanager-system
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: netcup-le-secret
    solvers:
    - dns01:
        webhook:
          groupName: com.netcup.webhook
          solverName: netcup
          config:
            secretRef: netcup-secret
            secretNamespace: certmanager-system

But when requesting a certificate I get the following error:

cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="netcup.com.netcup.webhook is forbidden: User \"system:serviceaccount:certmanager-system:certmanager-cert-manager\" cannot create resource \"netcup\" in API group \"com.netcup.webhook\" at the cluster scope" "key"="longhorn-system/cm-storage-tls-jn5t9-848227378-862895558"

I installed with the following commands:

helm repo add cert-manager-webhook-netcup https://aellwein.github.io/cert-manager-webhook-netcup/charts/
helm install cert-manager-webhook-netcup cert-manager-webhook-netcup/cert-manager-webhook-netcup --namespace certmanager-system

The name from the install command differs from the example in the readme.

How to request wildcards for subdomains

I own a domain example.com.

In an Ingress I'd like to run the DNS01 challenge for a host *.app.example.com.
When I do this, the netcup webhook isn't able to find the resource app.example.com since I only have example.com.

Is there a specific workflow for this?

unable to parse host/domain out of resolved FQDN

Trying to get a certificate based on my netcup domain. Unfortunately it fails, as found in the cert-manager pod log:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kube-mydomain-net-cert
  namespace: cert-manager
spec:
  commonName: 'kube.mydomain.net'
  secretName: kube-mydomain-net-cert
  dnsNames:
    - 'kube.mydomain.net'
    - '*.kube.mydomain.net'
  issuerRef:
    name: letsencrypt-staging-netcup
    kind: ClusterIssuer

But it will not fulfill the certificate request. I know I have to wait about 10 min for propagation, but it's still pending after a day.

I0524 18:35:21.307621 1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="kube.mydomain.net" "domain"="kube.mydomain.net" "resource_kind"="Challenge" "resource_name"="kube-mydomain-net-cert-g47p8-752194941-2691253898" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01" E0524 18:35:21.432257 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="unable to parse host/domain out of resolved FQDN ('_acme-challenge.kube.mydomain.net.')" "key"="cert-manager/kube-mydomain-net-cert-g47p8-752194941-2691253898"

A query with dig provides the SOA entry, which defines which domain is authoritative:

dig @root-dns.netcup.net _acme-challenge.pvekube.tdressler.net. soa txt
;; Warning, extra type option

; <<>> DiG 9.16.1-Ubuntu <<>> @root-dns.netcup.net _acme-challenge.kube.mydomain.net. soa txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22304
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2585cb374e444deff7dc9acf628d289675d83ae79e8368ec (good)
;; QUESTION SECTION:
;_acme-challenge.kube.mydomain.net. IN TXT

;; AUTHORITY SECTION:
mydomain.net. 86400 IN SOA root-dns.netcup.net. dnsadmin.netcup.net. 2022052356 28800 7200 1209600 86400

Subdomain kube doesn't exist, but other providers (like hetzner) are still creating an "_acme-challenge.kube" TXT record in mydomain.

Looking into the webhook code, the mentioned dnsName '_acme-challenge.kube.mydomain.net.' matches the regexp which triggers this message (checked using a regexp tester).
Maybe this line below is the problem?
if match != nil {
should be
if match == nil {
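Added example, not the webhook's own code: a Go function that performs the step this issue and the wildcard-subdomain issue above both hinge on, splitting a resolved challenge name into the TXT record host and the zone it has to be created in. It assumes the zones the account controls are passed in as a list (standing in for the SOA lookup shown above); the sample names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoZone is returned when none of the known zones is a suffix of the name.
var ErrNoZone = errors.New("no known zone is authoritative for this name")

// SplitChallengeFQDN splits a resolved DNS-01 challenge name such as
// "_acme-challenge.kube.mydomain.net." into the record host
// ("_acme-challenge.kube") and the zone the TXT record belongs in
// ("mydomain.net"). knownZones are the zones the DNS account controls, the
// same information the SOA lookup in the issue provides. The longest matching
// zone wins, so an account owning both "app.example.com" and "example.com"
// gets the former for "_acme-challenge.app.example.com.".
func SplitChallengeFQDN(fqdn string, knownZones []string) (host, zone string, err error) {
	name := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	labels := strings.Split(name, ".")

	zones := make(map[string]bool, len(knownZones))
	for _, z := range knownZones {
		zones[strings.TrimSuffix(strings.ToLower(z), ".")] = true
	}

	// Walk from the most specific candidate zone towards the apex; the first
	// hit is the longest known zone that is a suffix of the name.
	for i := 1; i < len(labels); i++ {
		candidate := strings.Join(labels[i:], ".")
		if zones[candidate] {
			return strings.Join(labels[:i], "."), candidate, nil
		}
	}
	return "", "", fmt.Errorf("%w: %q", ErrNoZone, fqdn)
}

func main() {
	// Constructed sample inputs; the zone list stands in for an SOA lookup.
	owned := []string{"mydomain.net.", "example.com"}
	for _, n := range []string{
		"_acme-challenge.kube.mydomain.net.", // name from the issue above
		"_acme-challenge.app.example.com.",   // challenge for *.app.example.com
		"_acme-challenge.other.org.",         // zone not controlled by the account
	} {
		host, zone, err := SplitChallengeFQDN(n, owned)
		fmt.Printf("%-36s host=%q zone=%q err=%v\n", n, host, zone, err)
	}
}
```

For a wildcard such as *.app.example.com the ACME challenge name is _acme-challenge.app.example.com, so with only example.com as a known zone the record host becomes _acme-challenge.app rather than requiring an app.example.com zone.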

"helm install" of the helm chart leads to certificate error

Hi and thank you for your work on this helm-chart. That's exactly what I need. When I execute
"helm install my-cert-manager-webhook-netcup cert-manager-webhook-netcup/cert-manager-webhook-netcup --namespace cert-manager",

I get the error message "* Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-06-03T05:12:52Z is after 2024-06-01T09:43:35Z"

What can be done to fix this?

Thank you very much!

Best regards,
Hendrik
