Describe the bug
cert-manager does not create the _acme-challenge.[*] record for the ACME challenge at simply.com when using the simply.com implementation of the dns-01 webhook.
Expected behavior
The _well-known record is created based on the challenge received.
Additional context
I have a Kubernetes cluster (K3S) that I have installed by using the quickstart guide and then installed cert-manager by using Helm.
I want to use your webhook, since my DNS provider is Simply.com, but unfortunately I ran into a few problems:
First off: if I install simply-dns-webhook by calling:
helm install simply-dns-webhook simply-dns-webhook/simply-dns-webhook --version 1.5.4
then I run into a permission error when I try to issue a certificate using a ClusterIssuer.
It appears the role that reads the secrets from the cert-manager namespace is stored in the default namespace and is therefore not allowed to read secrets from the cert-manager namespace.
This is easily mitigated by adding -n cert-manager to the helm install ... command. :-)
Which leads me to my real issue.
I want to use the simply.com webhook to get certificates issued by Let's Encrypt.
Therefore I have created letsencrypt-staging.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          groupName: com.github.runnerm.cert-manager-simply-webhook
          solverName: simply-dns-solver
          config:
            secretName: simply-credentials
      selector:
        dnsZones:
        - 'cluster.example.com'
        - '*.cluster.example.com'
To generate my test certificate I have a file called test-certificate.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-certificate
spec:
  dnsNames:
  - test.cluster.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: test-certificate-tls
I should then be able to get a certificate by first creating the ClusterIssuer with kubectl apply -f letsencrypt-staging.yaml and then requesting a certificate with kubectl apply -f test-certificate.yaml.
Unfortunately this does not happen, because the output from kubectl get certs reveals the following result:
NAME READY SECRET AGE
test-certificate False test-certificate-tls 52m
Screenshots/Logs
Output from kubectl events gives:
LAST SEEN TYPE REASON OBJECT MESSAGE
53m Normal Issuing Certificate/test-certificate Issuing certificate as Secret does not exist
53m Normal Generated Certificate/test-certificate Stored new private key in temporary Secret resource "test-certificate-vjnhx"
53m Normal Requested Certificate/test-certificate Created new CertificateRequest resource "test-certificate-1"
53m Normal WaitingForApproval CertificateRequest/test-certificate-1 Not signing CertificateRequest until it is Approved
53m Normal WaitingForApproval CertificateRequest/test-certificate-1 Not signing CertificateRequest until it is Approved
53m Normal WaitingForApproval CertificateRequest/test-certificate-1 Not signing CertificateRequest until it is Approved
53m Normal WaitingForApproval CertificateRequest/test-certificate-1 Not signing CertificateRequest until it is Approved
53m Normal WaitingForApproval CertificateRequest/test-certificate-1 Not signing CertificateRequest until it is Approved
53m Normal cert-manager.io CertificateRequest/test-certificate-1 Certificate request has been approved by cert-manager.io
53m Normal OrderCreated CertificateRequest/test-certificate-1 Created Order resource default/test-certificate-1-1965387138
53m Normal OrderPending CertificateRequest/test-certificate-1 Waiting on certificate issuance from order default/test-certificate-1-1965387138: ""
53m Normal Created Order/test-certificate-1-1965387138 Created Challenge resource "test-certificate-1-1965387138-1295925723" for domain "test.cluster.example.com"
53m Normal Started Challenge/test-certificate-1-1965387138-1295925723 Challenge scheduled for processing
53m Normal Presented Challenge/test-certificate-1-1965387138-1295925723 Presented challenge using DNS-01 challenge mechanism
Output from kubectl describe challenge test-certificate-1-1965387138-1295925723 reveals, amongst others, the following lines:
Status:
Presented: true
Processing: true
Reason: Waiting for DNS-01 challenge propagation: DNS record for "test.cluster.example.com" not yet propagated
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 59m cert-manager-challenges Challenge scheduled for processing
Normal Presented 59m cert-manager-challenges Presented challenge using DNS-01 challenge mechanism
And when I log in to the Simply.com website, I cannot see any records containing the word _acme-challenge, which is used by the ACME protocol.
I can see in your code that you hand off communication with Simply.com to simply-com-client, but I cannot see any debug information about whether or not the client is getting called, or if there is an authentication error between the client and Simply.com.
Where can I look to debug further?
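A useful first check when a Challenge sits in "Presented: true" but "not yet propagated" is to work out exactly which TXT record the ACME server will look for and compare it with what the DNS provider actually serves. The following is an added example, not code from the issue author or from the simply-dns-webhook project: it derives the DNS-01 record name (wildcard names are validated on their base name) and the record value from RFC 8555 (base64url of SHA-256 over the key authorization "token.thumbprint"). The token and account-key thumbprint used here are constructed sample values; in a real cluster the token comes from the Challenge resource and the thumbprint from the ACME account key that cert-manager stores in the privateKeySecretRef secret.

```python
import base64
import hashlib
import re

# Constructed sample inputs (not real ACME values).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def challenge_record_name(dns_name: str) -> str:
    """FQDN of the TXT record queried during DNS-01 validation.

    A wildcard identifier such as '*.cluster.example.com' is validated on
    the base name, so it shares the record with 'cluster.example.com'.
    """
    name = dns_name.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}"


def challenge_record_value(token: str, account_thumbprint: str) -> str:
    """TXT value the ACME server expects: base64url(SHA-256(token.thumbprint)),
    without '=' padding, which always yields 43 characters."""
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def expected_record(dns_name: str, token: str, account_thumbprint: str) -> dict:
    """The record a DNS-01 solver (webhook) must publish for this challenge."""
    return {
        "name": challenge_record_name(dns_name),
        "type": "TXT",
        "value": challenge_record_value(token, account_thumbprint),
    }


def is_valid_record_value(value: str) -> bool:
    """Sanity check on a published TXT value: unpadded base64url, 43 chars."""
    return re.fullmatch(r"[A-Za-z0-9_-]{43}", value) is not None


def record_is_published(expected_value: str, published_values: list) -> bool:
    """True if the expected value is among the TXT strings the nameserver
    returns for the challenge name (e.g. collected with dig or nslookup).
    Providers may wrap values in quotes, so strip them before comparing."""
    return any(v.strip('"') == expected_value for v in published_values)


if __name__ == "__main__":
    for name in ("test.cluster.example.com", "*.cluster.example.com"):
        rec = expected_record(name, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
        print(f"{rec['name']} {rec['type']} {rec['value']}")
```

Query the printed name with dig (TXT, against the provider's authoritative nameserver rather than a caching resolver) and feed the answers to record_is_published; if the name does not exist at all, the solver never reached the provider (or failed authenticating), whereas a present but mismatching value points at the wrong token or account key being used.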