waldner / cert-manager-webhook-he


`cert-manager` webhook to use HE DNS as ACME DNS01 solver

License: GNU General Public License v3.0

Dockerfile 1.36% Makefile 4.57% Mustache 12.07% Go 82.00%
cert-manager cert-manager-webhook hurricane-electric kubernetes webhook

cert-manager-webhook-he's People

Contributors

evsio0n, waldner

cert-manager-webhook-he's Issues

Webhook changes TXT record to UNUSED before Certificate is issued

I am trying to request a Let's Encrypt certificate from the prod servers and it fails because the webhook changes the TXT record to 'UNUSED' before the Certificate challenge passes. Here is the output from the webhook-he pod (identifying data has been scrubbed):

I0304 13:27:09.960605       1 utils.go:180] "AddTxtRecordWithDynamicDns" rn="_acme-challenge.test01" domain="example.com" key="71E_----REDACTED-----7g"
I0304 13:27:10.774033       1 utils.go:213] "Successfully added record"
I0304 13:27:10.774493       1 trace.go:219] Trace[285684238]: "Create" accept:application/json, */*,audit-id:fcd43d9d-20c5-4aa9-860c-83c4145c6f9e,client:172.30.68.48,protocol:HTTP/2.0,resource:he,scope:resource,url:/apis/acme.example.com/v1alpha1/he,user-agent:cert-manager-challenges/v1.14.2 (linux/amd64) cert-manager/306e329365989f205185024a86de9b9d4bad10a5,verb:POST (04-Mar-2024 13:27:09.957) (total time: 817ms):
Trace[285684238]: ---"Write to database call succeeded" len:434 816ms (13:27:10.774)
Trace[285684238]: [817.174916ms] [817.174916ms] END
I0304 13:28:12.496592       1 utils.go:222] "RemoveTxtRecordWithDynamicDns" rn="_acme-challenge.test01" domain="example.com" key="71E_----REDACTED-----7g"
I0304 13:28:13.221864       1 utils.go:259] "Successfully deleted record"
I0304 13:28:13.222142       1 trace.go:219] Trace[1487491422]: "Create" accept:application/json, */*,audit-id:b07e9962-8574-4432-8504-b669635db4fe,client:172.30.68.48,protocol:HTTP/2.0,resource:he,scope:resource,url:/apis/acme.example.com/v1alpha1/he,user-agent:cert-manager-challenges/v1.14.2 (linux/amd64) cert-manager/306e329365989f205185024a86de9b9d4bad10a5,verb:POST (04-Mar-2024 13:28:12.493) (total time: 728ms):
Trace[1487491422]: ---"Write to database call succeeded" len:434 728ms (13:28:13.221)
Trace[1487491422]: [728.643916ms] [728.643916ms] END

And here is what the cert-manager pod says:

E0304 13:28:12.475221       1 sync.go:379] "error waiting for authorization" err="acme: authorization error for test01.example.com: 403 urn:ietf:params:acme:error:unauthorized: Incorrect TXT record \"UNUSED\" found at _acme-challenge.test01.example.com" logger="cert-manager.challenges.acceptChallenge" resource_name="keycloak-test01-example-com-1-1539588171-1287627194" resource_namespace="keycloak" resource_kind="Challenge" resource_version="v1" dnsName="test01.example.com" type="DNS-01"
I0304 13:28:12.697902       1 conditions.go:192] Found status change for Certificate "keycloak-test01-example-com" condition "Issuing": "True" -> "False"; setting lastTransitionTime to 2024-03-04 13:28:12.697886206 +0000 UTC m=+266562.997776826

Webhook fails with following errors

The issuing of the certificate is blocked with this error on the ACME order:
Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge

I get this in the pod logs:
W0219 11:31:20.631873 1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1beta3.FlowSchema: the server could not find the requested resource
E0219 11:31:20.631917 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1beta3.FlowSchema: failed to list *v1beta3.FlowSchema: the server could not find the requested resource
W0219 11:31:43.586609 1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource
E0219 11:31:43.586918 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1beta3.PriorityLevelConfiguration: failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource

TXT record fails to update with badauth but password is correct

Hello, it's me again. :)

I'm trying to deploy the webhook to more clusters with ArgoCD and while the deploy worked fine, the TXT update function is failing with badauth even though the secret for dyndns is correct.

This is the output from the pod:

I0328 14:58:21.120481       1 utils.go:180] "AddTxtRecordWithDynamicDns" rn="_acme-challenge.test02" domain="company.com" key="REDACTED"
E0328 14:58:21.843650       1 main.go:105] "Error during Present" err="submission failed, response body is 'badauth'"
I0328 14:58:21.844096       1 trace.go:219] Trace[1717055975]: "Create" accept:application/json, */*,audit-id:90f96921-ccca-4407-bf3c-6d38a6b179a0,client:172.X.X.X,protocol:HTTP/2.0,resource:he,scope:resource,url:/apis/acme.xdb.me/v1alpha1/he,user-agent:cert-manager-challenges/v1.14.2 (linux/amd64) cert-manager/306e329365989f2051xxxx86de9b9d4bad10a5,verb:POST (28-Mar-2024 14:58:21.120) (total time: 723ms):
Trace[1717055975]: ---"Write to database call succeeded" len:434 723ms (14:58:21.843)
Trace[1717055975]: [723.755418ms] [723.755418ms] END

I've tested out the secret with:

curl "https://dyn.dns.he.net/nic/update?hostname=_acme-challenge.test02.company.com&password=$(kubectl get secret he-credentials -n cert-manager -o yaml | yq .data.apiKey | base64 -d)&txt=test99"
Output: good

And I can see the TXT record updated after the curl command.

Here is the values file used to install the webhook:

groupName: acme.xdb.me
certManager:
  namespace: cert-manager
  serviceAccountName: cert-manager
image:
  repository: ghcr.io/waldner/cert-manager-webhook-he
  tag: 0.0.2
  pullPolicy: IfNotPresent
nameOverride: ""
fullnameOverride: ""
service:
  type: ClusterIP
  port: 443
resources: {}

nodeSelector: {}
tolerations: []
affinity: {}
auth:
  useSecrets: true
  # override these if `useSecrets` is false
  heUsername: ""
  hePassword: ""
  heApiKey: ""
rbac:
  # This controls which namespaces the webhook will be able to read
  # secrets from. BEWARE: AN EMPTY ARRAY MEANS THAT A ClusterRole WILL BE CREATED.
  secretNamespaces: [cert-manager]
  secretNames:
    - he-credentials
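The three issues above all come down to the same exchange with HE's dynamic DNS endpoint: the webhook's Present call writes the challenge value, its CleanUp call overwrites it with "UNUSED", and a wrong or mismatched key gets the single word "badauth" back. The following Go program is an added example written for this page, not code from the cert-manager-webhook-he project. It reproduces that exchange against a local stand-in for dyn.dns.he.net so it runs offline. The endpoint path and the hostname/password/txt parameter names are the ones used by the curl command in the last issue; the hostname, key values, the "challenge-token-value" TXT content and the fake server's behaviour are constructed for the example, and sending the parameters as a POST form body (so the key does not land in shell history, proxy logs or URL-logging middleware, unlike the curl above) is an assumption about what the real endpoint accepts.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrBadAuth is returned when the endpoint answers "badauth": the per-record
// key is wrong, or it belongs to a different hostname than the one submitted.
var ErrBadAuth = errors.New("he dyndns: badauth")

// StatusError carries any other non-success status word from the endpoint.
type StatusError struct{ Status string }

func (e *StatusError) Error() string {
	return "he dyndns: submission failed, response body is '" + e.Status + "'"
}

// ParseResponse classifies a dyn.dns.he.net response body. The first word is
// the status; "good" and "nochg" both mean the record now holds the requested
// value (nochg: it already did). Anything else is a failure.
func ParseResponse(body string) (string, error) {
	status := strings.TrimSpace(body)
	code := ""
	if fields := strings.Fields(status); len(fields) > 0 {
		code = fields[0]
	}
	switch code {
	case "good", "nochg":
		return code, nil
	case "badauth":
		return code, ErrBadAuth
	default:
		return code, &StatusError{Status: status}
	}
}

// Client talks to the HE dynamic DNS update endpoint.
type Client struct {
	Endpoint string // normally "https://dyn.dns.he.net/nic/update"
	HTTP     *http.Client
}

// SetTXT sets the TXT value of hostname using that record's dynamic DNS key.
// Assumption (example only): the endpoint accepts the same parameters as a
// POST form body, which keeps the key out of the URL.
func (c *Client) SetTXT(hostname, key, txt string) (string, error) {
	form := url.Values{}
	form.Set("hostname", hostname)
	form.Set("password", key)
	form.Set("txt", txt)
	resp, err := c.HTTP.PostForm(c.Endpoint, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return "", err
	}
	return ParseResponse(string(body))
}

// newFakeHE is a stand-in for dyn.dns.he.net constructed for this example. It
// knows one hostname/key pair, answers "badauth" for anything else, "nochg"
// when the submitted value equals the stored one, and "good" after a change.
func newFakeHE(hostname, key string) *httptest.Server {
	current := ""
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if r.Form.Get("hostname") != hostname || r.Form.Get("password") != key {
			io.WriteString(w, "badauth")
			return
		}
		txt := r.Form.Get("txt")
		if txt == current {
			io.WriteString(w, "nochg")
			return
		}
		current = txt
		io.WriteString(w, "good")
	}))
}

// RunScenario replays the exchanges seen in the issues above against the fake
// endpoint: Present writes the challenge value, a retry is a no-op, a wrong key
// is rejected, and CleanUp overwrites the record with "UNUSED" (which is what
// the first issue reports the webhook doing). It returns each step's status.
func RunScenario() ([]string, error) {
	const host, key = "_acme-challenge.test02.company.com", "correct-key"
	srv := newFakeHE(host, key)
	defer srv.Close()
	c := &Client{Endpoint: srv.URL, HTTP: srv.Client()}

	steps := []struct{ key, txt string }{
		{key, "challenge-token-value"},         // Present
		{key, "challenge-token-value"},         // Present retried: unchanged
		{"wrong-key", "challenge-token-value"}, // wrong secret: badauth
		{key, "UNUSED"},                        // CleanUp
	}
	var statuses []string
	for _, s := range steps {
		status, err := c.SetTXT(host, s.key, s.txt)
		if err != nil && !errors.Is(err, ErrBadAuth) {
			return statuses, err
		}
		statuses = append(statuses, status)
	}
	return statuses, nil
}

func main() {
	statuses, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(strings.Join(statuses, " "))
}
```

Pointing Client.Endpoint at the real URL and SetTXT at a record whose key you hold gives the same "good"/"nochg"/"badauth" words the webhook logs quote, so the parser doubles as a quick way to confirm a secret outside the cluster without putting the key in the URL. Note that a badauth answer says nothing about whether the key is wrong or merely belongs to another record name, so compare the exact hostname the webhook sends (the rn and domain fields in its log line) with the record the key was generated for.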
