INT 21h

Hi, I am Vladimir Smagin, SysAdmin and

Kaptain. Telegram Email / GIT / Thingiverse / RSS / GPG

cert-manager can’t resolve new domain to perform HTTP01 challenge

№ 10443 В разделе "Sysadmin" от December 14th, 2019,
В подшивках: cert-manager, Helm, Kubernetes

In ingress resource you created new domain to perform HTTP01 challenge and obtain new LE certificate but something goes wrong in log file:

E1214 14:35:06.644315 1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://test.k8s.blindage.org/.well-known/acme-challenge/nmxxZh0K7iXuOnqGRm52PqymHj8YFVpN2MryLfRdVoU': Get http://test.k8s.blindage.org/.well-known/acme-challenge/nmxxZh0K7iXuOnqGRm52PqymHj8YFVpN2MryLfRdVoU: dial tcp: lookup test.k8s.blindage.org on 10.245.0.10:53: no such host" "dnsName"="test.k8s.blindage.org" "resource_kind"="Challenge" "resource_name"="tls-test-k8s-blindage-org-749846670-0" "resource_namespace"="testing" "type"="http-01"

… and this error repeats multiple times without any progress. Its managed Kubernetes in DigitalOcean.

To solve this problem just uncomment these lines in Helm chart of cert-manager to provide your own nameservers:

podDnsPolicy: "None"
podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "8.8.8.8"

Voila! You got new certificate.

Нет комментариев »

Helm: generate certs for all hosts in ingress.tls

№ 10106 В разделе "Sysadmin" от July 1st, 2019,
В подшивках: cert-manager, Helm, Kubernetes

{{- if .Values.ingress.tls }}
  {{- range .Values.ingress.tls }}
      {{- $secretName := .secretName -}}
      {{- range .hosts }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: {{ $fullName }}
spec:
  acme:
    config:
    - dns01:
        provider: route53
      domains:
      - {{ . }}
  commonName: ""
  dnsNames:
  - {{ . }}
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt
  secretName: {{ $secretName }}
    {{- end }}
  {{- end }}
{{- end }}

Нет комментариев »

Перейти наверх