Cert-manager: Wildcard certificate does not work with http01 challenges
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
I can issue staging certificates for my domain with http01 challenges just fine, but once I try to issue a wildcard one it fails with resource validation.
What you expected to happen:
Wildcard certificates would work with http01 challenges, as the documentation does not mention any particular restriction about such scenario. If this is not a supported thing with http01 challenges perhaps it could be more explicit? Am I doing something wrong here?
How to reproduce it (as minimally and precisely as possible):
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: <e-mail-address>
http01: {}
privateKeySecretRef:
name: letsencrypt-staging
server: https://acme-staging-v02.api.letsencrypt.org/directory
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: internal.foo.bar
namespace: default
spec:
secretName: internal.foo.bar
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
commonName: internal.foo.bar
dnsNames:
- internal.foo.bar
acme:
config:
- http01:
ingressClass: nginx
domains:
- internal.foo.bar
This results in a certificate being correctly issued:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal DomainVerified 14m cert-manager Domain "internal.foo.bar" verified with "http-01" validation
Normal IssueCert 14m cert-manager Issuing certificate...
Normal CertObtained 14m cert-manager Obtained certificate from ACME server
Normal CertIssued 14m cert-manager Certificate issued successfully
But once I edit domains and dnsNames to "*.internal.foo.bar" with double quotes I get this (and nothing else shows up in the cert-manager deployment logs:
Conditions:
Last Transition Time: 2018-07-24T12:18:11Z
Message: Resource validation failed: spec.acme.config: Required value: no ACME solver configuration specified for domain "internal.foo.bar"
Reason: ConfigError
Status: False
Type: Ready
Environment:
- Kubernetes version (use
kubectl version):
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-18T11:37:06Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9+", GitVersion:"v1.9.7-gke.3", GitCommit:"9b5b719c5f295c99de68ffb5b63101b0e0175376", GitTreeState:"clean", BuildDate:"2018-05-31T18:32:23Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}
- Cloud provider or hardware configuration**: GCP but I am not using their DNS stuff
caiobegotti
All 4 comments
See https://community.letsencrypt.org/t/wildcard-certificates-via-http-01/51223/17
Lets Encrypt isn't going to support wildcard domains with HTTP-01 challenges. We should probably make this more clear with documentation + better validation messages
kragniz
on 24 Jul 2018
FWIW, the validation message is correct. Based on But once I edit domains and dnsNames to "*.internal.foo.bar" with double quotes I get this (and nothing else shows up in the cert-manager deployment logs: - it sounds like you left the commonName set to internal.foo.bar.
If you were to fix this, I think you would see a more useful error message 馃槃
munnerz
on 24 Jul 2018
(but I do agree, we should be more explicit in our documentation about wildcard certs from ACME servers!)
munnerz
on 24 Jul 2018
Thanks guys, it makes sense now given http01 limitation for Let's Encrypt :-)
caiobegotti
on 25 Jul 2018
Related issues
apetheriotis
路
3Comments
munjal-patel
路
3Comments
jonathan-kosgei
路
4Comments
matthew-muscat
路
4Comments
jakubknejzlik
路
3Comments
Most helpful comment
See https://community.letsencrypt.org/t/wildcard-certificates-via-http-01/51223/17
Lets Encrypt isn't going to support wildcard domains with HTTP-01 challenges. We should probably make this more clear with documentation + better validation messages