Is your feature request related to a problem? Please describe.
The problem is I have never used helm before until now. I'm not sure how to set the --dns01-self-check-nameservers "8.8.8.8:53,1.1.1.1:53" properly on the command line.
I'm happy to make a PR on the docs if this is explained a little bit better as to how to set this with helm.
Describe the solution you'd like
Better documentation on how to set the self-check-nameservers properly.
Describe alternatives you've considered
Attempt 1:
helm install \
--name cert-manager \
--version ${CERT_MANAGER_VERSION} \
--namespace=kube-system stable/cert-manager \
--set controller.extraArgs.dns01-self-check-nameservers "8.8.8.8:53,1.1.1.1:53"
Attempt 2:
helm install \
--name cert-manager \
--version ${CERT_MANAGER_VERSION} \
--namespace=kube-system stable/cert-manager \
--set --dns01-self-check-nameservers "8.8.8.8:53,1.1.1.1:53"
Attempt 3:
helm install \
--name cert-manager \
--version ${CERT_MANAGER_VERSION} \
--namespace=kube-system stable/cert-manager \
--dns01-self-check-nameservers "8.8.8.8:53,1.1.1.1:53"
Environment details (if applicable):
cert manager version = v0.5.2
helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
GKE: 1.10.9-gke.5
/kind feature
I'd love to know this as well.
@clintonTalli Ok, I figured out you can only configure the general nameservers used by the Pod if you're installing with helm.
helm install --name cert-manager \
--namespace cert-manager \
--set "podDnsPolicy"="None" \
--set "podDnsConfig.nameservers[1]"="1.1.1.1" \
--set "podDnsConfig.nameservers[2]"="8.8.8.8" \
stable/cert-manager
I also figured out you can use the flag -dns01-self-check-nameservers "1.1.1.1,8.8.8.8" or -dns01-recursive-nameservers "1.1.1.1,8.8.8.8" if you're on the latest beta if you only need to control the servers for specifically the dns01 checks.
I think there might be a bug though where if dns01-self-check-nameservers are specified, the DNS lookup for something like service calls to letsencrypt also goes through that DNS server, making it a bit difficult if you're running something like acme-dns.
I ran into the same issue today, and found this thread, but not the solution. After inspecting the Helm files of cert-manager, I figured out you have to do the following:
helm install \
--name cert-manager \
--namespace cert-manager \
--version v0.7.0 \
--set ingressShim.defaultIssuerKind=ClusterIssuer \
--set ingressShim.defaultIssuerName=letsencrypt-staging-issuer \
--set extraArgs='{--dns01-recursive-nameservers-only,--dns01-self-check-nameservers=8.8.8.8:53\,1.1.1.1:53}' \
jetstack/cert-manager
extraArgs isn't namespaced, and expects an Array.
In Helm an array is --set with {el1,el2,el3}. Shells parse {} too, so they have to be escaped. Helm parses the "," too, so the comma separating the nameservers in the 2nd array element has to be escaped from Helm.
Actually, dns01-recursive-nameservers is recommended and it works by using --dns01-recursive-nameservers=8.8.8.8:53 --dns01-recursive-nameservers=1.1.1.1:53
Btw, both commands should be used like that and not with colons. Else it will print cert-manager "msg"="error validating options" "error"="invalid DNS server (address 8.8.8.8:53,1.1.1.1:53: too many colons in address): 8.8.8.8:53,1.1.1.1:53"
I think you've escaped too much, --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 works for me. I can reproduce your error message when cert-manager gets to see --dns01-recursive-nameservers="8.8.8.8:53,1.1.1.1:53". You'll probably be good when you remove the double quotes. (But splitting it into two arguments seems to work as well.)
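The parsing layers discussed in this thread (Helm's --set list syntax, then the flag value cert-manager sees), traced in an added example that is not part of the original thread and is not Helm's or cert-manager's code. helm_set_list is a simplified model of Helm's list parsing, flag_values assumes CSV-style splitting of the flag value, check_nameserver handles only IPv4/hostname host:port, and the input strings are constructed.

```python
import csv

def helm_set_list(value):
    r"""Simplified model of Helm's --set list syntax: {a,b\,c} -> ['a', 'b,c']."""
    if not (value.startswith("{") and value.endswith("}")):
        raise ValueError("not a Helm list literal")
    items, cur, chars = [], [], iter(value[1:-1])
    for ch in chars:
        if ch == "\\":                 # backslash protects the next character
            cur.append(next(chars, ""))
        elif ch == ",":                # unescaped comma ends a list element
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return items

def flag_values(raw):
    """Assumption: the flag value is split CSV-style, so "a,b" in quotes is one field."""
    return next(csv.reader([raw]))

def check_nameserver(addr):
    """Model of host:port validation; a second colon is rejected as in the quoted error."""
    if addr.count(":") > 1:
        raise ValueError(f"invalid DNS server (too many colons in address): {addr}")
    host, sep, port = addr.partition(":")
    if not (host and sep and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"invalid DNS server (want host:port): {addr}")
    return host, int(port)

def nameservers_from_set(set_value, flag="--dns01-self-check-nameservers"):
    """Follow the part after 'extraArgs=' through list parsing and flag validation."""
    servers = []
    for arg in helm_set_list(set_value):
        name, sep, raw = arg.partition("=")
        if name == flag and sep:
            servers += [check_nameserver(a) for a in flag_values(raw)]
    return servers

# Constructed inputs: what Helm receives once the shell has removed the single quotes.
ESCAPED = r"{--dns01-recursive-nameservers-only,--dns01-self-check-nameservers=8.8.8.8:53\,1.1.1.1:53}"
UNESCAPED = "{--dns01-self-check-nameservers=8.8.8.8:53,1.1.1.1:53}"
QUOTED = r'{--dns01-self-check-nameservers="8.8.8.8:53\,1.1.1.1:53"}'

if __name__ == "__main__":
    print(helm_set_list(ESCAPED))       # two args, nameservers kept together
    print(helm_set_list(UNESCAPED))     # second nameserver becomes a stray arg
    print(nameservers_from_set(ESCAPED))
```

In this model the unescaped form drops 1.1.1.1:53 into its own list element, and the double-quoted form reaches validation as a single address and is rejected for having too many colons.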