Describe the bug:
I'm trying to connect the cert-manager to my own DNS-solver using the webhook issuer. The received ChallengeRequest resource has two problems:
- DNSName is always empty
- Config does not actually contain the config specified in the issuer, but instead the complete ACMEIssuerDNS01ProviderWebhook object (which contains the config). This makes unmarshalling it (as intended here) impossible.

Expected behaviour:
- DNSName contains the DNS name, as specified in the Certificate resource
- Config contains only the config and not the surrounding construct

Steps to reproduce the bug:
1. Implement https://github.com/jetstack/cert-manager-webhook-example
2. In https://github.com/jetstack/cert-manager-webhook-example/blob/master/main.go:
   - Present and Cleanup functions: ch.DNSName will be empty
   - loadConfig: unmarshal into a map[string]interface{}; then it becomes visible that ch.Config actually contains the construct surrounding the config instead of the config itself

Anything else we need to know?:

Environment details:
v0.8.0-beta.0

/kind bug
Supposedly fixed by https://github.com/jetstack/cert-manager/pull/1675
Thanks for digging into this and the report 😄 I think our current e2e tests don't actually make use of the config field at all, hence why we've not seen this sooner.
I'm going to modify our e2e pipeline to utilise this config field which should hopefully prevent this happening in future.
Also, whilst the DNSName field should obviously be set, I will also note that you most likely want to use the ResolvedFQDN field instead of DNSName, as the DNSName is (as you say) what is specified in the Certificate, and not the actual record name that needs the TXT record setting 😄
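Editor's note, an added example that is not code from this thread, from cert-manager, or from the webhook-example repository: it shows what a webhook solver's loadConfig and Present/CleanUp should look like given the two points above, namely that ch.Config must be decoded and validated rather than trusted to have the expected shape, and that the TXT record name comes from ResolvedFQDN, not DNSName. To run offline it uses a stand-in ChallengeRequest struct with the same field names as the real one, a hypothetical solver config with a single apiEndpoint field, an in-memory TXT zone in place of a DNS provider API, and constructed JSON payloads, one correct and one in the wrapped provider-object shape the issue describes; all of these are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ChallengeRequest mirrors the cert-manager webhook ChallengeRequest field names used here (an assumption, not the project's type).
type ChallengeRequest struct {
	DNSName      string          `json:"dnsName"`
	ResolvedFQDN string          `json:"resolvedFQDN"`
	Key          string          `json:"key"`
	Config       json.RawMessage `json:"config"`
}

// solverConfig is a hypothetical schema for the issuer's webhook.config block.
type solverConfig struct {
	APIEndpoint string `json:"apiEndpoint"`
}
// loadConfig decodes ch.Config and rejects an empty or mis-shaped config instead of calling a DNS API with zero values.
func loadConfig(raw json.RawMessage) (solverConfig, error) {
	var cfg solverConfig
	if len(raw) == 0 {
		return cfg, fmt.Errorf("challenge carries no webhook config")
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return cfg, fmt.Errorf("decoding webhook config: %w", err)
	}
	if cfg.APIEndpoint != "" {
		return cfg, nil
	}
	// apiEndpoint missing: distinguish an omitted field from the wrapped shape this issue reports,
	// where the whole provider object ({groupName, solverName, config}) arrives in place of config.
	var outer map[string]json.RawMessage
	if json.Unmarshal(raw, &outer) == nil {
		if inner, ok := outer["config"]; ok {
			return cfg, fmt.Errorf("apiEndpoint missing but a nested \"config\" key is present: received the surrounding provider object instead of its config: %s", inner)
		}
	}
	return cfg, fmt.Errorf("webhook config is missing required field apiEndpoint")
}

// txtRecordFor derives the TXT record from the challenge. The name is ResolvedFQDN (the _acme-challenge
// name after CNAME following), never DNSName, which is only the name requested in the Certificate.
func txtRecordFor(ch ChallengeRequest) (name, value string, err error) {
	if ch.ResolvedFQDN == "" || ch.Key == "" {
		return "", "", fmt.Errorf("challenge is missing ResolvedFQDN or Key")
	}
	return strings.TrimSuffix(ch.ResolvedFQDN, "."), ch.Key, nil
}

// memSolver stands in for a DNS provider API: record name -> TXT values.
type memSolver struct{ records map[string][]string }
func newMemSolver() *memSolver { return &memSolver{records: map[string][]string{}} }

// Present validates the config, then publishes the value unless it is already there.
func (s *memSolver) Present(ch ChallengeRequest) error {
	if _, err := loadConfig(ch.Config); err != nil {
		return err
	}
	name, value, err := txtRecordFor(ch)
	if err != nil {
		return err
	}
	for _, v := range s.records[name] {
		if v == value {
			return nil // already published: Present must be idempotent
		}
	}
	s.records[name] = append(s.records[name], value)
	return nil
}

// CleanUp removes only this challenge's value (parallel challenges keep theirs); an already-gone value is not an error.
func (s *memSolver) CleanUp(ch ChallengeRequest) error {
	name, value, err := txtRecordFor(ch)
	if err != nil {
		return err
	}
	var kept []string
	for _, v := range s.records[name] {
		if v != value {
			kept = append(kept, v)
		}
	}
	s.records[name] = kept
	return nil
}

// Constructed sample payloads: a correct config block, and the wrapped shape this issue reports.
var goodConfig = json.RawMessage(`{"apiEndpoint":"https://dns.example.invalid"}`)
var wrappedConfig = json.RawMessage(`{"groupName":"acme.example.invalid","solverName":"my-solver","config":` + string(goodConfig) + `}`)

func main() {
	s := newMemSolver()
	ch := ChallengeRequest{ResolvedFQDN: "_acme-challenge.example.invalid.", Key: "keyauth-digest", Config: goodConfig}
	fmt.Println("present:", s.Present(ch), s.records, "wrapped:", s.Present(ChallengeRequest{ResolvedFQDN: ch.ResolvedFQDN, Key: ch.Key, Config: wrappedConfig}))
}
```

The point of the extra decode in loadConfig is diagnostic: on a build with the bug described here, the solver fails fast with a message naming the wrapped shape instead of silently calling the provider with an empty endpoint, and the same check catches an issuer whose config block simply omits the field.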
I actually use the ResolvedFQDN field for setting the TXT entry and only noticed the missing DNSName because I wanted to use it for debug log outputs :-)
Thanks for the fast response!
I'm interested in using the ACMEIssuerDNS01ProviderWebhook, but I haven't found any feasible documentation. Can I find it anywhere?
@juliohm1978 What exactly do you want to do? If you want to connect the cert-manager to your own DNS-solver, you have to implement this template: https://github.com/jetstack/cert-manager-webhook-example
I don't know if there is detailed documentation for this, but I can point you to a working implementation I did some time ago: https://github.com/gardener/certificate-dns-bridge
It is pretty simple - it reacts to requests from the cert-manager by creating a custom resource called DNSEntry. That resource is then picked up by another controller which creates the DNS entry for the challenge.
Thank you, that's exactly what I needed. A working example.
This is perfect to implement challenges for unsupported dns providers. A couple of questions come to mind, though.
Would it be possible for the webhook server to be running outside the cluster?
Can cert-manager authenticate, or is the webhook server wide open to anyone sending requests to it? That would be a blocking security concern.
It would also be nice to have the webhook solver defined as a service, instead of implemented directly in Go. If we have the specs for the HTTPS/JSON protocol, I can implement the server in any language or platform.