To set up a wildcard certificate with Let's Encrypt it is necessary to use the DNS-01 challenge rather than the simpler HTTP-01 challenge, because HTTP-01 cannot validate wildcard names.
This becomes a... challenge! because it requires support from your DNS provider. Luckily DNSimple
has an API for this, and there is a webhook Helm chart to get it up and running.
The cert-manager-webhook-dnsimple project lets you set this up automatically; this avoids any problems with an expired certificate, since it will renew itself automatically as long as the setup keeps working. While configuring it I sadly ran into a few issues myself; here are the details:
Ingress setup
I set up an Ingress to generate the certificate (as opposed to the example in the webhook project):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/secure-backends: "true"
    cert-manager.io/cluster-issuer:
  labels:
    chart: "-"
    release: ""
    heritage: ""
spec:
  rules:
  - host: '*.emailpref.com'
    http:
      paths:
      - path: /
        backend:
          serviceName: wizzy
          servicePort: http
  tls:
  - hosts:
    - '*.emailpref.com'
    - emailpref.com
    secretName: pewpew-cert # < cert-manager will store the created certificate in this secret.
Certificate Generation
This automatically generated the Certificate, CertificateRequest and Challenge resources; inspecting them helped me debug the issue very well:
kubectl get cert
kubectl describe cert
kubectl get certificaterequests
kubectl describe certificaterequests
kubectl get challenges
kubectl describe challenges
Errors!
At this point I hit an important error: the TXT challenge record could not be read from DNSimple. These tools helped me greatly in debugging that:
letsdebug.net: a website that checks whether your domain is set up properly to be verified by Let's Encrypt.
crt.sh: here you can check the certificates that have been requested for your domain.
Another guide that should help with debugging is here.
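As an added example (not part of the original post or of the webhook project), the following Python script cross-checks the DNS-01 Challenge objects that `kubectl get challenges -o json` returns against the `_acme-challenge` TXT records DNS actually serves, which is the check behind the "cannot read the TXT challenge" error above. The challenge names, tokens, account thumbprint and zone contents are constructed; it also shows the RFC 8555 computation of the TXT value and that the wildcard and apex challenges for emailpref.com share one record name and therefore need two TXT values.

```python
import base64, hashlib, json
from typing import Callable, Dict, List

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    # RFC 8555 section 8.4: base64url(SHA-256(token "." JWK thumbprint)), unpadded.
    # cert-manager stores this precomputed value in Challenge.spec.key for DNS-01.
    digest = hashlib.sha256(f"{token}.{account_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def check_challenges(challenges_json: str, lookup_txt: Callable[[str], List[str]]) -> List[Dict]:
    # Walk `kubectl get challenges -o json` output and, for each DNS-01 challenge, check
    # that the _acme-challenge TXT record carries the value cert-manager expects.
    report = []
    for ch in json.loads(challenges_json)["items"]:
        spec, status = ch["spec"], ch.get("status", {})
        if spec.get("type") != "DNS-01":
            continue
        record = f"_acme-challenge.{spec['dnsName']}"  # wildcard and apex share this name
        report.append({
            "challenge": ch["metadata"]["name"],
            "record": record,
            "wildcard": spec.get("wildcard", False),
            "state": status.get("state", "unknown"),
            "reason": status.get("reason", ""),
            "txt_present": spec["key"] in lookup_txt(record),
        })
    return report

def pending_problems(challenges_json: str, lookup_txt: Callable[[str], List[str]]) -> List[str]:
    # One line per challenge whose TXT value is absent from DNS: the "cannot read the TXT
    # challenge" situation, usually propagation delay or a missing second value.
    return [f"{r['challenge']}: missing TXT {r['record']} ({r['state']}: {r['reason']})"
            for r in check_challenges(challenges_json, lookup_txt) if not r["txt_present"]]

# Constructed sample (hypothetical tokens and thumbprint): the ingress above yields two
# DNS-01 challenges, one for *.emailpref.com (wildcard) and one for emailpref.com (apex).
WILDCARD_KEY = dns01_txt_value("token-wildcard", "example-account-thumbprint")
APEX_KEY = dns01_txt_value("token-apex", "example-account-thumbprint")
SAMPLE_CHALLENGES = json.dumps({"items": [
    {"metadata": {"name": "pewpew-cert-1-wild"},
     "spec": {"type": "DNS-01", "dnsName": "emailpref.com", "wildcard": True, "key": WILDCARD_KEY},
     "status": {"state": "valid", "reason": ""}},
    {"metadata": {"name": "pewpew-cert-1-apex"},
     "spec": {"type": "DNS-01", "dnsName": "emailpref.com", "wildcard": False, "key": APEX_KEY},
     "status": {"state": "pending", "reason": "DNS record not yet propagated (constructed)"}}]})
# Constructed zone snapshot: only the wildcard value was published at _acme-challenge.
FAKE_ZONE = {"_acme-challenge.emailpref.com": [WILDCARD_KEY]}
def fake_lookup(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])  # stand-in for a real resolver query such as dig TXT <name>
```

Replace `fake_lookup` with a function that queries your resolver (for example by parsing `dig +short TXT <name>`) to run it against a live cluster and zone.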
DNSSEC
Configuring DNSSEC properly did the trick; after that the letsdebug.net tool gave me the thumbs up and everything started working properly.