To set up a wildcard certificate with Let's Encrypt you must use the DNS01 challenge rather than the simpler HTTP01 challenge, because Let's Encrypt only issues wildcard certificates through DNS01.
That is a challenge in itself, because DNS01 needs API support from your DNS provider so that the `_acme-challenge` TXT record can be created for you. Luckily dnsimple has an API for this, and there is a webhook Helm chart to get it up and running.
The cert-manager-webhook-dnsimple project lets cert-manager create those TXT records automatically, which avoids any problems with an expired certificate, since it renews itself as long as the setup keeps working. While configuring it I ran into a few issues myself; here are the details.
I set up an Ingress to generate the certificate (as opposed to the Certificate resource used in the webhook project's example). The empty values below were empty in the original post (they came from Helm template values); the apex domain is listed separately because a wildcard for `*.emailpref.com` does not cover `emailpref.com` itself.

```yaml
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22; newer clusters use networking.k8s.io/v1
kind: Ingress
metadata:
  name:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/secure-backends: "true"
    cert-manager.io/cluster-issuer:
  labels:
    chart: "-"
    release: ""
    heritage: ""
spec:
  rules:
  - host: '*.emailpref.com'
    http:
      paths:
      - path: /
        backend:
          serviceName: wizzy
          servicePort: http
  tls:
  - hosts:
    - '*.emailpref.com'
    - emailpref.com
    secretName: pewpew-cert # cert-manager will store the created certificate in this secret.
```
This automatically generated the Certificate, CertificateRequest and Challenge resources. Inspecting them helped me debug the issue a great deal:

```shell
kubectl get cert
kubectl describe cert
kubectl get certificaterequests
kubectl describe certificaterequests
kubectl get challenges
kubectl describe challenges
```
At this point I got an important error: Let's Encrypt's validation was not able to read the DNS01 challenge TXT record from dnsimple. These tools helped me greatly in debugging that:
letsdebug.net: a website that checks whether your domain is set up so that Let's Encrypt can validate it, including the DNS lookups the CA performs.
crt.sh: here you can look up the certificates that have been issued for your domain from the Certificate Transparency logs, which is a quick way to confirm the wildcard was really issued (and to spot any issuance you did not expect).
Another guide that should help with debugging is here.
Configuring DNSSEC properly did the trick; after that the letsdebug.net tool gave me the thumbs up and everything started working properly. The reason a DNSSEC mistake breaks DNS01 is that Let's Encrypt's resolvers validate DNSSEC, so a zone with a broken chain (for example a DS record at the registrar that does not match the keys the nameservers serve) gets a SERVFAIL from them even though an ordinary non-validating resolver still returns the TXT record.
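As an added example, not code from the original post or from cert-manager, here is a small Python helper for the debugging loop above: it takes the JSON that `kubectl get challenges -A -o json` prints, lists each Challenge's domain, state and the TXT record name the CA queries, and turns the ACME reason text into a hint (a SERVFAIL maps to "check DNSSEC", which is exactly the failure this post ended up with). The sample document is constructed, the challenge names and the `letsencrypt-prod` issuer name are assumptions, and the reason strings mirror the wording Let's Encrypt and cert-manager use.

```python
from __future__ import annotations

import json

# Constructed sample shaped like `kubectl get challenges -A -o json`; not real
# cluster output. Challenge names and the issuer name are made up. The first
# item carries the kind of DNS error Let's Encrypt reports when its validating
# resolver cannot resolve the zone (the symptom of broken DNSSEC).
SAMPLE_CHALLENGES_JSON = r"""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "acme.cert-manager.io/v1",
      "kind": "Challenge",
      "metadata": {"name": "pewpew-cert-1234-0", "namespace": "default"},
      "spec": {"dnsName": "emailpref.com", "wildcard": true, "type": "DNS-01",
               "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
      "status": {"state": "pending", "processing": true, "presented": true,
                 "reason": "DNS problem: SERVFAIL looking up TXT for _acme-challenge.emailpref.com - the domain's nameservers may be malfunctioning"}
    },
    {
      "apiVersion": "acme.cert-manager.io/v1",
      "kind": "Challenge",
      "metadata": {"name": "pewpew-cert-1234-1", "namespace": "default"},
      "spec": {"dnsName": "emailpref.com", "wildcard": false, "type": "DNS-01",
               "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
      "status": {"state": "valid", "processing": false, "presented": false,
                 "reason": "Successfully authorized domain"}
    }
  ]
}
"""


def load_challenges(text: str) -> dict:
    """Parse the kubectl JSON list; kept separate so callers can feed real output."""
    return json.loads(text)


def txt_record_name(dns_name: str) -> str:
    """Name of the TXT record the ACME server queries for a DNS-01 challenge.

    A wildcard for *.example.com is validated at _acme-challenge.example.com,
    the same name the apex uses, so a leading '*.' is stripped defensively
    (cert-manager already stores the bare name in spec.dnsName).
    """
    if dns_name.startswith("*."):
        dns_name = dns_name[2:]
    return f"_acme-challenge.{dns_name}"


def classify_reason(reason: str) -> str:
    """Map the free-text status.reason of a Challenge to a next debugging step."""
    r = reason.lower()
    if not r:
        return "no reason reported yet; the record may still be being presented"
    if "servfail" in r:
        # Let's Encrypt validates DNSSEC: a broken DS/signature chain shows up as
        # SERVFAIL at the CA even when a plain resolver returns the TXT record.
        return "resolver got SERVFAIL: check the zone's DNSSEC (DS record and signatures) first"
    if "nxdomain" in r:
        return "TXT record not found: check the webhook created it and that it has propagated"
    if "propagation" in r:
        return "cert-manager's own self-check does not see the record yet; wait, then re-check"
    if "successfully authorized" in r:
        return "ok"
    return "unrecognised reason; read the full text"


def summarize_challenges(doc: dict) -> list[dict]:
    """One row per Challenge with the fields worth looking at when DNS01 fails."""
    rows = []
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        status = item.get("status", {})
        dns_name = spec.get("dnsName", "")
        reason = status.get("reason", "")
        rows.append({
            "name": item["metadata"]["name"],
            "domain": ("*." + dns_name) if spec.get("wildcard") else dns_name,
            "type": spec.get("type", ""),
            "txt_record": txt_record_name(dns_name),
            "state": status.get("state", "unknown"),
            "reason": reason,
            "hint": classify_reason(reason),
        })
    return rows


def failing_challenges(doc: dict) -> list[dict]:
    """Only the challenges that have not reached the 'valid' state."""
    return [row for row in summarize_challenges(doc) if row["state"] != "valid"]


if __name__ == "__main__":
    for row in summarize_challenges(load_challenges(SAMPLE_CHALLENGES_JSON)):
        print(f"{row['state']:8} {row['domain']:20} {row['txt_record']:32} {row['hint']}")
```

On a real cluster, pipe `kubectl get challenges -A -o json` into `load_challenges` instead of the embedded sample; both the wildcard and the apex challenge point at the same `_acme-challenge.emailpref.com` name, which is why a single DNSSEC problem on the zone blocks both at once.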