
I am running a small K3S cluster and I use Cert-Manager to issue Let's Encrypt certificates to the applications running in my cluster.

The cluster was installed via Ansible and the initial generation of certificates worked fine, but for some odd reason Cert-Manager will not renew the certificates?

A quick reference: my main domain is molgaard.eu, which is hosted by Simply.com.

The cluster resides at home.molgaard.eu, which is a subdomain that is not accessible from the Internet, hence in order to issue Let's Encrypt certificates of the form (something).home.molgaard.eu I need to make sure Cert-Manager uses dns01 during renewal.

This is all handled by the following Ansible task:

    - name: Create Lets Encrypt ClusterIssuer
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: ClusterIssuer
          metadata:
            name: letsencrypt-prod
          spec:
            acme:
              email: *** REDACTED ***
              server: https://acme-v02.api.letsencrypt.org/directory
              privateKeySecretRef:
                name: letsencrypt-prod-private-key
              solvers:
                - dns01:
                    webhook:
                      groupName: com.github.runnerm.cert-manager-simply-webhook
                      solverName: simply-dns-solver
                      config:
                        secretName: simply-credentials
                  selector:
                    dnsZones:
                      - molgaard.eu

This part worked fine when I created the cluster, but when renewal came around, something apparently went wrong:

Here is what happens when I try to debug the challenge created for the renewal of the certificate for unifi.home.molgaard.eu.

The relevant excerpt from kubectl get challenges unifi-tls-2-3236526805-1144319786 -ojson is as follows:

    "status": {
        "presented": false,
        "processing": true,
        "reason": "When querying the SOA record for the domain '_acme-challenge.unifi.home.molgaard.eu.' using nameservers [8.8.8.8:53 1.1.1.1:53], rcode was expected to be 'NOERROR' or 'NXDOMAIN', but I got 'SERVFAIL'",
        "state": "pending"
    }

I know it is DNS related and I would expect that when asking for SOA, it would point towards the DNS servers hosted by Simply.com?

Searching a bit online I do find a discussion about cert-manager having issues with SOA lookups, but I do not know if it is applicable for my issue?
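The status message quoted above comes from the zone-discovery step cert-manager runs before it presents a TXT record: starting at the `_acme-challenge` name it queries SOA, strips one label on NXDOMAIN (or on NOERROR without an SOA), stops at the first name whose ANSWER holds an SOA, and gives up on any other rcode. The script below is an added example, not cert-manager's or the Simply webhook's code, that reproduces that walk so it can be checked outside the cluster. The two resolver tables are constructed scenarios: one where the public zone answers normally and one where every name under home.molgaard.eu returns SERVFAIL, which is what a public resolver does when a subdomain is delegated to nameservers it cannot reach. The `live_resolver` helper is optional and needs dnspython; the nameservers 8.8.8.8 and 1.1.1.1 are the defaults named in the error text.

```python
"""Added example (not cert-manager's code): reproduce the SOA walk that the DNS-01
solver performs before presenting a TXT record, so the SERVFAIL in the question
can be diagnosed outside the cluster.  Tables and replies below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


class ZoneLookupError(Exception):
    """Raised when zone discovery must stop; message mirrors the challenge 'reason'."""


@dataclass(frozen=True)
class SoaReply:
    rcode: str        # DNS response code as text
    has_soa: bool     # True when the ANSWER section holds an SOA for the queried name


# A query function takes an absolute name and reports what the resolver said about SOA.
QueryFn = Callable[[str], SoaReply]


def find_zone_by_fqdn(fqdn: str, query: QueryFn) -> str:
    """Walk from the challenge name towards the root until a name answers with an SOA.

    Rules (these produce exactly the wording seen in the challenge status):
      NXDOMAIN               -> strip one label and keep walking
      NOERROR without SOA    -> strip one label and keep walking
      NOERROR with SOA       -> this name is the zone apex
      anything else          -> stop and report the rcode that came back
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        reply = query(candidate)
        if reply.rcode == NXDOMAIN:
            continue
        if reply.rcode != NOERROR:
            raise ZoneLookupError(
                f"When querying the SOA record for the domain '{candidate}', rcode was "
                f"expected to be 'NOERROR' or 'NXDOMAIN', but I got '{reply.rcode}'"
            )
        if reply.has_soa:
            return candidate
    raise ZoneLookupError(f"no zone apex found for '{fqdn}'")


def table_resolver(table: Dict[str, SoaReply], default: SoaReply) -> QueryFn:
    """Build an offline stand-in for a recursive resolver from a name -> reply table."""
    def query(name: str) -> SoaReply:
        return table.get(name, default)
    return query


# Constructed scenario 1: names below the apex do not exist (NXDOMAIN) and the apex
# molgaard.eu. carries the SOA, so the walk ends there.
HEALTHY = table_resolver(
    {"molgaard.eu.": SoaReply(NOERROR, True)},
    default=SoaReply(NXDOMAIN, False),
)

# Constructed scenario 2: everything under home.molgaard.eu. comes back SERVFAIL, as a
# public resolver answers when that subdomain is delegated to nameservers it cannot
# reach.  The walk aborts on the very first query and never reaches molgaard.eu.
BROKEN = table_resolver(
    {
        "molgaard.eu.": SoaReply(NOERROR, True),
        "_acme-challenge.unifi.home.molgaard.eu.": SoaReply(SERVFAIL, False),
        "unifi.home.molgaard.eu.": SoaReply(SERVFAIL, False),
        "home.molgaard.eu.": SoaReply(SERVFAIL, False),
    },
    default=SoaReply(NXDOMAIN, False),
)


def diagnose(fqdn: str, query: QueryFn) -> str:
    """Return a one-line verdict instead of raising, for scripted checks."""
    try:
        return f"zone for {fqdn} is {find_zone_by_fqdn(fqdn, query)}"
    except ZoneLookupError as exc:
        return f"FAILED: {exc}"


def live_resolver(nameservers: Iterable[str]) -> QueryFn:
    """Optional: query real resolvers with dnspython (pip install dnspython).
    Imported lazily so the offline scenarios above work without it or without network."""
    import dns.resolver
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = list(nameservers)

    def query(name: str) -> SoaReply:
        try:
            ans = res.resolve(name, "SOA", raise_on_no_answer=False)
        except dns.resolver.NXDOMAIN:
            return SoaReply(NXDOMAIN, False)
        except dns.resolver.NoNameservers:
            # Raised when every nameserver answered with an error (SERVFAIL, REFUSED,
            # ...); labelled SERVFAIL here as the most common case in this diagnosis.
            return SoaReply(SERVFAIL, False)
        return SoaReply(NOERROR, ans.rrset is not None)
    return query


if __name__ == "__main__":
    import sys
    name = "_acme-challenge.unifi.home.molgaard.eu"
    print("offline healthy:", diagnose(name, HEALTHY))
    print("offline broken: ", diagnose(name, BROKEN))
    if "--live" in sys.argv:  # the two resolvers named in the challenge status
        print("live:           ", diagnose(name, live_resolver(["8.8.8.8", "1.1.1.1"])))
```

Running it with `--live` against the resolvers from the error text, and then again against Simply.com's authoritative nameservers for molgaard.eu, shows whether the SERVFAIL originates at the public recursors (for example a delegation of home.molgaard.eu that they cannot follow) or at the zone itself. The recursor list cert-manager uses is configurable through its `--dns01-recursive-nameservers` flag, so the same walk can be pointed at resolvers that do see the private subdomain.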
