Wildcard Let's Encrypt certificates with cert-manager, nginx ingress, cloudflare in kubernetes how to fix?
It looks mostly correct; a couple of issues I see:

The `challenges` keyword seems out of place in the `Issuer`. Maybe it was on purpose, to explain(?)

```yaml
# ACME DNS-01 provider configurations
dns01:
  providers:
  - name: cf-dns
    cloudflare:
      email: myimail@gmail.com
      # A secretKeyRef to a cloudflare api key
      apiKeySecretRef:
        name: cloudflare-api-key
        key: api-key.txt
```
Missing `kind: Issuer` line within the `issuerRef` in your `Certificate` definition, and `dnsNames` shows `play.mydomain.com` instead of `*.play.mydomain.com` (which could be the problem):

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    name: letsencrypt-prod-wildcard
    kind: Issuer
  commonName: '*.play.mydomain.com'
  dnsNames:
  - '*.play.mydomain.com'   # <== here (quoted: a bare leading '*' is a YAML alias and fails to parse)
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
```
Note: it might require first adding the CAA record in DNS.

The CAA record can get added into the DNS zone, for example:

| Name      | Type | Value                            |
|-----------|------|----------------------------------|
| devops.in | CAA  | 0 issuewild "letsencrypt.org"    |
Secret storing the access key:

```shell
kubectl create secret generic route53-secret \
  --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
```
Sharing the example issuer.yaml here:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
        - "devops.in"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          # Secret created with the kubectl command above
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
---
apiVersion: cert-manager.io/v1   # same API version as the Issuer
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
  - "*.devops.in"
```
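The CAA note above is where wildcard issuance most often fails silently: an `issuewild` record governs `*.devops.in`, while a plain `issue` record governs it only when no `issuewild` exists. The following is an added example (not from either answer) that applies the RFC 8659 relevance rules to a constructed, in-memory CAA record set; a real check would fetch the records with `dig` or dnspython instead.

```python
"""Decide whether a zone's CAA records let a CA issue a (wildcard) certificate.

Constructed sample zone: the devops.in record from the answer above plus a
few extra names to show how 'issue', 'issuewild' and ';' interact.
"""

SAMPLE_CAA = {
    "devops.in": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
    ],
    "example.com": [
        (0, "issue", "letsencrypt.org"),   # no issuewild: 'issue' also governs wildcards
    ],
    "nowild.example": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),              # ";" forbids wildcard issuance by any CA
    ],
    "locked.example": [
        (0, "issue", ";"),                  # ";" forbids all issuance by any CA
    ],
}


def relevant_caa(records_by_name, fqdn):
    """Return the first non-empty CAA set walking from fqdn towards the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if records_by_name.get(name):
            return records_by_name[name]
    return []


def caa_permits(records_by_name, name, ca_domain):
    """True if CA `ca_domain` may issue for `name` (wildcards like '*.devops.in')."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name    # CAA for *.Y is looked up at Y
    rrset = relevant_caa(records_by_name, base)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # CAA present (e.g. only iodef) but nothing restricts this tag
    # Value is "<ca-domain>[; param=value ...]"; ";" alone allows nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```

Run it against your own zone's records before waiting on a cert-manager Order that Let's Encrypt will reject with a CAA error.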