I use Cloudflare DNS to manage my domain. I created an A record *.play.mydomain.com in Cloudflare.
In Kubernetes (GKE) I created an Issuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod-wildcard
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    #server: https://acme-v02.api.letsencrypt.org/directory
    email: myemain@gmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-wildcard
    # ACME DNS-01 provider configurations
    dns01:
      challenges
      providers:
      - name: cf-dns
        cloudflare:
          email: myimail@gmail.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
And I created a secret for Cloudflare (cloudflare-api-key).
I also created a wildcard Certificate:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    #name: letsencrypt-staging-wildcard
    name: letsencrypt-prod-wildcard
  commonName: '*.play.mydomain.com'
  dnsNames:
  - play.mydomain.com
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
The certificate was generated successfully:
Status:
  Conditions:
    Last Transition Time:  2019-04-13T00:49:00Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-07-11T23:48:57Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           4m5s  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  4m5s  cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        4m5s  cert-manager  Created Order resource "wildcard-mydomain-com-880037411"
  Normal  OrderComplete       84s   cert-manager  Order "wildcard-mydomain-com-880037411" completed successfully
  Normal  CertIssued          84s   cert-manager  Certificate issued successfully
But in the cert-manager logs I see an error:
2019-04-13 04:49:00.078 GET
orders controller: Re-queuing item "default/wildcard-mydomain-com-880037411" due to error processing: challenges.certmanager.k8s.io "wildcard-mydomain-com-880037411-1" not found
I also have an Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-mydomain-com
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/issuer: letsencrypt-prod-wildcard
    certmanager.k8s.io/acme-challenge-type: "dns01"
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - secretName: letsencrypt-prod-secret-playground
    hosts:
    - '*.play.mydomain.com'
  rules:
  - host: '*.play.mydomain.com'
    http:
      paths:
      - backend:
          serviceName: playground
          servicePort: 83
And an error in the logs (after applying the Ingress):
2019-04-13 04:51:17.225 GET
orders controller: Re-queuing item "default/letsencrypt-prod-secret-playground-2579012660" due to error processing: Error constructing Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain "play.mydomain.com"
How can I use Let's Encrypt wildcard certificates with cert-manager, nginx ingress and Cloudflare in Kubernetes?
I'd like to have an Ingress and launch many subdomains ([randomstring].play.mydomain.com).
It looks mostly correct; a couple of issues I see:

The challenges keyword seems out of place in the Issuer. Maybe it was on purpose to explain(?)
    # ACME DNS-01 provider configurations
    dns01:
      providers:
      - name: cf-dns
        cloudflare:
          email: myimail@gmail.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
Missing kind: Issuer line within the issuerRef in your Certificate definition, and dnsNames shows play.mydomain.com instead of *.play.mydomain.com (which could be the problem):
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    name: letsencrypt-prod-wildcard
    kind: Issuer
  commonName: '*.play.mydomain.com'
  dnsNames:
  - '*.play.mydomain.com'   # <== here (quoted, because an unquoted * is a YAML alias)
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
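The two points the answer makes (the missing issuerRef kind, and the wildcard living only in commonName) can be checked before applying the manifest, and the same check shows why the apex name play.mydomain.com must be listed separately: a wildcard SAN covers exactly one label. This is an added example, not code from the question or answer; the Certificate specs are re-typed as Python dicts (labelled as constructed) so no YAML library is needed.

```python
"""Lint a cert-manager Certificate spec for the issues the answer raises and
check which Ingress hosts its SANs cover (RFC 6125 wildcard rules)."""

# Constructed from the questioner's Certificate (no issuerRef.kind; the
# wildcard is only the commonName, not a dnsName). Not the post's own code.
ASKED_SPEC = {
    "issuerRef": {"name": "letsencrypt-prod-wildcard"},
    "commonName": "*.play.mydomain.com",
    "dnsNames": ["play.mydomain.com"],
    "acme": {"config": [{"dns01": {"provider": "cf-dns"},
                         "domains": ["*.play.mydomain.com", "play.mydomain.com"]}]},
}

# Constructed from the answer's corrected Certificate, keeping the apex name.
FIXED_SPEC = {
    "issuerRef": {"name": "letsencrypt-prod-wildcard", "kind": "Issuer"},
    "commonName": "*.play.mydomain.com",
    "dnsNames": ["*.play.mydomain.com", "play.mydomain.com"],
    "acme": ASKED_SPEC["acme"],
}

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 s6.4.3: a wildcard must be the whole leftmost label and stands
    for exactly one label, so '*.play.mydomain.com' does not cover 'play.mydomain.com'."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # reject '*.com'-style wildcards
    return p == h

def lint_certificate(spec: dict) -> list:
    """Return the problems the answer points out, as readable strings."""
    problems = []
    names = spec.get("dnsNames", [])
    if "kind" not in spec.get("issuerRef", {}):
        problems.append("issuerRef is missing 'kind: Issuer'")
    cn = spec.get("commonName")
    if cn and cn not in names:
        problems.append(f"commonName {cn!r} is not listed in dnsNames")
    for cfg in spec.get("acme", {}).get("config", []):
        for d in cfg.get("domains", []):
            if d not in names and d != cn:
                problems.append(f"dns01 domain {d!r} has no matching dnsName")
    return problems

def uncovered_hosts(dns_names: list, hosts: list) -> list:
    """Ingress hosts that no SAN in dns_names would match."""
    return [h for h in hosts if not any(san_matches(n, h) for n in dns_names)]
```

Running lint_certificate on the questioner's spec reports both issues from the answer, while uncovered_hosts(["*.play.mydomain.com"], ["play.mydomain.com"]) shows that a wildcard-only certificate leaves the apex host unprotected, which is why the Ingress tls hosts should list both names.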