Changing cert-manager validation from HTTP to DNS

11/18/2019

I am using cert-manager with the ACME client in a Kubernetes cluster to be issued certificates by Let's Encrypt. For validation we have already used http01 and everything works fine. The cluster is hosted on Azure and uses Azure DNS for the domain. Now we realize DNS-based validation is best suited for our situation, so I've updated the ClusterIssuer to use dns01 validation in a test env with the proper azuredns information, as guided in the cert-manager docs. In my case, roughly, the IaC pipeline creates the underlying Azure hosting infrastructure including cert-manager, the ClusterIssuer and nginx-ingress-portal, and the deploy pipeline deploys the app (Keycloak) and the ingress. After the changes in the ClusterIssuer, both pipelines succeed without errors. Here is some log output from cert-manager:

I1118 20:26:37.348920       1 controller.go:129] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="default/tls-keycloak"
I1118 20:26:37.349713       1 util.go:162] cert-manager/controller/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="1326h49m12.650326282s" "related_resource_kind"="Secret" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="tls-keycloak" "resource_namespace"="default"
I1118 20:26:37.349773       1 sync.go:303] cert-manager/controller/certificates "level"=0 "msg"="certificate does not require re-issuance. certificate renewal scheduled near expiry time." "related_resource_kind"="Secret" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="tls-keycloak" "resource_namespace"="default"
I1118 20:26:37.350088       1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/tls-keycloak"
I1118 20:27:29.161463       1 controller.go:129] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="default/keycloak"
I1118 20:27:29.161828       1 sync.go:163] cert-manager/controller/ingress-shim "level"=0 "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Ingress" "resource_name"="keycloak" "resource_namespace"="default"
I1118 20:27:29.162147       1 sync.go:176] cert-manager/controller/ingress-shim "level"=0 "msg"="certificate resource is already up to date for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Ingress" "resource_name"="keycloak" "resource_namespace"="default"
I1118 20:27:29.162465       1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="default/keycloak"

Now I want to ensure the DNS validation is actually working / will surely work when the renewal time comes. To trigger the revalidation process, I've tried recreating the certificate, nginx, nginx-ingress and cert-manager, but I'm still getting similar logs (as mentioned above). I feel that if I recreate the whole cluster (with a new public IP) things might work with DNS validation, but I don't want to do that, as with our other existing cluster we want to apply the same DNS validation without recreating the cluster. I'd appreciate any kind of idea / help if I am missing something.

-- Tonmoy
cert-manager
kubernetes
kubernetes-ingress
lets-encrypt
nginx-ingress

0 Answers
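The log lines above ("certificate does not require re-issuance") are what you get whenever the existing Certificate is still valid: cert-manager only runs a solver while it is working an ACME Order, and editing the ClusterIssuer does not start one. Recreating cert-manager or the ingress does not start one either as long as the tls-keycloak Secret still holds a valid certificate. The script below is an added example, not code from the question or from the cert-manager project. It creates a throwaway Certificate that references the changed ClusterIssuer (so the live tls-keycloak Secret is untouched), waits for the resulting Challenge and prints its type and state, checks the published TXT record with dig, and only then offers a separate step that forces re-issuance of the real certificate by deleting its Secret, which cert-manager treats as a missing certificate and re-orders. The ClusterIssuer name letsencrypt-prod, the hostname keycloak.example.com, the probe name, and the cert-manager.io/v1 API with the acme.cert-manager.io Challenge kind (cert-manager 0.11 or later) are assumptions; kubectl and dig must be on the path for the cluster-facing steps.

```shell
#!/bin/sh
# Added example (not from the question or from cert-manager): exercise a
# ClusterIssuer's dns01 solver on an existing cluster without recreating it.
# Assumed (hypothetical) values: ClusterIssuer "letsencrypt-prod",
# hostname "keycloak.example.com", namespace "default".
set -eu

ISSUER="${ISSUER:-letsencrypt-prod}"
HOST="${HOST:-keycloak.example.com}"
NAMESPACE="${NAMESPACE:-default}"
PROBE_NAME="dns01-probe"

# Name of the TXT record an ACME dns01 challenge is answered from.
challenge_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Throwaway Certificate pointed at the ClusterIssuer. It is not tied to the
# Ingress, so the existing tls-keycloak Secret is left alone while the new
# solver is exercised end to end.
probe_manifest() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $PROBE_NAME
  namespace: $NAMESPACE
spec:
  secretName: $PROBE_NAME-tls
  issuerRef:
    name: $ISSUER
    kind: ClusterIssuer
  dnsNames:
    - $HOST
EOF
}

# Apply the probe, wait for cert-manager to create a Challenge, then show
# which solver type it used (DNS-01 if the issuer change took) and whether
# the TXT record is visible from a public resolver.
run_probe() {
    probe_manifest | kubectl apply -f -
    i=0
    while [ "$i" -lt 12 ] && \
          [ -z "$(kubectl -n "$NAMESPACE" get challenges.acme.cert-manager.io -o name 2>/dev/null)" ]; do
        sleep 5
        i=$((i + 1))
    done
    kubectl -n "$NAMESPACE" get challenges.acme.cert-manager.io \
        -o custom-columns=NAME:.metadata.name,TYPE:.spec.type,STATE:.status.state,REASON:.status.reason
    # Independent check that the record reached Azure DNS and propagated.
    dig +short TXT "$(challenge_record_name "$HOST")" @1.1.1.1
}

# Once the probe is Ready, force a real re-order: with the Secret gone,
# cert-manager sees a Certificate without a certificate and issues again,
# this time through the dns01 solver.
reissue_existing() {
    kubectl -n "$NAMESPACE" delete secret tls-keycloak
    kubectl -n "$NAMESPACE" describe certificate tls-keycloak
}

cleanup_probe() {
    kubectl -n "$NAMESPACE" delete certificate "$PROBE_NAME" --ignore-not-found
    kubectl -n "$NAMESPACE" delete secret "$PROBE_NAME-tls" --ignore-not-found
}

# Only talk to the cluster when asked, so the helper functions can be sourced.
case "${1:-}" in
    probe)   run_probe ;;
    reissue) reissue_existing ;;
    cleanup) cleanup_probe ;;
esac
```

Run it as `sh dns01-check.sh probe`, then `sh dns01-check.sh reissue` once `kubectl get certificate dns01-probe` reports Ready, and `sh dns01-check.sh cleanup` afterwards. The Challenge's REASON column is where an Azure DNS permission problem (wrong service principal, missing DNS Zone Contributor role, wrong hosted zone) shows up, which is the failure you want to catch now rather than at renewal time.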