I'm trying to make my Google services more secure by moving from HTTP to HTTPS. I've been following the cert-manager documentation to get it working.
https://cert-manager.io/docs/configuration/acme/dns01/google/
I can't install Helm on the cluster, nor the nginx ingress, which is why I'm using the dns01 challenge instead of http01.
I installed cert-manager with the regular manifests, v0.11.0.
After creating a DNS admin service account, I used this YAML to create the issuer:
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: email@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, DNS01 using Google Cloud DNS
    solvers:
    - dns01:
        clouddns:
          project: my-project-id
          # This is the secret used to access the service account
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json
and my certificate object:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    # The issuer created previously
    name: example-issuer
  commonName: my-domain.com
  dnsNames:
  - my-domain.com
  - www.my-domain.com
After applying these files, I got these results:
$ kubectl describe issuer
Name: example-issuer
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
  {"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"example-issuer","namespace":"default"},"spec...
API Version: cert-manager.io/v1alpha2
Kind: Issuer
Metadata:
  Creation Timestamp: 2019-11-28T15:00:33Z
  Generation: 1
  Resource Version: 306180
  Self Link: /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/example-issuer
  UID: d3d1f66e-11ef-11ea-856a-42010a8401a2
Spec:
  Acme:
    Email: email@gmail.com
    Private Key Secret Ref:
      Name: example-issuer-account-key
    Server: https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Clouddns:
          Project: my-project-id
          Service Account Secret Ref:
            Key: key.json
            Name: clouddns-dns01-solver-svc-acct
Status:
  Acme:
    Last Registered Email: email@gmail.com
    Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/11671464
  Conditions:
    Last Transition Time: 2019-11-28T15:00:34Z
    Message: The ACME account was registered with the ACME server
    Reason: ACMEAccountRegistered
    Status: True
    Type: Ready
Events: <none>
$ kubectl get certificates -o wide
NAME          READY   SECRET            ISSUER           STATUS                                                                 AGE
example-com   False   example-com-tls   example-issuer   Waiting for CertificateRequest "example-com-1030278725" to complete   49m
$ kubectl get CertificateRequest -o wide
NAME                     READY   ISSUER           STATUS                                                                                                 AGE
example-com-1030278725   False   example-issuer   Waiting on certificate issuance from order default/example-com-1030278725-1017944607: "pending"   50m
The problem is that you are trying to complete DNS01 challenges for a domain managed by Google Domains DNS Servers. This is not possible at this time.
Google Domains DNS is not Google Cloud DNS. You cannot use Cert Manager for automatic DNS01 challenges with Google Domains. There is no API to set up TXT records in Google Domains. There is a supported API for Cert Manager for Google Cloud DNS.
My recommendation: move your domain's DNS servers to Cloud DNS.
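
A check for the condition described in this answer, as an added example that is not part of the original question or answer: it compares the name servers the domain is publicly delegated to with the name servers of the Cloud DNS managed zone the `clouddns` solver writes to, and lists the TXT record names the DNS01 challenge will use. The function names and sample inputs are assumptions constructed for illustration; the inputs are expected to be the output of `dig +short NS <domain>` and `gcloud dns managed-zones describe <zone> --format=json`.

```python
import json

# Constructed sample inputs (not taken from the original post).
DIG_REGISTRAR = "ns1.registrar.example.\nns2.registrar.example.\n"
DIG_CLOUD_DNS = "NS-Cloud-A1.googledomains.com.\nns-cloud-a2.googledomains.com.\n"
ZONE_JSON = json.dumps({
    "name": "my-domain-zone",
    "dnsName": "my-domain.com.",
    "nameServers": [
        "ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com.",
        "ns-cloud-a3.googledomains.com.", "ns-cloud-a4.googledomains.com.",
    ],
})

def normalize(host):
    """Lower-case a host name and drop whitespace and the trailing root dot."""
    return host.strip().lower().rstrip(".")

def parse_dig_ns(dig_output):
    """Name servers from `dig +short NS <domain>` (one host per line)."""
    return {normalize(line) for line in dig_output.splitlines() if line.strip()}

def parse_zone_ns(gcloud_json):
    """Name servers from `gcloud dns managed-zones describe ... --format=json`."""
    return {normalize(ns) for ns in json.loads(gcloud_json).get("nameServers", [])}

def check_delegation(dig_output, gcloud_json):
    """DNS01 via Cloud DNS can only validate if every delegated server serves the zone."""
    delegated, zone = parse_dig_ns(dig_output), parse_zone_ns(gcloud_json)
    return {
        "ok": bool(delegated) and delegated <= zone,
        "not_in_zone": sorted(delegated - zone),          # servers cert-manager cannot update
        "unused_zone_servers": sorted(zone - delegated),  # informational only
    }

def challenge_records(dns_names):
    """TXT record names queried for each dnsName (a wildcard shares its parent's record)."""
    names = set()
    for name in dns_names:
        name = normalize(name)
        if name.startswith("*."):
            name = name[2:]
        names.add("_acme-challenge." + name)
    return sorted(names)

if __name__ == "__main__":
    print(check_delegation(DIG_REGISTRAR, ZONE_JSON))
    print(check_delegation(DIG_CLOUD_DNS, ZONE_JSON))
    print(challenge_records(["my-domain.com", "www.my-domain.com"]))
```

When `ok` is false, the TXT records cert-manager creates in the Cloud DNS zone are never seen by the ACME server, which matches an order that stays "pending".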