gke cert manager certificate in progress

11/28/2019

I'm trying to make my Google services more secure by moving from HTTP to HTTPS. I've been following the cert-manager documentation to get it working.

https://cert-manager.io/docs/configuration/acme/dns01/google/

I can't install Helm on the cluster, nor the NGINX ingress, which is why I'm using the DNS01 challenge instead of HTTP01.

I installed cert-manager v0.11.0 with the regular manifests.

After creating a DNS admin service account, I used this YAML to create the issuer:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: email@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver: DNS01 using Google Cloud DNS
    solvers:
      - dns01:
          clouddns:
            project: my-project-id
            # This is the secret used to access the service account
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: key.json

and my Certificate object:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    # The issuer created previously
    name: example-issuer
  commonName: my-domain.com
  dnsNames:
    - my-domain.com
    - www.my-domain.com

After applying these files, I had these results:

$ kubectl describe issuer
Name:         example-issuer
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"example-issuer","namespace":"default"},"spec...
API Version:  cert-manager.io/v1alpha2
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-11-28T15:00:33Z
  Generation:          1
  Resource Version:    306180
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/example-issuer
  UID:                 d3d1f66e-11ef-11ea-856a-42010a8401a2
Spec:
  Acme:
    Email:  email@gmail.com
    Private Key Secret Ref:
      Name:  example-issuer-account-key
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Clouddns:
          Project:  my-project-id
          Service Account Secret Ref:
            Key:   key.json
            Name:  clouddns-dns01-solver-svc-acct
Status:
  Acme:
    Last Registered Email:  email@gmail.com
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/11671464
  Conditions:
    Last Transition Time:  2019-11-28T15:00:34Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

$ kubectl get certificates -o wide
NAME          READY   SECRET            ISSUER           STATUS                                                                AGE
example-com   False   example-com-tls   example-issuer   Waiting for CertificateRequest "example-com-1030278725" to complete   49m

$ kubectl get CertificateRequest -o wide
NAME                     READY   ISSUER           STATUS                                                                                            AGE
example-com-1030278725   False   example-issuer   Waiting on certificate issuance from order default/example-com-1030278725-1017944607: "pending"   50m
-- Amdouni Mohamed Ali
cert-manager
google-cloud-platform
google-kubernetes-engine
lets-encrypt
ssl

1 Answer

11/29/2019

The problem is that you are trying to complete DNS01 challenges for a domain managed by Google Domains DNS Servers. This is not possible at this time.

Google Domains DNS is not Google Cloud DNS. You cannot use cert-manager for automatic DNS01 challenges with Google Domains. There is no API to set up TXT records in Google Domains. There is a supported API for cert-manager for Google Cloud DNS.

My recommendation: move your domain's DNS servers to Cloud DNS.

-- John Hanley
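The check the answer turns on is whether the domain is actually delegated to the Cloud DNS managed zone that the clouddns solver writes to. The following is an added diagnostic written for this page, not code from the question, the answer, cert-manager or Google. It compares the domain's live NS records (as printed by `dig +short NS`) with the `nameServers` list of the managed zone (as printed by `gcloud dns managed-zones describe --format=json`), and summarizes the cert-manager Challenge objects that sit behind the pending Order. The sample outputs embedded below are constructed; the zone name `my-domain-zone` and the function names are assumptions for the example.

```python
"""Diagnose a cert-manager DNS01 order stuck in "pending" on GKE.

Added example, not cert-manager's or Google's code. If the domain's live NS
records and the Cloud DNS managed zone's name servers disagree, cert-manager
will happily create the _acme-challenge TXT record in Cloud DNS and Let's
Encrypt will never see it, because the registrar (e.g. Google Domains) is
still answering for the zone.
"""
import json
import subprocess
import sys


def normalize_ns(names):
    """Lower-case and drop the trailing dot so dig and gcloud output compare equal."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def parse_dig_short(text):
    """`dig +short NS <domain>` prints one name server per line."""
    return normalize_ns(text.splitlines())


def parse_zone_ns(json_text):
    """`gcloud dns managed-zones describe <zone> --format=json` has a nameServers list."""
    return normalize_ns(json.loads(json_text).get("nameServers", []))


def delegation_status(live_ns, zone_ns):
    """Classify where the domain's authority actually lives.

    'cloud-dns' : live NS set equals the managed zone's set, DNS01 can succeed
    'partial'   : mixed NS sets, some resolvers will never see the TXT record
    'elsewhere' : a different zone (e.g. the registrar's) still serves the domain
    'no-ns'     : no NS records at all
    Note that both Cloud DNS and Google Domains hand out ns-cloud-*.googledomains.com
    hosts, so the hostname pattern proves nothing; the exact set must match.
    """
    live, zone = normalize_ns(live_ns), normalize_ns(zone_ns)
    if not live:
        return "no-ns"
    if live == zone:
        return "cloud-dns"
    if live & zone:
        return "partial"
    return "elsewhere"


def summarize_challenges(json_text):
    """Reduce `kubectl get challenges -o json` to (dnsName, state, reason) tuples.

    status.reason is where cert-manager reports solver errors, so read it next
    to the delegation result.
    """
    out = []
    for item in json.loads(json_text).get("items", []):
        spec, status = item.get("spec", {}), item.get("status", {})
        out.append((spec.get("dnsName"), status.get("state"), status.get("reason")))
    return out


def live_check(domain, zone, project):
    """Run the real commands (needs dig and an authenticated gcloud)."""
    dig = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, check=True).stdout
    desc = subprocess.run(["gcloud", "dns", "managed-zones", "describe", zone,
                           "--project", project, "--format=json"],
                          capture_output=True, text=True, check=True).stdout
    return delegation_status(parse_dig_short(dig), parse_zone_ns(desc))


# Constructed sample outputs: the registrar still serves the domain from one
# ns-cloud set, while the Cloud DNS zone in the project was assigned another.
DIG_SAMPLE = "ns-cloud-d1.googledomains.com.\nns-cloud-d2.googledomains.com.\n" \
             "ns-cloud-d3.googledomains.com.\nns-cloud-d4.googledomains.com.\n"
ZONE_SAMPLE = json.dumps({
    "name": "my-domain-zone", "dnsName": "my-domain.com.",
    "nameServers": ["ns-cloud-b1.googledomains.com.", "ns-cloud-b2.googledomains.com.",
                    "ns-cloud-b3.googledomains.com.", "ns-cloud-b4.googledomains.com."],
})
CHALLENGE_SAMPLE = json.dumps({"items": [
    {"spec": {"dnsName": "my-domain.com", "type": "DNS-01"},
     "status": {"state": "pending", "presented": True, "processing": True}},
    {"spec": {"dnsName": "www.my-domain.com", "type": "DNS-01"},
     "status": {"state": "pending", "presented": True, "processing": True}},
]})

if __name__ == "__main__":
    if len(sys.argv) == 4:  # python diag.py my-domain.com my-domain-zone my-project-id
        print("delegation:", live_check(*sys.argv[1:]))
    else:
        print("delegation (sample):",
              delegation_status(parse_dig_short(DIG_SAMPLE), parse_zone_ns(ZONE_SAMPLE)))
        for dns_name, state, reason in summarize_challenges(CHALLENGE_SAMPLE):
            print(f"challenge {dns_name}: state={state} reason={reason}")
```

Run it with a domain, managed-zone name and project ID to test the real delegation; with no arguments it runs over the constructed samples, which reproduce the situation in the answer: every Challenge is `pending` and the live NS set is a different `ns-cloud-*` set from the managed zone's, i.e. `elsewhere`. Only after the registrar's NS records are changed to the managed zone's four name servers does the result become `cloud-dns`.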
Source: StackOverflow