Question

Godaddy DNS Record copy for Kubernetes Certmanager

Posted April 4, 2021
Kubernetes

I’ve been trying to get cert-manager working on Kubernetes. After having countless issues with ingress and HTTP01 challenges (I ran into this issue: https://stackoverflow.com/questions/61797014/error-broken-header-get-well-known-acme-challeng-with-letsencrypt-on-kuberna), it looks like the next step is to try DNS01 resolution instead of HTTP.

I tried changing to the DigitalOcean-supported DNS resolution, but now came across the challenge failing via multiple cases of the following:

cert-manager Error presenting challenge: GET https://api.digitalocean.com/v2/domains/gapcm.com/records: 404 (request “419c6f10-c4b2-4281-a0f3-341e9eb3fb80”) Resource not found

My domain is bought from, and its DNS records are hosted with, GoDaddy. It looks like I’d need to find a GoDaddy-specific DNS01 challenge resolution method at that point (which isn’t supported by cert-manager: https://github.com/jetstack/cert-manager/issues/1083, so probably not), or it seems like I’d need to transfer the DNS records (and I assume the domain services themselves) to DigitalOcean, which is also a probably not (because our company has many domains and email services through GoDaddy).

Can someone confirm this for me, or let me know if there’s a way to fix any of the above issues? Ideally HTTP01 would just work. I shouldn’t have to have 200+ (not an overstatement) tabs of research and 6+ straight days of debugging to migrate my docker-compose app to Kubernetes.

2 answers

Thanks nabsul for your answer! I actually (FINALLY) ended up fixing the issues and seeing a working HTTPS page on my app. Ultimately, this page was the lifesaver:

https://github.com/jetstack/cert-manager/issues/466

A few things to note. First was the comment: “Unfortunately the DNS01 challenge is broken for DigitalOcean in 0.7.0 (and based on my testing in 0.6.0 as well) so HTTP01 is a must for DO.”

Whereas one answer said to abandon HTTP and use DNS, another says DNS is broken on DigitalOcean so HTTP is required. Talk about confusing!

The second is the answer towards the bottom by compumike, who references his https://github.com/compumike/hairpin-proxy. It’s a one-line kubectl apply install, and it describes the issue in detail and the relatively simple fix for it. With ingress-nginx and cert-manager, “It Just Works” out of the box, and it was the final piece of the puzzle that I’d spent over 24 hours on (trying to get ingress and cert-manager to work).

Please raise awareness of this issue for anyone else struggling.

PS: There was another answer under compumike’s by KeksBeskvitovich that looks like it said there’s an annotation you can add to the ingress controller service (service.beta.kubernetes.io/do-loadbalancer-hostname: https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/annotations.md#servicebetakubernetesiodo-loadbalancer-hostname) that may be a simpler and more official answer as a DigitalOcean-specific annotation, but I haven’t tried this.
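The HTTP01 setup the answer above arrived at, written out as an added example (this is not code from the thread, from cert-manager, or from DigitalOcean's docs): the ingress-nginx controller Service carrying the `do-loadbalancer-hostname` annotation mentioned in the PS, the ConfigMap that makes ingress-nginx expect the PROXY protocol header, a ClusterIssuer that solves HTTP01 through the nginx ingress class, and an Ingress that requests the certificate. The namespace `ingress-nginx`, the hostnames `lb.example.com` and `app.example.com`, the address `admin@example.com`, the backend Service `my-app` and its port 8080 are placeholders, not values from the page.

```yaml
# Added example, not from the thread, cert-manager or DigitalOcean.
# Assumed placeholders: namespace ingress-nginx, lb.example.com,
# app.example.com, admin@example.com, backend Service my-app on port 8080.
---
# 1. ingress-nginx controller Service. With the hostname annotation the
#    cloud controller publishes a DNS name instead of the IP in the Service
#    status, so kube-proxy does not program a short-circuit rule for the
#    load balancer IP. cert-manager's in-cluster self-check of the
#    /.well-known/acme-challenge/ URL then leaves the cluster and comes back
#    through the load balancer with the PROXY header ingress-nginx expects,
#    which is the hairpin problem behind the "broken header" error.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-hostname: "lb.example.com"
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
---
# 2. ingress-nginx must be told to parse the PROXY protocol header that the
#    load balancer now sends; without this it serves plain HTTP and logs
#    errors for every PROXY-prefixed connection.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  use-proxy-protocol: "true"
---
# 3. ClusterIssuer solving HTTP01 via the nginx ingress class. No DNS API
#    token is stored in the cluster, so the GoDaddy-hosted zone is untouched.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Use https://acme-staging-v02.api.letsencrypt.org/directory while
    # debugging so failed attempts do not count against production limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
# 4. Ingress that asks cert-manager for the certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 8080
```

Apply the Service first, take the load balancer's public IP from the DigitalOcean control panel (with the annotation, `kubectl get svc` shows the hostname rather than the IP), create an A record for `lb.example.com` pointing at it and a CNAME from `app.example.com` to `lb.example.com` in the GoDaddy zone, then apply the rest. Because HTTP01 needs no DNS provider credentials, this keeps any API token out of the cluster, which is also why it is the better fit when the zone is not at a provider cert-manager can drive: the 404 from `/v2/domains/gapcm.com/records` in the question is the DigitalOcean API reporting that the zone is not managed in that account, which the DNS01 solver requires.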

I was also disappointed by cert-manager last year and the lack of support when things go wrong. To be fair, it is free software ¯\_(ツ)_/¯

This took me down a road to eliminate the need for cert-manager altogether. I first learned how to manually issue certs, then I built my own tool with the aim of being simpler and more reliable than cert-manager:

https://nabeel.blog/2020/10/23/k8s-letsencrypt-manual
https://nabeel.blog/2021/02/06/kcert
https://nabeel.blog/2021/03/21/kcert-release

So far I’m the only person using it, but if you’re willing to experiment I’d be happy to help you use it, fix any bugs, and hopefully improve it for others.