aellwein / cert-manager-webhook-netcup
cert-manager webhook implementation for use with Netcup provider
License: Apache License 2.0
Hi there!
First of all: thanks Alex for such a great component, it has been very helpful for me :-)
I have been using this webhook for the last year (every single version of it) along with cert-manager 1.9.1 at different cloud providers (managed and self-managed), and it has always worked perfectly.
Sadly, since the last release (1.0.16), newly provisioned clusters (at every provider) are getting an error when presenting the DNS challenge to Netcup. More precisely, describing the Challenge object outputs:
Error presenting challenge: unable to login to netcup API: Post "https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON": tls: failed to verify certificate: x509: certificate signed by unknown authority
What I've tried without success:
What I've tried with success:
So, it looks like everything points at this new release.
Please tell me if I can support you with further testing of this issue.
Again, thanks a lot for your precious time!
I created the following ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: netcup-issuer
  namespace: certmanager-system
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: netcup-le-secret
    solvers:
    - dns01:
        webhook:
          groupName: com.netcup.webhook
          solverName: netcup
          config:
            secretRef: netcup-secret
            secretNamespace: certmanager-system
But when requesting a certificate I get the following error:
cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="netcup.com.netcup.webhook is forbidden: User \"system:serviceaccount:certmanager-system:certmanager-cert-manager\" cannot create resource \"netcup\" in API group \"com.netcup.webhook\" at the cluster scope" "key"="longhorn-system/cm-storage-tls-jn5t9-848227378-862895558"
I installed with the following commands:
helm repo add cert-manager-webhook-netcup https://aellwein.github.io/cert-manager-webhook-netcup/charts/
helm install cert-manager-webhook-netcup cert-manager-webhook-netcup/cert-manager-webhook-netcup --namespace certmanager-system
The name from the install command differs from the example in the readme.
I own a domain example.com.
In an Ingress I'd like to run the DNS01 Challenge for a host *.app.example.com.
When I do this, the netcup webhook isn't able to find the resource app.example.com since I only have example.com.
Is there a specific workflow for this?
Currently this is published on Docker Hub only; would it be possible to publish a container image on ghcr as well?
I try to get a certificate based on my netcup domain. Unfortunately it fails, as found in the cert-manager pod log.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kube-mydomain-net-cert
  namespace: cert-manager
spec:
  commonName: 'kube.mydomain.net'
  secretName: kube-mydomain-net-cert
  dnsNames:
  - 'kube.mydomain.net'
  - '*.kube.mydomain.net'
  issuerRef:
    name: letsencrypt-staging-netcup
    kind: ClusterIssuer
But it will not fulfill the certificate request. I know I have to wait about 10 min to propagate, but it's still pending even after a day.
I0524 18:35:21.307621 1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="kube.mydomain.net" "domain"="kube.mydomain.net" "resource_kind"="Challenge" "resource_name"="kube-mydomain-net-cert-g47p8-752194941-2691253898" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E0524 18:35:21.432257 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="unable to parse host/domain out of resolved FQDN ('_acme-challenge.kube.mydomain.net.')" "key"="cert-manager/kube-mydomain-net-cert-g47p8-752194941-2691253898"
A query with dig shows the SOA entry, which defines which domain is authoritative:
dig @root-dns.netcup.net _acme-challenge.pvekube.tdressler.net. soa txt
;; Warning, extra type option
; <<>> DiG 9.16.1-Ubuntu <<>> @root-dns.netcup.net _acme-challenge.kube.mydomain.net. soa txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22304
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2585cb374e444deff7dc9acf628d289675d83ae79e8368ec (good)
;; QUESTION SECTION:
;_acme-challenge.kube.mydomain.net. IN TXT
;; AUTHORITY SECTION:
mydomain.net. 86400 IN SOA root-dns.netcup.net. dnsadmin.netcup.net. 2022052356 28800 7200 1209600 86400
The subdomain kube doesn't exist, but other providers (like Hetzner) are still creating an "_acme-challenge.kube" TXT record in mydomain.
Looking into the webhook code, the mentioned dnsName '_acme-challenge.kube.mydomain.net.' matches the regexp which triggers this message (checked with a regexp tester).
Maybe this line below is the problem?
if match != nil {
should be
if match == nil {
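As an added example (not the webhook's own code) covering both the wildcard question above (*.app.example.com with only example.com owned) and this parse error: split the challenge FQDN on the zone that the SOA lookup returned instead of on a fixed regexp, so host labels below a name that does not exist as its own subdomain (kube here, app in the wildcard case) still map to a TXT record in the zone the API manages. The function name splitFQDN and the inputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// splitFQDN splits a DNS-01 challenge name into the host part that must be
// created as a TXT record and the zone that the DNS API manages. zone is the
// owner name of the SOA record that dig returned (mydomain.net. above).
// Both arguments may carry the trailing dot of an absolute name.
func splitFQDN(fqdn, zone string) (host, domain string, err error) {
	f := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	z := strings.ToLower(strings.TrimSuffix(zone, "."))
	if f == "" || z == "" {
		return "", "", fmt.Errorf("empty fqdn %q or zone %q", fqdn, zone)
	}
	if f == z {
		// A challenge at the zone apex has no host label to strip.
		return "", "", fmt.Errorf("fqdn %q is the zone apex", fqdn)
	}
	// Compare on a label boundary so that "_acme-challenge.xmydomain.net"
	// is not mistaken for a name inside "mydomain.net".
	if !strings.HasSuffix(f, "."+z) {
		return "", "", fmt.Errorf("fqdn %q is not inside zone %q", fqdn, zone)
	}
	return strings.TrimSuffix(f, "."+z), z, nil
}

func main() {
	// Constructed inputs taken from the two issues above: the non-existent
	// subdomain "kube" and the wildcard *.app.example.com, whose ACME
	// challenge record lives at _acme-challenge.app.example.com.
	cases := []struct{ fqdn, zone string }{
		{"_acme-challenge.kube.mydomain.net.", "mydomain.net."},
		{"_acme-challenge.app.example.com.", "example.com."},
		{"_acme-challenge.xmydomain.net.", "mydomain.net."},
	}
	for _, c := range cases {
		host, domain, err := splitFQDN(c.fqdn, c.zone)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("TXT %q in zone %q\n", host, domain)
	}
}
```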
Hi and thank you for your work on this helm-chart. That's exactly what I need. When I execute
"helm install my-cert-manager-webhook-netcup cert-manager-webhook-netcup/cert-manager-webhook-netcup --namespace cert-manager",
I get the error message "* Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-06-03T05:12:52Z is after 2024-06-01T09:43:35Z"
What can be done to fix this?
Thank you very much!
Best regards,
Hendrik
Originally posted by @DerKnerd in cert-manager/cert-manager#4885 (comment)
Could you maybe extend it to support DNS records which are configured via *?
@DerKnerd Of course. I will test it, but I need to modify my configuration first. Please stay tuned ;-)
See this discussion for details.