DNS01 and HTTP01 Solvers in a Single ClusterIssuer — Cert Manager
Cert Manager verifies domain ownership using either the DNS01 or the HTTP01 solver. Wildcard certificates require the DNS01 solver, since HTTP01 cannot validate a wildcard name. But what if you also need to issue a certificate for a single hostname with the HTTP01 solver, alongside the DNS01 solver?
Solution: We can configure the ClusterIssuer to support both DNS01 and HTTP01 Solvers.
In this article, we will look at how we can handle both HTTP01 and DNS01 solvers in a single ClusterIssuer resource and select a solver based on DNS names. Also, we will configure the ingress resource to use different TLS secrets.
Create ClusterIssuer with HTTP01 and DNS01 solvers
Apply the following ClusterIssuer resource with kubectl apply -f clusterissuer.yaml. Replace <email>, <project_id>, <key.json>, and <service_account_secret> with actual values (<service_account_secret> is the Kubernetes Secret holding the Cloud DNS service account JSON, and <key.json> is the key inside that Secret).
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sampleclusterissuer
spec:
  acme:
    email: <email>
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    # Used only for names listed in the selector (exact match); wildcard names need DNS01
    - dns01:
        cloudDNS:
          project: <project_id>
          serviceAccountSecretRef:
            key: <key.json>
            name: <service_account_secret>
      selector:
        dnsNames:
        - '*.app.example.com'
    # No selector: this is the fallback solver for every other name
    - http01:
        ingress:
          class: nginx
```
Create the wildcard and single-name certificates
Apply the wildcard Certificate resource with kubectl apply -f wildcard-cert.yaml.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
spec:
  dnsNames:
  - '*.app.example.com'   # matches the dns01 solver's selector exactly
  issuerRef:
    kind: ClusterIssuer
    name: sampleclusterissuer
  secretName: wildcard-cert
```
Apply the single-name Certificate resource with kubectl apply -f single-cert.yaml.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: single-certificate
spec:
  dnsNames:
  - test.example.com       # no selector matches, so the http01 fallback solver is used
  issuerRef:
    kind: ClusterIssuer
    name: sampleclusterissuer
  secretName: http-cert    # the Secret the Ingress must reference
```
Configure the ingress to use the certificates
Apply the following ingress resource with kubectl apply -f ingress.yaml.
```yaml
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on newer clusters use
# networking.k8s.io/v1 (the backend fields become service.name / service.port).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
  - host: '*.app.example.com'
    http:
      paths:
      - backend:
          serviceName: <service>
          servicePort: 80
        path: /
  - host: test.example.com
    http:
      paths:
      - backend:
          serviceName: <service2>
          servicePort: 80
        path: /
  tls:
  - hosts:
    - '*.app.example.com'   # the wildcard cert covers *.app.example.com, not the apex app.example.com
    secretName: wildcard-cert
  - hosts:
    - test.example.com
    secretName: http-cert   # the Certificate's secretName, not its metadata.name (single-certificate)
```
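As an added example (not code from this article or from cert-manager), here is a small offline linter that mirrors the manifests above as plain Python dicts: it reproduces how cert-manager picks a solver for a DNS name (a dnsNames selector is an exact match, so foo.app.example.com would fall through to the HTTP01 fallback rather than the wildcard DNS01 solver), checks that each Ingress tls secretName is actually written by a Certificate, and checks that every TLS host is covered by that certificate's dnsNames (a wildcard covers one label, never the apex). The TLS_BAD block is a constructed mis-wiring, not part of the article.

```python
# Added example for this article (not cert-manager code): offline linter for the
# manifests above, mirrored as plain dicts so no YAML library is needed.
def name_covered(dns_name, host):
    """SAN coverage: '*.' matches exactly one leftmost label, so '*.app.example.com'
    covers foo.app.example.com but not app.example.com or a.b.app.example.com."""
    if dns_name.startswith("*."):
        base = dns_name[2:]
        return host.endswith("." + base) and "." not in host[: -len(base) - 1]
    return dns_name == host

def pick_solver(solvers, dns_name):
    """Mimic cert-manager's solver choice for one dnsName: a dnsNames selector must
    match exactly; a solver with no selector is the fallback. Returns the type key."""
    fallback = None
    for solver in solvers:
        kind = next(k for k in solver if k != "selector")
        selector = solver.get("selector", {})
        if dns_name in selector.get("dnsNames", []):
            return kind
        if not selector:
            fallback = kind
    return fallback

def lint_ingress_tls(tls_entries, certificates):
    """Each tls secretName must be written by a Certificate, and each host must be
    covered by that Certificate's dnsNames. Returns a list of problem strings."""
    sans_by_secret = {c["secretName"]: c["dnsNames"] for c in certificates}
    problems = []
    for entry in tls_entries:
        sans = sans_by_secret.get(entry["secretName"])
        if sans is None:
            problems.append(f"no Certificate writes secret {entry['secretName']}")
            continue
        problems += [f"{h} is not covered by {sans}" for h in entry["hosts"]
                     if not any(name_covered(n, h) for n in sans)]
    return problems

SOLVERS = [  # the two solvers from the ClusterIssuer above
    {"dns01": {"cloudDNS": {}}, "selector": {"dnsNames": ["*.app.example.com"]}},
    {"http01": {"ingress": {"class": "nginx"}}},
]
CERTIFICATES = [  # the two Certificate resources above
    {"dnsNames": ["*.app.example.com"], "secretName": "wildcard-cert"},
    {"dnsNames": ["test.example.com"], "secretName": "http-cert"},
]
TLS_OK = [{"hosts": ["*.app.example.com"], "secretName": "wildcard-cert"},
          {"hosts": ["test.example.com"], "secretName": "http-cert"}]
TLS_BAD = [  # constructed mis-wiring: wildcard cert used for the apex; Certificate name as secret
    {"hosts": ["app.example.com"], "secretName": "wildcard-cert"},
    {"hosts": ["test.example.com"], "secretName": "single-certificate"}]
```

lint_ingress_tls(TLS_OK, CERTIFICATES) returns an empty list, while the TLS_BAD block yields two problems, one per mistake.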
Verify your certificates
To verify your certificates, run kubectl get certificates; the READY column should show True for both certificates. If it shows False, check the status of the challenges with kubectl get challenges, and describe a challenge for more details: kubectl describe challenge <challenge>.