DNS01 and HTTP01 Solvers in a Single ClusterIssuer — Cert Manager

Cert Manager verifies domain ownership with either a DNS01 or an HTTP01 solver. Wildcard certificates can only be validated with the DNS01 solver. But what if you also need an SSL/TLS certificate for a single hostname, validated with the HTTP01 solver, alongside the DNS01 solver?

Solution: a single ClusterIssuer can carry both a DNS01 and an HTTP01 solver.

In this article, we will look at how to handle both HTTP01 and DNS01 solvers in a single ClusterIssuer resource and how Cert Manager selects a solver based on the requested DNS names. We will also configure the Ingress resource to use a different TLS secret for each host.

Create ClusterIssuer with HTTP01 and DNS01 solvers

Apply the following ClusterIssuer resource with kubectl apply -f clusterissuer.yaml. Replace <email>, <project_id>, <key.json>, and <service_account_secret> with actual values: <service_account_secret> is the Kubernetes Secret that holds the Google Cloud DNS service account credentials, and <key.json> is the key inside that Secret. The dns01 solver has a selector that matches only '*.app.example.com'; the http01 solver has no selector, so Cert Manager falls back to it for every other DNS name.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sampleclusterissuer
spec:
  acme:
    email: <email>
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    # DNS01 via Google Cloud DNS, used only for the wildcard name below
    - dns01:
        cloudDNS:
          project: <project_id>
          serviceAccountSecretRef:
            key: <key.json>
            name: <service_account_secret>
      selector:
        dnsNames:
        - '*.app.example.com'
    # HTTP01 via the nginx ingress class; no selector, so it is the fallback
    - http01:
        ingress:
          class: nginx
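To see which solver Cert Manager picks for each dnsName, here is a small Python model of its documented selection rules (an added example, not Cert Manager's own code). The solver names, the dnsZones generalization and the handling of a leading "*." in zone matching are assumptions made for the example.

```python
# Model of cert-manager ACME solver selection (added example, not cert-manager code).
# Documented rules: a solver with no selector matches every DNS name at the lowest
# priority; a dnsNames entry is an exact match and beats any dnsZones match; among
# dnsZones matches the longest zone wins; ties go to the solver listed first.
# matchLabels is left out for brevity.

# Constructed solver list mirroring the ClusterIssuer above (only the selector
# matters for selection; the cloudDNS / ingress details are irrelevant here).
SOLVERS = [
    {"name": "dns01-clouddns", "selector": {"dnsNames": ["*.app.example.com"]}},
    {"name": "http01-nginx", "selector": {}},
]


def _score(selector, dns_name):
    """Return a sortable score for how well `selector` matches `dns_name`,
    or None if it does not match at all. Larger tuples win."""
    if not selector:
        return (0, 0)                     # catch-all: matches, lowest priority
    if dns_name in selector.get("dnsNames", []):
        return (2, 0)                     # exact dnsNames hit beats any zone hit
    # Assumption: a wildcard name is compared against zones without its "*."
    bare = dns_name[2:] if dns_name.startswith("*.") else dns_name
    zones = [z for z in selector.get("dnsZones", [])
             if bare == z or bare.endswith("." + z)]
    if zones:
        return (1, max(len(z) for z in zones))  # longest matching zone wins
    return None


def select_solver(dns_name, solvers=SOLVERS):
    """Return the name of the solver that would handle one DNS name, or None
    when nothing matches (the Certificate would then fail with an error)."""
    best_name, best_score = None, None
    for solver in solvers:                # strict '>' keeps the earlier solver on ties
        score = _score(solver["selector"], dns_name)
        if score is not None and (best_score is None or score > best_score):
            best_name, best_score = solver["name"], score
    return best_name


def select_for_certificate(dns_names, solvers=SOLVERS):
    """Map every dnsName of a Certificate to its solver (one challenge each)."""
    return {name: select_solver(name, solvers) for name in dns_names}


if __name__ == "__main__":
    print(select_for_certificate(["*.app.example.com"]))  # wildcard -> dns01
    print(select_for_certificate(["test.example.com"]))   # no selector hit -> http01
```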

Create a wildcard certificate and a single-name certificate

Apply the wildcard certificate with kubectl apply -f wildcard-cert.yaml.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
spec:
  dnsNames:
  - '*.app.example.com'
  issuerRef:
    kind: ClusterIssuer
    name: sampleclusterissuer
  secretName: wildcard-cert

Apply the single certificate resource with kubectl apply -f single-cert.yaml.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: single-certificate
spec:
  dnsNames:
  - test.example.com
  issuerRef:
    kind: ClusterIssuer
    name: sampleclusterissuer
  secretName: http-cert

Configure the ingress to use the certificates

Apply the following Ingress resource with kubectl apply -f ingress.yaml. Each tls entry must reference the secretName of the matching Certificate (not the Certificate's own name), and the tls hosts must be names the certificate actually covers: a certificate for '*.app.example.com' does not cover the bare app.example.com.

# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on newer clusters
# use networking.k8s.io/v1, whose backend fields are named differently.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
  - host: '*.app.example.com'
    http:
      paths:
      - backend:
          serviceName: <service>
          servicePort: 80
        path: /
  - host: test.example.com
    http:
      paths:
      - backend:
          serviceName: <service2>
          servicePort: 80
        path: /
  tls:
  # secretName of the wildcard Certificate; hosts must be covered by it
  - hosts:
    - '*.app.example.com'
    secretName: wildcard-cert
  # secretName of the single Certificate (its spec.secretName is http-cert)
  - hosts:
    - test.example.com
    secretName: http-cert

Verify your certificates

To verify your certificates, run kubectl get certificates; the READY status should be True for both certificates. If it shows False, check the status of the challenges with kubectl get challenges, and describe a challenge for more details with kubectl describe challenge <challenge>.
