Preventing cert-manager from attempting DNS01 challenges using rewritten domains instead of ingress domains #3749
Unanswered
AlbinoDrought
asked this question in
Q&A
Replies: 2 comments
-
Can we consider this an issue?
-
For what it's worth, we experience the same issue (just with a different DNS provider - IONOS in our case).
-
Hello, I'm encountering an issue that is resulting from a combination of cert-manager and my CoreDNS config. (See also compumike/hairpin-proxy#10)
This issue can be reproduced by:
www.example.com
www.example.com to a cluster-local address in your CoreDNS config, like rewrite name www.example.com com-example-prod-web.com-example.svc.cluster.local
cluster.local instead of example.com. At least for the DigitalOcean provider, this fails (we don't control cluster.local) and the certificate can't be renewed
Output of dig www.example.com -t A:
Output of dig www.example.com -t SOA:
It appears that the translation may happen here:
I see at least a few ways to work around this:
Anybody else experience this, and if so, best resolution?