Configures a bind9 DNS server to accept RFC2136-compliant dynamic zone updates from Kubernetes cert-manager, so that the ACME DNS01 challenge can be used to obtain wildcard certificates for a domain.
- Generate a TSIG key

```shell
tsig-keygen -a hmac-sha256
```
- Adjust the bind9 configuration. The `key` block is exactly what `tsig-keygen` prints; the `update-policy` grants that key write access to TXT records below `example.org` and to nothing else.

```
key "letsencrypt" {
    algorithm hmac-sha256;
    secret "{{ abcdef-base64-key== }}";
};

zone "example.org" IN {
    type master;
    file "example.org.db";
    update-policy {
        grant letsencrypt subdomain example.org. TXT; # for _acme-challenge.*.example.org
    };
};
```
- Make sure that bind9 can create the journal file `example.org.db.jnl` next to the zone file; this is where the dynamic records are stored. It usually requires giving the `bind` user write access to the zone directory, e.g. `chown -R bind:bind /etc/bind/ && chmod u+wx /etc/bind`. If AppArmor enforces the stock named profile (Debian/Ubuntu), `/etc/bind` stays read-only for named and dynamically updated zones belong under `/var/lib/bind` instead.
- Test that bind9 accepts zone updates signed with the key, then confirm the result with `dig`

```shell
nsupdate <<EOF
server 127.0.0.1 53
key hmac-sha256:letsencrypt abcdef-base64-key==
class IN
update del _acme-challenge.subdomain.example.org 1 TXT
show
send
EOF
dig -t TXT @127.0.0.1 _acme-challenge.subdomain.example.org
```
- Configure Kubernetes cert-manager. Because the issuer is a `ClusterIssuer`, the Secret holding the TSIG key must live in cert-manager's cluster resource namespace (`cert-manager` by default), otherwise the solver cannot find it.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret.letsencrypt-tsig01
type: Opaque
stringData:
  tsig: abcdef-base64-key==
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: issuer.default-staging02
spec:
  acme:
    email: viah_info@leadec-services.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: issuer-private-key.default-staging01
    solvers:
    - dns01:
        rfc2136:
          nameserver: ingress01.internal.eu01.leadec-ic.com
          tsigKeyName: letsencrypt
          tsigAlgorithm: HMACSHA256
          tsigSecretSecretRef:
            name: secret.letsencrypt-tsig01
            key: tsig
```
- Request a certificate

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate.dns01-test01
spec:
  commonName: "*.subdomain.example.org"
  secretName: tls.dns01-test01
  dnsNames:
  - "*.subdomain.example.org"
  issuerRef:
    kind: ClusterIssuer
    name: issuer.default-staging02
```