How cert-manager and the Let's Encrypt challenge work
If you create an Ingress with TLS on a cluster where cert-manager is installed, cert-manager will try to obtain a TLS certificate for it.
For the Let's Encrypt server (the ACME server) to verify that we actually control the domain, it issues a token-based challenge that we have to answer.
There are two types of challenge solver (resolver):
DNS resolver
The ACME server checks that _acme-challenge.yourdomain.com
contains a TXT record holding the challenge value for the token (the token comes out of cert-manager's exchange with the ACME server).
When cert-manager is set up for DNS-01 it must be able to create DNS records, for example in Azure DNS. Once a certificate is requested, cert-manager creates that TXT record, and once Let's Encrypt has verified it, cert-manager stores the issued certificate in a Secret.
HTTP resolver
This type of solver proves possession of the token by serving it on an HTTP endpoint.
With the HTTP-01 challenge, cert-manager creates a temporary Ingress and a pod that serve the token.
For example, the endpoint should serve http://yourdomain.com/.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8
The ACME server calls this endpoint and checks that the response matches the token.
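To make both challenges concrete, here is an added example (not cert-manager's or Let's Encrypt's code) that builds what the client must publish for HTTP-01 and DNS-01 and what the ACME server compares against, following RFC 8555 and the RFC 7638 key thumbprint. It reuses the token from the URL above with yourdomain.com; the account key JWK is a constructed sample, not a real key.

```python
import base64
import hashlib
import json
import re

# Constructed sample ACME account key (public JWK part); not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus-not-a-real-key"}
# Token as it appears in the challenge URL above.
SAMPLE_TOKEN = "3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8"
# RFC 8555 tokens are base64url with at least 128 bits of entropy (22+ chars).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Token bound to the account key: this is what the client must prove it holds."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not a base64url string of the required length")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """Path the HTTP-01 solver pod must serve (single slash after the host)."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_record(domain: str, token: str, jwk: dict):
    """(name, value) cert-manager publishes for DNS-01: the hashed key authorization."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def acme_server_checks_http01(body: str, token: str, jwk: dict) -> bool:
    """Server side: the fetched body must equal the key authorization exactly."""
    return body.strip() == key_authorization(token, jwk)


def acme_server_checks_dns01(txt_records: list, domain: str, token: str, jwk: dict) -> bool:
    """Server side: some TXT record at _acme-challenge.<domain> must match the expected value."""
    _, expected = dns01_record(domain, token, jwk)
    return expected in txt_records
```

Note that the HTTP-01 body is the token plus the account-key thumbprint, and the DNS-01 TXT value is a hash of that, so serving the bare token alone fails the check.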