how cert manager and letsencrypt challenge works
If one creates an ingress will TLS and cert-manager is available on the cluster, it will try to generate an SSL certificate.
In order for letsencrypt server (ACME server) verify that we actually control the domain, they will verify using some kind of token challenges
There are 2 type of the resolver
ACME server will check that
_acme_challenge.yourdomain.com contains TXT record with a token (token is generated by cert-manager by communicating with the ACME server)When cert-manager is setup using DNS-01. It should have ability to create a new DNS record. For example using Azure DNS. Once a ssl certificate was requested, it will create that TXT record. and once letsencrypt verify it will store the certificate on a secret
HTTP resolver
This type of resolver checks a token by providing an HTTP endpoint.
with HTTP-01 challenge, cert-manager will create an ingress that and a pod that serve the token
for example
❯ kubectl describe ingress cm-acme-http-solver-sc8p9
Name: cm-acme-http-solver-sc8p9
Namespace: foo
Address: 1.222.333.444
Default backend: default-http-backend:80
Rules:
Host Path Backends
---- ---- --------
accord.shell.com
/.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8 cm-acme-http-solver-gvmqg:8089 (1.22.33.44:8089)
Annotations: nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
this should serve
http://yourdomain.com//.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8 ACME server will call this endpoint and check that the response match the token.
Last modified 1yr ago