How cert-manager and the Let's Encrypt challenge work

If you create an Ingress with TLS enabled while cert-manager is installed on the cluster (and the Ingress is annotated to point at an Issuer or ClusterIssuer), cert-manager will try to obtain a TLS certificate for the Ingress hosts.

For the Let's Encrypt server (the ACME server) to verify that we actually control the domain, it issues a challenge: a random token that we have to publish somewhere only the domain owner can, and that the ACME server then checks from the outside.

There are two types of challenge solver:

DNS-01 solver

The ACME server checks that _acme-challenge.yourdomain.com (with a hyphen, not an underscore) has a TXT record with the expected value. The value is not the raw token: it is derived from the token (which cert-manager obtains from the ACME server) and the ACME account key, so only a client holding that account key can produce it.

When cert-manager is set up for DNS-01 it needs permission to create DNS records in the zone, for example through Azure DNS credentials. Once a certificate is requested it creates the TXT record; once Let's Encrypt has verified it, cert-manager stores the certificate in a Kubernetes Secret and removes the TXT record again. You can watch the record appear with dig TXT _acme-challenge.yourdomain.com and follow the challenge state with kubectl get challenges -A. Scope the DNS credential to just the zone cert-manager manages: whoever holds it can publish records that pass this challenge for any name in that zone.

HTTP-01 solver

This solver proves control of the domain by serving the challenge token over HTTP from the domain itself.

With an HTTP-01 challenge, cert-manager creates a temporary Ingress, a Service and a solver Pod (all named cm-acme-http-solver-*) that serve the token, for example:

❯ kubectl describe ingress cm-acme-http-solver-sc8p9
Name:             cm-acme-http-solver-sc8p9
Namespace:        foo
Address:          1.222.333.444
Default backend:  default-http-backend:80
Rules:
  Host              Path  Backends
  ----              ----  --------
  accord.shell.com
                    /.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8   cm-acme-http-solver-gvmqg:8089 (1.22.33.44:8089)
Annotations:        nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0

This serves http://yourdomain.com/.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8 (single slash; in the output above the host is accord.shell.com). The ACME server fetches that URL over plain HTTP on port 80 and checks that the response body is the key authorization: the token followed by a dot and the thumbprint of the ACME account key, not the bare token. So the hostname must resolve publicly and port 80 must be reachable from the internet; that is why the solver Ingress carries the whitelist-source-range: 0.0.0.0/0,::/0 annotation, which keeps the solver path open even if your other Ingress rules restrict source IPs. You can reproduce the check from outside the cluster with curl on that URL; Let's Encrypt follows redirects, so an HTTP to HTTPS redirect is fine as long as the target serves the same body. The Ingress, Service and Pod are deleted once the challenge completes.
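Both challenges compare against values derived from the same key authorization. The following Python is an added example, not cert-manager's or Let's Encrypt's code: from a challenge token and an ACME account key it computes what the HTTP-01 response body and the DNS-01 TXT value must be, and checks them the way the ACME server does (RFC 8555 sections 8.1, 8.3 and 8.4, with the account-key thumbprint from RFC 7638). The token is the one from the Ingress output above; the P-256 public key coordinates are constructed placeholders, not a real account key, and the function names are my own.

```python
import base64
import hashlib
import json
import re

HTTP01_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens are base64url, no padding

# Token taken from the solver Ingress shown above; the key is a constructed
# (made-up) P-256 public key, used only to show the thumbprint arithmetic.
TOKEN = "3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member: must NOT influence the thumbprint
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the canonical JSON (sorted keys, no whitespace)
    of the required public members only, so 'kid', 'use', etc. are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. Binds the token to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_url(hostname: str, token: str) -> str:
    """Where the ACME server fetches for HTTP-01: always plain http on port 80."""
    return f"http://{hostname}{HTTP01_PREFIX}{token}"


def token_from_path(path: str):
    """Solver side: extract the token from a request path, rejecting anything
    that is not exactly one base64url token after the fixed prefix."""
    if not path.startswith(HTTP01_PREFIX):
        return None
    token = path[len(HTTP01_PREFIX):]
    return token if TOKEN_RE.fullmatch(token) else None


def verify_http01_response(body: str, token: str, account_jwk: dict) -> bool:
    """ACME server side (section 8.3): the body must be the key authorization;
    trailing whitespace is tolerated, anything else (e.g. the bare token) fails."""
    return body.rstrip() == key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), published as
    a TXT record at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def verify_dns01_records(txt_records: list, token: str, account_jwk: dict) -> bool:
    """ACME server side: the challenge passes if any TXT record at
    _acme-challenge.<domain> equals the expected value (other records may coexist)."""
    return dns01_txt_value(token, account_jwk) in txt_records


if __name__ == "__main__":
    print("HTTP-01 URL :", http01_url("accord.shell.com", TOKEN))
    print("HTTP-01 body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

The point of the thumbprint in both values is that the token alone is public (it sits in the Ingress path and in the challenge URL), so an attacker who can see it still cannot complete the challenge without the account key that cert-manager keeps in its Secret.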
