# How cert-manager and Let's Encrypt challenges work

If one creates an Ingress with TLS and cert-manager is installed on the cluster, cert-manager will try to obtain a TLS certificate for it.

For the Let's Encrypt server (the ACME server) to verify that we actually control the domain, it issues a challenge based on a token.

There are two types of solver:

### DNS resolver

The ACME server checks that `_acme-challenge.yourdomain.com` has a TXT record carrying the challenge token (the token is obtained by cert-manager when it talks to the ACME server).

When cert-manager is set up with DNS-01, it needs permission to create DNS records, for example via [Azure DNS](https://cert-manager.io/docs/configuration/acme/dns01/azuredns/). Once a certificate is requested, cert-manager creates that TXT record, and once Let's Encrypt has verified it, cert-manager stores the issued certificate in a Secret.

### HTTP resolver

This type of solver presents the token over an HTTP endpoint.

With the HTTP-01 challenge, cert-manager creates a temporary Ingress and a pod that serves the token.

For example:

```
❯ kubectl describe ingress cm-acme-http-solver-sc8p9
Name:             cm-acme-http-solver-sc8p9
Namespace:        foo
Address:          1.222.333.444
Default backend:  default-http-backend:80
Rules:
  Host              Path  Backends
  ----              ----  --------
  accord.shell.com
                    /.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8   cm-acme-http-solver-gvmqg:8089 (1.22.33.44:8089)
Annotations:        nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
```

This serves `http://yourdomain.com/.well-known/acme-challenge/3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8`. The ACME server fetches this URL and checks that the response matches the token.
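What the ACME server actually compares against, in both solver modes, is the key authorization (RFC 8555): the token joined with the RFC 7638 thumbprint of the ACME account key. The following is an added Python example (not cert-manager's code) that models the solver pod's response and the server-side check for HTTP-01, and the TXT value for DNS-01; the account JWK is constructed, the token is the one from the Ingress above.

```python
"""Model of the ACME HTTP-01 / DNS-01 key-authorization check (added example)."""
import base64
import hashlib
import json

# Token copied from the solver Ingress path above.
TOKEN = "3AEp9usn1kG261SOfOkJYHuVzga6VS0aD14PiUjPtK8"
# Constructed RSA account key (public JWK); a real one is created by cert-manager.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2ai"}
PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only,
    keys sorted, no whitespace. Extra members such as 'alg' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the HTTP-01 solver must return: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def solver_handler(path: str, token: str, account_jwk: dict):
    """Models the cm-acme-http-solver pod: answer only for the exact token path."""
    if path == PREFIX + token:
        return 200, key_authorization(token, account_jwk)
    return 404, ""


def acme_server_check(body: str, token: str, account_jwk: dict) -> bool:
    """The validation the ACME server performs on the fetched body. A reply that
    is only the token, or one built with a different account key, is rejected."""
    return body.strip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    status, body = solver_handler(PREFIX + TOKEN, TOKEN, SAMPLE_JWK)
    print(status, body, acme_server_check(body, TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT:", dns01_txt_value(TOKEN, SAMPLE_JWK))
```

Because Let's Encrypt validates from its own vantage points, the solver Ingress is deliberately open to all sources (the `whitelist-source-range` annotation above); the path itself is not a secret, and the key authorization cannot be forged without the private account key.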
