Why cert-manager looks for a CNAME record instead of a TXT record? #74

@cybercoder


I have developed my webhook using this example:

```go
// Present is called by cert-manager to create the DNS-01 challenge record.
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
	cfg, err := loadConfig(ch.Config)
	if err != nil {
		return err
	}

	// Strip an optional leading "*." so wildcard names map to their zone.
	pattern := `(?:\*\.)?(.*)`
	re := regexp.MustCompile(pattern)
	matchDomain := re.FindStringSubmatch(ch.DNSName)
	if len(matchDomain) <= 1 {
		return errors.New("Invalid DNS name.")
	}
	domain := matchDomain[1]

	// Look up the zone in our own domain table and make sure it is active.
	domainRecord, err := dnsDomainRepository.FindByName(domain)
	if err != nil {
		return err
	}
	if domainRecord == nil {
		return errors.New("The domain not found.")
	}
	if domainRecord.Status != "ACTIVE" {
		return errors.New("The domain is not active")
	}

	// Insert the TXT record at ch.ResolvedFQDN (without the trailing dot)
	// with the challenge key as its content.
	dnsRecordRepository.Create(&repositories.Record{
		DomainId: domainRecord.ID,
		Name:     util.UnFqdn(ch.ResolvedFQDN),
		Content:  ch.Key,
		Type:     "TXT",
		TTL:      60,
	})
	return nil
}
```

It correctly inserts a TXT record into my records table, and I can see it has been set correctly:

```
dig TXT _acme-challenge.gomak.ir

; <<>> DiG 9.10.6 <<>> TXT _acme-challenge.gomak.ir
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61751
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.gomak.ir.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.gomak.ir. 60	IN	TXT	"LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y"

;; Query time: 283 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 08 16:12:35 +0330 2024
;; MSG SIZE  rcvd: 109
```

But my DNS server log shows that cert-manager is querying for a CNAME record instead of a TXT record!

```
[INFO] 10.42.0.1:22649 - 62747 "CNAME IN _acme-challenge.gomak.ir. udp 53 true 1400" NOERROR qr,aa,cd 128 0.000333351s
```

The challenge looks like this:

```yaml
apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2024-08-08T12:35:15Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: gomak-ir-tls-1-284811402-4243862973
  namespace: "1707237939748"
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: gomak-ir-tls-1-284811402
    uid: 33e5c54c-45d2-451b-a766-6e06e630db17
  resourceVersion: "19793552"
  uid: 440ee536-40c4-494b-9d09-a98f86354357
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/385640034797
  dnsName: gomak.ir
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ik8s-letsencrypt-webhook
  key: LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y
  solver:
    dns01:
      cnameStrategy: None
      webhook:
        groupName: acme.dns.ik8s.ir
        solverName: idns-acme
  token: JZ8dowQpahHFT0h7qiZc9TVwou3gYZ_4sY2ZNAN1ikE
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/385640034797/KD8vjQ
  wildcard: false
status:
  presented: true
  processing: true
  reason: 'Waiting for DNS-01 challenge propagation: DNS record for "gomak.ir" not
    yet propagated'
  state: pending
```

And I have set the cnameStrategy to None.
Why?
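As an added example, not code from this issue or from the webhook-example project: a small Go program that derives the zone and the TXT record for a challenge the way the Present() above needs them (also covering the wildcard `*.gomak.ir` case, for which the challenge name is still `_acme-challenge.gomak.ir.`), and runs a local check over constructed DNS answers for the condition a propagation check waits for: a TXT record at the challenge name whose content equals the key. `Record`, `zoneFromDNSName`, `challengeRecord` and `txtPresent` are hypothetical names; the answer set is constructed from the dig output in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Record is a hypothetical stand-in for the webhook's repositories.Record.
type Record struct{ Name, Type, Content string }

// zoneFromDNSName maps "*.gomak.ir" and "gomak.ir" to the zone "gomak.ir". The
// regexp in the issue always matches, so its error branch is dead; this one is not.
func zoneFromDNSName(dnsName string) (string, error) {
	zone := strings.TrimSuffix(strings.TrimPrefix(dnsName, "*."), ".")
	if zone == "" || strings.HasPrefix(zone, "*") {
		return "", errors.New("invalid DNS name")
	}
	return zone, nil
}

// challengeRecord is the TXT record to present: ResolvedFQDN minus its trailing dot.
func challengeRecord(resolvedFQDN, key string) Record {
	return Record{Name: strings.TrimSuffix(resolvedFQDN, "."), Type: "TXT", Content: key}
}

// txtPresent reports whether the answers for fqdn include a TXT record equal to key,
// which is what the propagation check waits for. A CNAME owned by the same name is an
// error: a name with a CNAME cannot also own a TXT record.
func txtPresent(answers []Record, fqdn, key string) (bool, error) {
	name := strings.TrimSuffix(fqdn, ".")
	for _, a := range answers {
		if strings.TrimSuffix(a.Name, ".") != name {
			continue
		}
		if a.Type == "CNAME" {
			return false, fmt.Errorf("%s is a CNAME to %s; no TXT can exist here", name, a.Content)
		}
		if a.Type == "TXT" && a.Content == key {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	rec := challengeRecord("_acme-challenge.gomak.ir.", "LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y")
	ok, err := txtPresent([]Record{rec}, "_acme-challenge.gomak.ir.", rec.Content)
	fmt.Println(ok, err) // answers constructed from the issue's dig output
}
```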
