
Why cert-manager looks for a CNAME record instead of a TXT record? #74

Open cybercoder opened 1 month ago

cybercoder commented 1 month ago

I have developed my webhook using this example:

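// Present creates the DNS-01 challenge TXT record for the supplied
// ChallengeRequest.
//
// The target domain is derived from ch.DNSName by stripping a leading
// wildcard label ("*."). The domain must exist in dnsDomainRepository and
// have Status "ACTIVE"; otherwise an error is returned and nothing is
// written. On success a TXT record named after ch.ResolvedFQDN (trailing dot
// removed) holding ch.Key is created under that domain with a 60 second TTL.
//
// Errors are returned from loadConfig, from the domain lookup, or when the
// DNS name is empty or malformed, the domain is unknown, or it is inactive.
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
	// The config is loaded only to validate it here; the original assigned it
	// to an unused local, which Go rejects at compile time.
	if _, err := loadConfig(ch.Config); err != nil {
		return err
	}

	// Anchored so the match must cover the whole name, and the captured
	// group must start with a non-'*' character. An empty name or a bare or
	// doubled wildcard ("*.", "**.example") therefore fails to match and is
	// rejected below. The previous unanchored `(?:\*\.)?(.*)` matched every
	// input, which made the length check dead code and let an empty domain
	// reach the repository lookup.
	// Compiled per call for now; hoisting to package scope is a cheap
	// follow-up.
	re := regexp.MustCompile(`^(?:\*\.)?([^*].*)$`)
	matchDomain := re.FindStringSubmatch(ch.DNSName)
	if len(matchDomain) <= 1 {
		return errors.New("Invalid DNS name.")
	}
	domain := matchDomain[1]

	domainRecord, err := dnsDomainRepository.FindByName(domain)
	if err != nil {
		return err
	}
	if domainRecord == nil {
		return errors.New("The domain not found.")
	}
	if domainRecord.Status != "ACTIVE" {
		return errors.New("The domain is not active")
	}

	// NOTE(review): the domain is looked up from ch.DNSName, but the record
	// is named after ch.ResolvedFQDN. With cnameStrategy "Follow" the
	// resolved FQDN can belong to a different zone than DNSName; ch.ResolvedZone
	// is the zone cert-manager actually resolved and may be the safer key
	// for the lookup — confirm against how the repository is populated.
	// NOTE(review): Create's return value is discarded. If it can report an
	// error, return it so cert-manager retries instead of waiting on a record
	// that was never written (see the "not yet propagated" status).
	dnsRecordRepository.Create(&repositories.Record{
		DomainId: domainRecord.ID,
		Name:     util.UnFqdn(ch.ResolvedFQDN),
		Content:  ch.Key,
		Type:     "TXT",
		TTL:      60,
	})
	return nil
}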

It correctly inserts a TXT record into my records table, and I can see it has been set correctly:

dig TXT _acme-challenge.gomak.ir

; <<>> DiG 9.10.6 <<>> TXT _acme-challenge.gomak.ir
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61751
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.gomak.ir.  IN  TXT

;; ANSWER SECTION:
_acme-challenge.gomak.ir. 60    IN  TXT "LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y"

;; Query time: 283 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 08 16:12:35 +0330 2024
;; MSG SIZE  rcvd: 109

But my DNS server log shows that cert-manager is querying for a CNAME record instead of a TXT record!

[INFO] 10.42.0.1:22649 - 62747 "CNAME IN _acme-challenge.gomak.ir. udp 53 true 1400" NOERROR qr,aa,cd 128 0.000333351s

The Challenge resource looks like this:

apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2024-08-08T12:35:15Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: gomak-ir-tls-1-284811402-4243862973
  namespace: "1707237939748"
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: gomak-ir-tls-1-284811402
    uid: 33e5c54c-45d2-451b-a766-6e06e630db17
  resourceVersion: "19793552"
  uid: 440ee536-40c4-494b-9d09-a98f86354357
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/385640034797
  dnsName: gomak.ir
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ik8s-letsencrypt-webhook
  key: LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y
  solver:
    dns01:
      cnameStrategy: None
      webhook:
        groupName: acme.dns.ik8s.ir
        solverName: idns-acme
  token: JZ8dowQpahHFT0h7qiZc9TVwou3gYZ_4sY2ZNAN1ikE
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/385640034797/KD8vjQ
  wildcard: false
status:
  presented: true
  processing: true
  reason: 'Waiting for DNS-01 challenge propagation: DNS record for "gomak.ir" not
    yet propagated'
  state: pending

And I have set cnameStrategy to None. Why?