zachomedia / cert-manager-webhook-pdns

A PowerDNS webhook for cert-manager
MIT License

Proxy from environment is ignored when using Custom CA bundles #17

Closed Meallia closed 2 years ago

Meallia commented 2 years ago

When trying to use a custom CA bundle and a proxy provided through environment variables, the ACME challenge fails with the following error:

failed loading existing records for _acme-challenge.example.com.
in domain example.com.: failed loading zone example.com.:
Get "https://pdns-api:443/api/v1/servers/localhost/zones/example.com":
dial tcp: lookup pdns-api on 10.247.3.10:53: no such host

If no CA bundle is provided, the powerdns client reaches the API through the proxy but fails with an SSL error:

failed loading existing records for _acme-challenge.example.com.
in domain example.com.: failed loading zone example.com.:
Get "https://pdns-api:443/api/v1/servers/localhost/zones/example.com":
x509: certificate signed by unknown authority

The customized transport with the CA bundle disregards the proxy passed by env.

zachomedia commented 2 years ago

Thanks for the report!

I did find that a Clone method was added to the Transport struct (https://github.com/golang/go/issues/26013), so I'll try quickly to see if I can get that to work; otherwise I'll go with the simple fix you provided!
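As an added illustration of the report above and of the Transport.Clone approach mentioned in this comment (example code, not the webhook's own source): the first constructor builds a bare http.Transport carrying only the CA pool, which is the pattern that silently drops HTTP(S)_PROXY from the environment; the second clones http.DefaultTransport so Proxy: http.ProxyFromEnvironment and the default timeouts survive, then swaps in the custom root CAs. The CA certificate, the proxy address and the PowerDNS URL are constructed for the demo; a real deployment loads its bundle from a file or Secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"time"
)

// buggyTransport mirrors the pattern described in the issue: a fresh
// http.Transport that carries only the CA pool. Proxy (and every other
// field) stays at its zero value, so HTTPS_PROXY is never consulted and
// the client tries to resolve the API host directly.
func buggyTransport(pool *x509.CertPool) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}
}

// fixedTransport starts from a clone of the default transport (Transport.Clone,
// Go 1.13+), which already has Proxy: http.ProxyFromEnvironment and sane
// dial/TLS handshake timeouts, and only replaces the root CA set.
func fixedTransport(pool *x509.CertPool) *http.Transport {
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.TLSClientConfig = &tls.Config{RootCAs: pool}
	return t
}

// proxyFor reports the proxy URL a transport would use for rawURL, or ""
// when the request would go direct.
func proxyFor(t *http.Transport, rawURL string) (string, error) {
	if t.Proxy == nil {
		return "", nil
	}
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	u, err := t.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

// constructedCAPEM generates a throwaway self-signed CA so the example runs
// offline (constructed for the demo; not a real bundle).
func constructedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-internal-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// poolFromPEM builds the root pool and refuses an empty or malformed bundle
// instead of silently falling back to an empty trust store.
func poolFromPEM(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no certificates found in CA bundle")
	}
	return pool, nil
}

func main() {
	os.Setenv("HTTPS_PROXY", "http://proxy.internal:3128") // constructed proxy address
	caPEM, err := constructedCAPEM()
	if err != nil {
		panic(err)
	}
	pool, err := poolFromPEM(caPEM)
	if err != nil {
		panic(err)
	}
	const api = "https://pdns-api:443/api/v1/servers/localhost/zones/example.com"
	for _, c := range []struct {
		name string
		t    *http.Transport
	}{{"buggy", buggyTransport(pool)}, {"fixed", fixedTransport(pool)}} {
		p, err := proxyFor(c.t, api)
		fmt.Printf("%s transport: proxy=%q err=%v\n", c.name, p, err)
	}
}
```

Running it prints an empty proxy for the buggy transport and http://proxy.internal:3128 for the cloned one, which matches the "no such host" symptom in the report: with the bare transport the client skips the proxy and tries to resolve pdns-api itself. Note that http.ProxyFromEnvironment reads the proxy variables once per process, so they must be set before the first request.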

zachomedia commented 2 years ago

Release v2.1.1 (Helm chart v2.1.2) should have the fix for this now!

Thanks again for the report :)

zachomedia commented 2 years ago

I've also added a test case for this, so it will be tested with future updates.