
Like GitBook, which provides custom domains, I have to design a service where users can register their own custom domain. For example, I have a service hosting.example.com and users can register any domain on this service. In this case I want the user to edit JUST the CNAME, for example sub1.example.net CNAME to hosting.example.com.

My service already processes the virtual host and can provide service normally over HTTP. Now I have to provide HTTPS with Let's Encrypt. I've surveyed acme.sh, but it HAS TO have an extra CNAME _acme-challenge.sub1.example.net. I want to remove this step and keep the user editing one and only one CNAME record in DNS.

Since my service is based on a K8S environment, the HTTP-01 challenge is not suitable in this case.

[UPDATE] Since I'm using the wildcard CA, DNS-01 seems to be the only possible method.

cmj
  • Why don't you use an HTTP challenge? You can certainly do this on k8s. It would be rather useless if k8s couldn't handle HTTP... – Michael Hampton Sep 24 '20 at 06:07
  • @MichaelHampton I have two environments, production and staging, where staging is only accessible from whitelisted IP addresses. I'm not sure whether HTTP-01 / cert-manager is workable or not. I'll check it right now – cmj Sep 24 '20 at 06:22

1 Answer

OK, finally I solved my question.

First, DNS-01 forces verification of the _acme-challenge DNS prefix, so my original question is not possible. In my scenario I've provided two issuers, DNS-01 and HTTP-01: one for my wildcard CA purpose and one for the dynamic CNAME purpose.

In the same namespace there are two issuers: letsencrypt-dns01 and letsencrypt-http01. When I need the wildcard CA, I create a Certificate with issuerRef pointing to letsencrypt-dns01.

Moreover, when creating the Certificate from Python, the service (deployment) needs an extra service account with the related permission.

cmj
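The two-issuer setup from this answer, driven from Python as the last paragraph describes; this is an added example, not the asker's code. It assumes Issuers named letsencrypt-dns01 and letsencrypt-http01 in the Certificate's namespace, a ServiceAccount bound to a Role allowing create on certificates.cert-manager.io, and constructed domain names.

```python
"""Create a cert-manager Certificate for a customer domain, picking the
issuer by domain shape: wildcard -> DNS-01, customer CNAME host -> HTTP-01.
Issuer names, namespace and domains are assumptions for this example."""
import re
from typing import Any, Dict

GROUP, VERSION, PLURAL = "cert-manager.io", "v1", "certificates"
# A plain hostname or a single leading wildcard label; anything else is
# rejected before a Certificate object is ever submitted to the API server.
HOSTNAME_RE = re.compile(r"^(\*\.)?(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def pick_issuer(domain: str) -> str:
    """Wildcards can only be validated with DNS-01 (the _acme-challenge
    record); a host that merely CNAMEs to us can use HTTP-01."""
    return "letsencrypt-dns01" if domain.startswith("*.") else "letsencrypt-http01"


def build_certificate(namespace: str, domain: str) -> Dict[str, Any]:
    """Build the Certificate manifest; raises ValueError on a bad hostname."""
    domain = domain.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(domain):
        raise ValueError(f"not a valid hostname: {domain!r}")
    # Object names must be DNS-1123 subdomains, so '*' cannot appear in them.
    name = domain.replace("*.", "wildcard.")
    return {
        "apiVersion": f"{GROUP}/{VERSION}",
        "kind": "Certificate",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "secretName": f"{name}-tls",
            "dnsNames": [domain],
            "issuerRef": {"name": pick_issuer(domain), "kind": "Issuer"},
        },
    }


def create_certificate(custom_api: Any, manifest: Dict[str, Any]) -> Dict[str, Any]:
    """custom_api is a kubernetes.client.CustomObjectsApi. Returns the stored
    object, or raises ApiException (403 when the ServiceAccount lacks RBAC)."""
    return custom_api.create_namespaced_custom_object(
        group=GROUP, version=VERSION, plural=PLURAL,
        namespace=manifest["metadata"]["namespace"], body=manifest)


if __name__ == "__main__":  # run in-cluster under the bound ServiceAccount
    from kubernetes import client, config
    config.load_incluster_config()
    print(create_certificate(client.CustomObjectsApi(),
                             build_certificate("hosting", "sub1.example.net")))
```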