0

I have a certificate managed by cert-manager, on a Kubernetes cluster. It used to be renewed/validated via a HTTP01 ACME challenge but, because of security constraints (a firewall), that's not possible any more. I have to switch to a DNS01 ACME challenge (Cloudflare).

I think I have to change the Issuer from letsencrypt-prod to letsencrypt-prod-cloudflare, which I created for this... but I can't. I tried with kubectl patch and kubectl edit, with no success:

Before:

$ kubectl get certificates.cert-manager.io tls-certificate -o=jsonpath='{.spec.issuerRef}' | jq
{
  "group": "cert-manager.io",
  "kind": "ClusterIssuer",
  "name": "letsencrypt-prod"
}

Trying to patch:

$ kubectl patch certificates.cert-manager.io tls-certificate -p '{"spec":{"issuerRef":{"name":"letsencrypt-prod-cloudflare"}}}'
Error from server (UnsupportedMediaType): the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml

Editing seems not to fail:

$ kubectl edit certificates.cert-manager.io tls-certificate 
certificate.cert-manager.io/tls-certificate edited

... but the certificate still hasn't changed:

$ kubectl get certificates.cert-manager.io tls-certificate -o=jsonpath='{.spec.issuerRef}' | jq
{
  "group": "cert-manager.io",
  "kind": "ClusterIssuer",
  "name": "letsencrypt-prod"
}

So... any idea on how to switch from HTTP01 to DNS01? Thanks!

  • To switch a certificate's issuer in cert-manager from HTTP01 to DNS01 ACME verification, you will need to modify the ACME Issuer and specify the DNS01 provider configuration on the Issuer resource. In the Solvers configuration, you can also specify which challenge type, HTTP01 or DNS01, should be used for the certificate. Following these modifications, you will be able to submit a Certificate request with the updated issuer, and the DNS01 challenge will be used for verification. Please refer to this [documentation](https://cert-manager.io/docs/configuration/acme/dns01/) for more details. – Manish Bavireddy Jan 18 '23 at 14:49
  • Hmm... interesting... so what you suggest is not editing the certificate, but, instead, editing the ClusterIssuer... I did re-create the certificate with a minimum downtime (a few seconds). I'll post the answer here – Silvian Cretu Jan 19 '23 at 16:37

1 Answer

0

I ended up re-creating the certificate. In order to minimise the downtime, I did it like this:

set -eu
# the exported Secret contains the TLS private key: keep the backup readable by you only
umask 077
export BACKUP_PATH=/some/path/on/your/computer/
# we assume the secret and the certificate have the same resource name, `tls-certificate` in this case
export CERT=tls-certificate

# back up both the Certificate and the Secret that holds the issued key pair
kubectl get certificates.cert-manager.io "$CERT" -o yaml > "$BACKUP_PATH/$CERT-certificate.yaml"
kubectl get secrets "$CERT" -o yaml > "$BACKUP_PATH/$CERT-secret.yaml"

cp "$BACKUP_PATH/$CERT-certificate.yaml" "$BACKUP_PATH/$CERT-certificate.bak"
vim "$BACKUP_PATH/$CERT-certificate.yaml"

(change the ClusterIssuer to the DNS01 one; clean up...)

# delete the old objects; the service has no certificate between here and the re-issue
kubectl delete certificates.cert-manager.io "$CERT"
kubectl delete secret "$CERT"

# re-create the Certificate pointing at the DNS01 issuer; cert-manager issues a fresh Secret
kubectl apply -f "$BACKUP_PATH/$CERT-certificate.yaml"

and it worked!
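The patch error in the question and the delete/re-create approach in the answer can both be avoided. `kubectl patch` defaults to a strategic merge patch, which the API server does not support for custom resources such as cert-manager's Certificate (hence `UnsupportedMediaType`); passing `--type merge` makes the same patch succeed. Once the `issuerRef` no longer matches the `cert-manager.io/issuer-*` annotations on the existing Secret, cert-manager re-issues against the new issuer while the old key pair keeps serving, so the Secret never has to be deleted. The script below is an added example, not code from the question, the answer or the cert-manager project. It assumes a Certificate named `tls-certificate` in namespace `default`, a ClusterIssuer named `letsencrypt-prod-cloudflare`, a Cloudflare API token in a Secret named `cloudflare-api-token` (key `api-token`) in the cert-manager namespace, and the contact address `ops@example.com`; all of these are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: tls-certificate,
# letsencrypt-prod-cloudflare, cloudflare-api-token, ops@example.com.
set -eu

# Manifest for the DNS01 ClusterIssuer. The solver belongs on the issuer, not
# on the Certificate. Because this is a ClusterIssuer, cert-manager resolves
# apiTokenSecretRef in its own namespace (cert-manager by default). Scope the
# Cloudflare token to Zone:DNS:Edit plus Zone:Zone:Read for the zone only.
cloudflare_issuer_manifest() {
  cat <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-cloudflare
spec:
  acme:
    email: ops@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-cloudflare-account-key
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
EOF
}

# JSON merge patch that repoints a Certificate at another issuer. kubectl patch
# defaults to a strategic merge patch, which the API server rejects for custom
# resources with UnsupportedMediaType; the caller must pass --type merge.
issuer_patch() {
  issuer=$1
  kind=${2:-ClusterIssuer}
  printf '{"spec":{"issuerRef":{"name":"%s","kind":"%s","group":"cert-manager.io"}}}' \
    "$issuer" "$kind"
}

# Switch the issuer in place. cert-manager re-issues when the Certificate's
# issuerRef stops matching the cert-manager.io/issuer-* annotations on the
# existing Secret; the old key pair keeps serving until the new one is written,
# so there is no window without a certificate.
switch_issuer() {
  cert=$1
  issuer=$2
  ns=${3:-default}
  kubectl -n "$ns" patch certificates.cert-manager.io "$cert" \
    --type merge -p "$(issuer_patch "$issuer")"
  kubectl -n "$ns" wait --for=condition=Ready \
    "certificates.cert-manager.io/$cert" --timeout=10m
}

# Read back which issuer produced the Secret's current certificate, from the
# annotations cert-manager writes on the Secret.
secret_issuer() {
  kubectl -n "${2:-default}" get secret "$1" \
    -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}'
}

# Usage: sh switch-issuer.sh apply
# Creates the DNS01 issuer, repoints the Certificate, then prints the issuer
# name recorded on the Secret (expected: letsencrypt-prod-cloudflare).
case "${1:-}" in
  apply)
    cloudflare_issuer_manifest | kubectl apply -f -
    switch_issuer tls-certificate letsencrypt-prod-cloudflare
    secret_issuer tls-certificate
    ;;
esac
```

Run it with `apply` once the Cloudflare token Secret exists in the cert-manager namespace. If the Certificate does not become Ready, `kubectl describe certificates.cert-manager.io tls-certificate` and the associated Order and Challenge objects show whether the DNS01 record was created and propagated; the previous key pair stays in the Secret the whole time.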