
I created two files, one for the ClusterIssuer and the second for the Certificate. My domain is example.com and I need to create a new subdomain with the wildcard *.testing.example.com; I already created an entry in Route53 called *.testing.example.com with an A record mapped to the NLB.

Below are my profiles, which look good to me, but I am getting the error "msg"="propagation check failed" "error"="DNS record for \"testing.example.com\" not yet propagated"

ClusterIssuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: devops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    # example: cross-account zone management for example.com
    # this solver uses ambient credentials (i.e. inferred from the environment or EC2 Metadata Service)
    # to assume a role in a different account
    - selector:
        dnsZones:
          - "example.com"
      dns01:
        route53:
          region: ap-south-1
          hostedZoneID: 71MYVttggee
          role: arn:aws:iam::123456:role/dns-manager



Certificate.yaml

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-cert
spec:
  secretName: acme-crt
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  commonName: testing.example.com
  dnsNames:
    - '*.testing.example.com'
  # NOTE: spec.acme on a Certificate is the pre-v0.11 (v1alpha1) form and
  # is not part of the v1alpha2 Certificate spec used above; the DNS-01
  # solver is configured on the ClusterIssuer instead, so this block is
  # redundant and is kept here commented out only for reference.
  #acme:
  #  config:
  #  - dns01:
  #      provider: route53
  #    domains:
  #      - '*.testing.example.com'

2 Answers


What you have is correct; you just need to wait for DNS propagation so that the verification records can be checked by LetsEncrypt.

coderanger

You have to use the DNS-01 method for verification.

You can use the issuer described at

https://cert-manager.io/docs/configuration/acme/dns01/

however, you also have to create another YAML for the certificate:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    # kind: Issuer is namespaced; use kind: ClusterIssuer if that is what you created
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.example.in"
  dnsNames:
    - "*.example.in"

The above Certificate YAML points to the issuer that you created, and once you get the certificate it will be stored in the Kubernetes secret named tls-secret.

You can inject or use this secret on the ingress.

Also, if you are facing the 403 error about the CAA record, please add the CAA record in the DNS zone first, the same way we add an A or CNAME record.

For more ref : https://stackoverflow.com/a/68476135/5525824

Harsh Manvar
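The propagation wait in the first answer and the CAA note in the second both come down to what the zone's authoritative nameservers answer, and neither depends on the A record pointing at the NLB: cert-manager writes the DNS-01 TXT record into Route53 itself through the assumed role. As an added example that is not part of the question or of either answer, the Python script below reproduces both checks for the names in the question. It derives the _acme-challenge TXT name that DNS-01 uses for *.testing.example.com (the wildcard label is dropped, which is why the error message names testing.example.com), queries each authoritative nameserver of example.com for it rather than the local recursive resolver (cert-manager's propagation check does the same), and walks the CAA records upward from the name as RFC 8659 specifies to see whether letsencrypt.org is allowed to issue. Lookups shell out to dig (assumed to be installed); SAMPLE_ANSWERS, sample_lookup, the token tokenABC and the nameserver names are constructed stand-ins so the script also runs offline.

```python
"""Offline-testable versions of the two DNS checks a cert-manager DNS-01
order depends on: TXT propagation on every authoritative nameserver, and
CAA permission for the issuing CA.  Real lookups go through `dig`."""
import subprocess
from typing import Callable, Dict, List, Optional

# (name, rrtype, server or None for the system resolver) -> answer strings
LookupFn = Callable[[str, str, Optional[str]], List[str]]


def dig_lookup(name: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    """Query with `dig +short`; dig prints one answer per line."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", rrtype, name]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def challenge_record_name(dns_name: str) -> str:
    """ACME DNS-01 validates '*.testing.example.com' through the TXT record
    _acme-challenge.testing.example.com: the '*.' label is dropped."""
    base = dns_name[2:] if dns_name.startswith("*.") else dns_name
    return "_acme-challenge." + base.rstrip(".")


def authoritative_servers(zone: str, lookup: LookupFn = dig_lookup) -> List[str]:
    """NS records of the hosted zone, without the trailing dot."""
    return [ns.rstrip(".") for ns in lookup(zone.rstrip("."), "NS", None)]


def propagation_status(dns_name: str, zone: str, expected_token: Optional[str] = None,
                       lookup: LookupFn = dig_lookup) -> Dict[str, bool]:
    """Map each authoritative nameserver to True when the challenge TXT record
    is present there (and equals expected_token if one is given).  A record
    visible only through a caching recursive resolver is not enough."""
    record = challenge_record_name(dns_name)
    status: Dict[str, bool] = {}
    for ns in authoritative_servers(zone, lookup):
        answers = [a.strip('"') for a in lookup(record, "TXT", ns)]
        status[ns] = bool(answers) if expected_token is None else expected_token in answers
    return status


def caa_allows(dns_name: str, ca: str = "letsencrypt.org", lookup: LookupFn = dig_lookup) -> bool:
    """Walk from the name toward the root and apply the first non-empty CAA
    set found (RFC 8659).  No CAA anywhere means any CA may issue; wildcard
    names use 'issuewild' when present and fall back to 'issue'."""
    wildcard = dns_name.startswith("*.")
    labels = (dns_name[2:] if wildcard else dns_name).rstrip(".").split(".")
    for i in range(len(labels)):
        records = lookup(".".join(labels[i:]), "CAA", None)
        if not records:
            continue
        tags: Dict[str, List[str]] = {}
        for rec in records:  # dig +short format: 0 issue "letsencrypt.org"
            parts = rec.split(None, 2)
            if len(parts) != 3:
                continue
            tags.setdefault(parts[1], []).append(parts[2].strip('"'))
        if wildcard and "issuewild" in tags:
            allowed = tags["issuewild"]
        elif "issue" in tags:
            allowed = tags["issue"]
        else:
            return True  # relevant property absent: no restriction
        # a value may carry parameters, e.g. "letsencrypt.org; validationmethods=dns-01"
        return any(v.split(";")[0].strip() == ca for v in allowed)
    return True


# Constructed sample answers standing in for dig output (not real records).
SAMPLE_ANSWERS = {
    ("example.com", "NS", None): ["ns-1.example.net.", "ns-2.example.net."],
    ("_acme-challenge.testing.example.com", "TXT", "ns-1.example.net"): ['"tokenABC"'],
    ("_acme-challenge.testing.example.com", "TXT", "ns-2.example.net"): [],  # not yet propagated
    ("example.com", "CAA", None): ['0 issue "letsencrypt.org"', '0 issuewild "letsencrypt.org"'],
}


def sample_lookup(name: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    """Offline lookup backed by SAMPLE_ANSWERS (constructed data)."""
    return SAMPLE_ANSWERS.get((name, rrtype, server), [])


if __name__ == "__main__":
    # Replace sample_lookup with dig_lookup (the default) to check a live zone.
    print(propagation_status("*.testing.example.com", "example.com", "tokenABC", sample_lookup))
    print(caa_allows("*.testing.example.com", lookup=sample_lookup))
```

With the constructed data one nameserver has the record and the other does not, which is exactly the state in which cert-manager keeps reporting "not yet propagated": it retries until every authoritative server answers. The expected token can be read from the Challenge resource (kubectl get challenge -o yaml, field spec.key) to confirm the record content as well as its presence.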