
Trying to understand how cert-manager is different from the ACME protocol since both do the same thing. Does cert-manager use the ACME protocol?

We have our domain DNS in GoDaddy, a Kubernetes cluster in Oracle Cloud OCI and cert-manager, and we use a cluster issuer (Let's Encrypt is the CA).

As far as I know, GoDaddy doesn't support the ACME protocol, so how is HTTP-01 validation happening?

maelvls
kachwa
  • cert-manager can use the ACME protocol (it's right there [in the documentation](https://cert-manager.io/docs/configuration/acme/)). It all depends on how you have it configured. – larsks Feb 22 '22 at 17:54

1 Answer


I suppose you are referring to cert-manager, the Kubernetes operator for dealing with TLS certificates. cert-manager implements the ACME client protocol defined in RFC 8555.

As for the support of the ACME protocol by GoDaddy, I suppose you are referring to https://letsencrypt.org/docs/godaddy/:

> If you use GoDaddy shared web hosting, it’s currently very difficult to install a Let’s Encrypt certificate. That’s because GoDaddy doesn’t support the ACME protocol for automated certificate issuance and renewal.

As I understand it, you registered your domain on GoDaddy, and your domain zone is hosted in GoDaddy's DNS service. Since you are not using GoDaddy's shared web hosting, you are not affected by the lack of ACME support when using GoDaddy's shared web hosting. You can safely use cert-manager's HTTP-01 or DNS-01 ACME solvers.

maelvls
  • Can cert-manager automatically update records for ingress resource which gets created at every namespace level in GoDaddy? I mean assume your https is for ingress service and this has got its respective backend and a URL which can redirect the traffic to backend, can cert-manager update the A record in GoDaddy for every new ingress that gets created? – kachwa Feb 23 '22 at 01:36
  • By "namespace levels in GoDaddy", are you referring to subdomains in your DNS zone? AFAIK, when using the DNS-01 solver, cert-manager only ever sets `TXT` records, not `A` records. If you are looking for a way to set `A` records for each of your Ingress objects using the `.status.loadBalancer.ingress[].ip`, you might want to look at external-dns which does exactly that. – maelvls Feb 23 '22 at 15:34
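
As an added illustration of the answer above (not part of the original post and not cert-manager's own code): the values an ACME client derives for the HTTP-01 and DNS-01 challenges of RFC 8555. HTTP-01 is answered from a path on the web endpoint itself and DNS-01 needs only a TXT record, so neither requires the DNS provider to speak ACME. The token and `example.com` are constructed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// b64 is the unpadded base64url encoding used throughout RFC 8555.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint returns the RFC 7638 JWK thumbprint of a P-256 ACME account key.
func Thumbprint(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	// Required members only, in lexicographic order, with no whitespace.
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64(sum[:])
}

// KeyAuthorization binds the CA-issued token to the account key (RFC 8555 section 8.1).
func KeyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + Thumbprint(pub)
}

// HTTP01 returns the URL path the CA fetches over port 80 and the body it expects there.
func HTTP01(token string, pub *ecdsa.PublicKey) (path, body string) {
	return "/.well-known/acme-challenge/" + token, KeyAuthorization(token, pub)
}

// DNS01 returns the TXT record name and value the CA looks up in the zone.
func DNS01(domain, token string, pub *ecdsa.PublicKey) (name, value string) {
	sum := sha256.Sum256([]byte(KeyAuthorization(token, pub)))
	return "_acme-challenge." + domain, b64(sum[:])
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	token := "constructed-token-0123456789" // constructed sample, not a real CA token
	path, body := HTTP01(token, &key.PublicKey)
	fmt.Printf("HTTP-01: GET http://example.com%s -> %s\n", path, body)
	name, value := DNS01("example.com", token, &key.PublicKey)
	fmt.Printf("DNS-01:  %s TXT %q\n", name, value)
}
```

With HTTP-01 the only DNS requirement is that the hostname already resolves to the ingress; with DNS-01 the client needs API access to the zone to create the `_acme-challenge` TXT record.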