I cannot create a wildcard certificate for a self-hosted bare-metal server

I am trying to set up a wildcard certificate, but since https01 is no longer valid to be used for wildcard certs, it's making it more difficult.

Based on this documentation https://cert-manager.io/docs/configuration/acme/dns01/
I have to register or move my DNS to one of those cloud providers, but we are using a self-managed private cloud with our own bare-metal servers. Looking at setting up acme-dns, there is no straightforward setup for it, and we don't want to move our DNS to it either, as we already have our own DNS server set up.

I tried the following: https://github.com/joohoi/acme-dns but nothing explains what TXT record I need to add to my domain zones.

time="2020-05-02T08:48:02Z" level=info msg="2020/05/02 08:48:02 [ERROR][auth.domain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:"

time="2020-05-02T08:48:02Z" level=info msg="[auth.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT record found at _acme-challenge.auth.domain.com, url: (attempt 3/3; challenge=dns-01)"

Can someone please advise?

You should check if there is a plugin for some ACME client that supports your DNS server.

It's a bare-metal MAAS.

What DNS server software runs on the thing?

That's because the TXT records are added by the ACME client you have chosen. For example, @joohoi has written their own plugin for the certbot ACME client here: GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns

Also, the http-01 challenge was never allowed for wildcard certificates. A DNS challenge was always required.

Also, no. 2: why did you choose cert-manager as your ACME client? As far as I know, it's mostly used by large hosting providers and such, which require many certificates for many domains.
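To make concrete what the replies above describe (the ACME client, not you, writes the TXT record, and with acme-dns your own zone only ever carries a CNAME), here is an added example that is not code from the thread, from acme-dns, or from cert-manager. It models the acme-dns API as documented in its README: POST /register returns credentials plus a `fulldomain`, you add one permanent CNAME `_acme-challenge.<domain> -> <fulldomain>` in your own DNS, and on every issuance the client POSTs /update with the 43-character DNS-01 value the CA expects. The HTTP transport is injectable, so the exchange runs offline against a constructed fake server; `https://auth.acme-dns.io` is the public instance mentioned in the thread, `auth.domain.com` is the domain from the posted log, and the token and thumbprint are made-up inputs.

```python
"""acme-dns register -> CNAME -> update flow, with a constructed offline fake server."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Optional

# (method, url, json_body_or_None, extra_headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], dict], dict]


def urllib_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Real transport for talking to an acme-dns server (not used by the offline demo)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on 4xx/5xx
        return json.loads(resp.read() or b"{}")


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 DNS-01: base64url(SHA-256(token '.' thumbprint)) without padding.
    A 32-byte digest always encodes to 43 characters, which is why acme-dns insists on 43."""
    digest = hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AcmeDns:
    """Minimal client for the acme-dns HTTP API (what a cert-manager/certbot hook does for you)."""

    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def register(self, allowfrom: Optional[list] = None) -> dict:
        # allowfrom restricts which source CIDRs may later call /update with these creds
        body = {"allowfrom": allowfrom} if allowfrom else None
        return self.transport("POST", self.base_url + "/register", body, {})

    def update(self, creds: dict, txt: str) -> dict:
        if len(txt) != 43:
            raise ValueError("acme-dns requires exactly 43-character TXT values")
        headers = {"X-Api-User": creds["username"], "X-Api-Key": creds["password"]}
        return self.transport("POST", self.base_url + "/update",
                              {"subdomain": creds["subdomain"], "txt": txt}, headers)


def cname_record(domain: str, creds: dict) -> str:
    """The single line you add to YOUR zone, once; the TXT itself lives on the acme-dns host."""
    return f"_acme-challenge.{domain}. IN CNAME {creds['fulldomain']}."


class FakeAcmeDns:
    """Constructed stand-in for an acme-dns server so the exchange can run offline."""

    def __init__(self, host: str = "auth.acme-dns.io"):
        self.host = host
        self.accounts: dict = {}  # username -> registration record
        self.txt: dict = {}       # fulldomain -> current TXT value

    def __call__(self, method: str, url: str, body: Optional[dict], headers: dict) -> dict:
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/register":
            sub = str(uuid.uuid4())
            rec = {"username": str(uuid.uuid4()), "password": secrets.token_urlsafe(30),
                   "fulldomain": f"{sub}.{self.host}", "subdomain": sub,
                   "allowfrom": (body or {}).get("allowfrom", [])}
            self.accounts[rec["username"]] = rec
            return rec
        if method == "POST" and path == "/update":
            rec = self.accounts.get(headers.get("X-Api-User"))
            if (rec is None or rec["password"] != headers.get("X-Api-Key")
                    or (body or {}).get("subdomain") != rec["subdomain"]):
                raise PermissionError("401 unauthorized")
            self.txt[rec["fulldomain"]] = body["txt"]
            return {"txt": body["txt"]}
        raise LookupError(f"404 {method} {path}")

    def resolve_txt(self, name: str, cnames: dict) -> Optional[str]:
        """What the CA sees: follow the CNAME from _acme-challenge.<domain>, then read the TXT."""
        return self.txt.get(cnames.get(name, name))


def demo(domain: str = "auth.domain.com"):
    """Run the full flow offline; returns (creds, zone line, TXT seen by the CA, TXT expected)."""
    server = FakeAcmeDns()
    client = AcmeDns("https://auth.acme-dns.io", transport=server)
    creds = client.register(allowfrom=["10.0.0.0/8"])        # lock /update to the cluster's CIDR
    zone_line = cname_record(domain, creds)                   # operator adds this to their own DNS
    cnames = {f"_acme-challenge.{domain}": creds["fulldomain"]}  # model of that zone change
    expected = dns01_txt_value("constructed-token", "constructed-thumbprint")
    client.update(creds, expected)                             # per-issuance, done by the ACME client
    return creds, zone_line, server.resolve_txt(f"_acme-challenge.{domain}", cnames), expected


if __name__ == "__main__":
    creds, zone_line, seen, expected = demo()
    print(zone_line)
    print("CA sees:", seen, "match:", seen == expected)
```

The registration JSON returned by `/register` (username, password, fulldomain, subdomain, allowfrom) is exactly the per-domain blob that cert-manager's acmeDNS DNS-01 solver reads from its account secret, so the same flow applies whether the client is certbot or cert-manager. Keep `allowfrom` tight: anyone holding the credentials and inside that CIDR can set the TXT value and therefore pass validation for the wildcard.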

@Osiris @9peppe Is there any way that we can use https01 or any alternative without the need to install DNS servers or add plugins?

I don't know. I still have no idea what your setup consists of.

We have a Kubernetes setup, and the main point of the wildcard is for that.

There's no such thing as https01; I have no idea what you're referring to.

If you need a wildcard certificate, you'll need to do a DNS challenge. And yes, there are many, MANY alternatives for that besides cert-manager, acme-dns and so forth.

Sorry, I have zero experience with Kubernetes (and I would like to keep it that way :stuck_out_tongue:).

Can I use https://auth.acme-dns.io?

I am trying this >> https://github.com/joohoi/acme-dns-certbot-joohoi

Thanks a lot Osiris, this link rocks! I wish there were instructions for Kubernetes to automate this with ingress.
