Internal Network and DNS challenge with Cert Manager

I have a Kubernetes cluster with an nginx-ingress running in front of a set of containerized applications running on the cluster.

The cluster has Cert Manager running using http challenge for the exposed application(s).

Now, for security reasons, one of the exposed applications has been locked down to a set of specific white-listed IP addresses.

My understanding is that the renewal of the certificate will now be broken as the http challenge mechanism is broken.

I thought that maybe I could use DNS challenge for cert renewal. But am unsure if that is even possible since the FQDN is not even reachable except by specific IP’s.

I don’t really understand the full communication flow between cert-manager, DNS provider and LetsEncrypt in the DNS challenge scenario.

Would it even help to change from http challenge to DNS challenge in this scenario?

Simple way to answer this is, does this successfully show the IP address of your domain?

dig @

If it does, then yes, you can use the DNS challenge.

Let's Encrypt doesn't need to talk to your web servers, just to your nameservers.

Thanks for the reply :smiley:

Yes this works.

The DNS provider is I do not think they support the ACME protocol. Just some text entry stuff. So I am guessing I need another DNS provider and then it should work.

DNS providers do not need to support ACME explicitly. They just need to support programmatic addition and deletion of TXT records.

In fact, you are rather lucky with your DNS hosting choice. There is a turnkey solution available for you: dnsapi · acmesh-official/ Wiki · GitHub

But in case you don't want to expose your Gratis credentials, there are also delegation solutions like acme-dns available.

Hmm, I guess that means I need remove from my cluster. I don’t think it supports Then implement a container around that exports the certs to the cluster.

But then I lose all the nice functionality of cert-manager :frowning:

Anyways thanks for the helpful answers…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.