I am trying to use cert-manager under Kubernetes to get certificates. I can get individual names through the DNS-01 challenge just fine, no problems at all. Now I am attempting to retrieve a wildcard certificate and it keeps coming back with the message "there is already a challenge processing with this domain". So I went to our DNS records and found someone had already CNAME'd _acme-challenge at the root of the domain to be able to use it with a Let's Encrypt instance of their own, which is valid and in use. Looks like they followed these instructions: Onboarding Your Customers with Let's Encrypt and ACME - Let's Encrypt
The problem is that since that is CNAME'd already, I am unable to use Let's Encrypt to get a wildcard of my own. I can't give them access to our DNS, nor are they willing to give me access to theirs, nor can I change or remove the CNAME. This is a wildcard, so the HTTP-01 challenge won't work. Is there any workaround for this type of situation? Or am I just out of luck?
I have full control of the DNS zone. The problem is that I can't give them access to update our DNS zone, nor do they want to give me access to update the DNS zone that ours is CNAME'd to.
It appears your domain uses Cloudflare for its primary DNS, but the CNAME is pointing to the Fastly CDN which would make sense if they're terminating TLS for your existing website.
Technically, that CNAME only has to exist while Fastly is doing a renewal. So if you have control over the DNS zone at Cloudflare, you could potentially delete the CNAME, create the TXT records necessary for your own cert, complete the authorization, remove the TXT records, and restore the CNAME.
But realistically, that's pretty hacky, and might be hard to coordinate the steps with cert-manager. Does Fastly have an HTTP based validation option instead? Then, they wouldn't need the CNAME.
Unfortunately I already know without asking what the answers to those questions will be... it needs to stay how it is. Andi, it seems to me that if the acme challenge is hardcoded then it's going to run into a collision at some point. That's why I was asking if there's other options.
Yeah, the _acme-challenge label is part of the RFC 8555 ACME spec. And for getting a wildcard cert, DNS validation is your only option. Technically, other CAs exist that use different DNS validation labels, though. But they also don't use ACME, and I'm guessing they wouldn't work with cert-manager.
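To make the collision concrete, here is an added pre-flight check (example code, not from the thread or from cert-manager) that computes the DNS-01 owner name the way RFC 8555 section 8.4 prescribes, follows any CNAME at that name as a validating CA would, and reports whether the TXT record would have to land in a zone the requester cannot write. The zone snapshot and the "writable zones" list are constructed for illustration; it shows why `*.example.com` and `example.com` share one validation name while `app.example.com` does not.

```python
"""Pre-flight check for the _acme-challenge CNAME collision (added example)."""
from typing import Dict, List, Tuple

# Constructed zone snapshot for illustration only (nobody's real DNS records).
# owner name -> list of (record type, record data)
ZONE: Dict[str, List[Tuple[str, str]]] = {
    # The CDN onboarding flow delegated the apex validation name elsewhere.
    "_acme-challenge.example.com.": [("CNAME", "example.com.acme.cdn-provider.example.")],
    # A per-host validation name that is still under the operator's control.
    "_acme-challenge.app.example.com.": [("TXT", "stale-token-from-last-run")],
    "www.example.com.": [("CNAME", "example.com.cdn-provider.example.")],
}
# Zones this operator can write to (constructed assumption for the example).
WRITABLE_ZONES = ("example.com.",)


def validation_name(identifier: str) -> str:
    """DNS-01 owner name per RFC 8555 s8.4: strip a leading '*.' then prefix the label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."


def follow_cnames(zone: Dict[str, List[Tuple[str, str]]], name: str, limit: int = 8) -> str:
    """Follow CNAMEs as a validating CA does and return the name the TXT must live at."""
    current = name
    for _ in range(limit):
        cnames = [data for rtype, data in zone.get(current, []) if rtype == "CNAME"]
        if not cnames:
            return current
        current = cnames[0]
    raise RuntimeError(f"CNAME chain too long starting at {name}")


def in_writable_zone(name: str, writable: Tuple[str, ...]) -> bool:
    return any(name == z or name.endswith("." + z) for z in writable)


def dns01_collision(identifier: str, zone=ZONE, writable=WRITABLE_ZONES) -> dict:
    """Report where the TXT record must go and whether that is out of our reach."""
    owner = validation_name(identifier)
    target = follow_cnames(zone, owner)
    return {
        "identifier": identifier,
        "owner_name": owner,
        "txt_must_be_placed_at": target,
        "blocked": not in_writable_zone(target, writable),
    }
```

Run `dns01_collision("*.example.com")` before issuing an Order to see the delegation target and the blocked flag; a blocked result means the renewal needs cooperation from whoever controls that target zone, exactly the situation the thread describes.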
Living without the wildcard cert is plan C. I was hoping there was a way to get around the collision. As with anything hard-coded, a collision is inevitable at some point.
I had considered a different CA. That would require a corporate paid account for some of them, etc. The quickest option for me was to see if there's a way around it. Sounds like it's time to work on plan B/C then. Thanks for the quick answers, I much appreciate it.
Somehow I thought that DNS Lookup - Check DNS Records did a full DNS Records lookup for the domain, not just the hostname.domain.tld. I learned something new.
I thought it was more like this: