Maybe this is mostly a networking question rather than a certificate-related query.
The documentation for HTTP validation says that:
"Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way)."
I have 2 questions based on the above sentences:
I have an Azure firewall set up in front of the k8s cluster. I requested a certificate using cert-manager by opening only one port, i.e. 443.
- Now if I open port 80 for my cluster and write a DNAT rule on the firewall that all traffic arriving at firewall port 80 should be directed to the cluster on port 80, I can see successful HTTP validation and the certificate gets generated.
But how did the above case work, if "It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses"?
I think DNAT is not equivalent to IP redirection. Am I right? If so, what is the difference?
- If I write a DNAT rule that all traffic on port 80 of the firewall should be routed to port 443 of the cluster, I see this is unsuccessful. Why is that?
I have not installed any webserver on the cluster; rather, we are using the k8s gateway to create a service of type LoadBalancer.
- "Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep".
During the validation, Let's Encrypt becomes a client while my instance/pod becomes a server. If so, does the client have a capability to restrict the number of redirects it is allowed?
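As an added example (not code from the original post, from Let's Encrypt, or from cert-manager), the following Python models the redirect rules quoted above and contrasts an HTTP redirect with a firewall DNAT. A DNAT rewrites the packet's destination address and port before the request reaches the pod; the validating client never receives a 3xx response and never sees a new URL, so the "no redirects to IP addresses" rule never comes into play. Forwarding port 80 to port 443 delivers plaintext HTTP to a listener that expects a TLS handshake, which the model represents as a connection that fails before any HTTP response is produced. The hostname, token and key authorization are constructed values, and `fetch` is an in-memory stand-in for the validator's HTTP client.

```python
"""Toy model of an ACME HTTP-01 validator's redirect handling.

Constructed example: the rules (10 redirects, http/https only, ports 80/443
only, no IP-literal hosts) are those quoted in the post; the code is not
Let's Encrypt's or cert-manager's implementation.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # limit quoted from the documentation


def is_ip_literal(host):
    """True if the host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def redirect_target_allowed(url):
    """Apply the documented constraints on a redirect Location."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.hostname is None or is_ip_literal(parts.hostname):
        return False, "redirects to IP addresses are not accepted"
    port = parts.port or (80 if parts.scheme == "http" else 443)
    if port not in (80, 443):
        return False, f"port {port} not allowed"
    return True, ""


def validate_http01(start_url, fetch, expected_body):
    """Follow redirects as the validator would; return (ok, reason, hops)."""
    url, hops = start_url, 0
    while True:
        try:
            status, headers, body = fetch(url)
        except ConnectionError as exc:
            return False, f"connection error at {url}: {exc}", hops
        if status in (301, 302, 303, 307, 308):
            if hops >= MAX_REDIRECTS:
                return False, "too many redirects", hops
            target = urljoin(url, headers.get("Location", ""))
            ok, why = redirect_target_allowed(target)
            if not ok:
                return False, f"rejected redirect to {target}: {why}", hops
            url, hops = target, hops + 1
            continue
        if status == 200 and body.strip() == expected_body:
            return True, "key authorization matched", hops
        return False, f"unexpected response {status} at {url}", hops


# Constructed challenge values (hostname, token and key authorization).
HOST = "example.com"
PATH = "/.well-known/acme-challenge/token-abc"
KEYAUTH = "token-abc.constructed-thumbprint"
START = f"http://{HOST}{PATH}"


def make_fetch(responses):
    """In-memory HTTP client: URL -> (status, headers, body) or an exception."""
    def fetch(url):
        resp = responses.get(url)
        if resp is None:
            raise ConnectionError("no listener")
        if isinstance(resp, Exception):
            raise resp
        return resp
    return fetch


def scenario_dnat_80_to_80():
    # DNAT is invisible to the client: it still talks to example.com:80 and
    # the solver pod answers directly, so no redirect rule is consulted.
    return validate_http01(START, make_fetch({START: (200, {}, KEYAUTH)}), KEYAUTH)


def scenario_redirect_to_https():
    # A real HTTP 301 to https on port 443 is an allowed redirect.
    https_url = f"https://{HOST}{PATH}"
    fetch = make_fetch({START: (301, {"Location": https_url}, ""),
                        https_url: (200, {}, KEYAUTH)})
    return validate_http01(START, fetch, KEYAUTH)


def scenario_dnat_80_to_443():
    # Plaintext HTTP lands on a TLS listener; the connection fails before
    # any HTTP status line exists, so there is nothing to redirect or match.
    fetch = make_fetch({START: ConnectionError("TLS listener got plaintext HTTP")})
    return validate_http01(START, fetch, KEYAUTH)


def scenario_redirect_to_ip_literal():
    fetch = make_fetch({START: (302, {"Location": f"http://192.0.2.10{PATH}"}, "")})
    return validate_http01(START, fetch, KEYAUTH)


def scenario_redirect_loop():
    a, b = f"http://{HOST}/a", f"http://{HOST}/b"
    fetch = make_fetch({START: (301, {"Location": a}, ""),
                        a: (301, {"Location": b}, ""),
                        b: (301, {"Location": a}, "")})
    return validate_http01(START, fetch, KEYAUTH)


if __name__ == "__main__":
    for name in ("scenario_dnat_80_to_80", "scenario_redirect_to_https",
                 "scenario_dnat_80_to_443", "scenario_redirect_to_ip_literal",
                 "scenario_redirect_loop"):
        print(name, globals()[name]())
```

The redirect cap is enforced by the client, not the server: the server only ever emits one `Location` header per response, and it is the validator's loop counter that stops after the tenth hop. The DNAT scenarios never enter the redirect branch at all, which is the distinction between a packet-level rewrite and an HTTP-level redirect.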