The cert-manager running on a different IP than the site. Is it possible?


#1

Hi,
I use cert-manager in a Kubernetes cluster to create certificates for my sites.
The cert-manager traffic goes out through the IP x.x.x.212 and the site has the IP x.x.x.219 (the DNS entry points to this IP). The traffic from IP x.x.x.219 is redirected through the firewall to the cluster. So I can reach the well-known site from both IPs.
But if the DNS entry has the IP x.x.x.219, then I get the error

Error preparing issuer for certificate dmz/gitlab.external: http-01 self check failed for domain “gitlab-test.external”

If I change the DNS to IP x.x.x.212, it works without any error.

My question is: is this configuration (with different IPs) possible?


#2

Only if/when:

But it would seem that they are not writing to the exact same folder.

Otherwise, you could authenticate via DNS (from any IP).
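The http-01 self check from the first post and the DNS alternative from the reply above, as an added example that is not part of the original thread and not cert-manager's own code. It computes the challenge values as RFC 8555 defines them (key authorization for http-01, the TXT value for dns-01, the account-key thumbprint per RFC 7638) and runs a self check modelled on the pre-flight that fails in the question: resolve the name, then fetch the token from every IP the name resolves to. The domain, the token, the placeholder IPs x.x.x.212 / x.x.x.219, the JWK and the fake network are all constructed for the example.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the canonical JSON
    (required members only, lexicographically ordered, no whitespace)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """http-01 response body: <token>.<thumbprint> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 TXT value for _acme-challenge.<name>: base64url(SHA-256(key authorization)),
    RFC 8555 section 8.4. Nothing here depends on which IP the name resolves to."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str, str, str], Optional[str]]


def http01_self_check(domain: str, token: str, jwk: dict,
                      resolve: Resolver, fetch: Fetcher) -> bool:
    """Pre-flight check in the spirit of the http-01 self check (a model, not cert-manager's
    code): resolve the name, then fetch the challenge from every resolved IP with the Host
    header set to the domain. Every IP the name resolves to must serve the key
    authorization, because the CA connects to whatever public DNS returns."""
    expected = key_authorization(token, jwk)
    path = f"/.well-known/acme-challenge/{token}"
    addresses = resolve(domain)
    if not addresses:
        return False
    return all((fetch(ip, domain, path) or "").strip() == expected for ip in addresses)


# --- constructed sample data; the JWK is NOT a valid P-256 point, it only has the shape ---
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # sample token, not a live one
CHALLENGE_PATH = f"/.well-known/acme-challenge/{SAMPLE_TOKEN}"
CHALLENGE_DOMAIN = "gitlab-test.external"
CLUSTER_EGRESS_IP = "x.x.x.212"   # placeholder IPs, as written in the question
SITE_IP = "x.x.x.219"


def fake_fetcher(served: Dict[str, Dict[str, str]]) -> Fetcher:
    """Stand-in for HTTP: `served` maps an IP to the paths it answers and their bodies."""
    def fetch(ip: str, host: str, path: str) -> Optional[str]:
        return served.get(ip, {}).get(path)
    return fetch


def scenario(dns_ip: str, serving_ips: List[str]) -> bool:
    """Run the self check with DNS pointing at dns_ip while only serving_ips answer the token."""
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    fetch = fake_fetcher({ip: {CHALLENGE_PATH: body} for ip in serving_ips})
    return http01_self_check(CHALLENGE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK,
                             resolve=lambda name: [dns_ip], fetch=fetch)


if __name__ == "__main__":
    print("DNS -> .212, only .212 serves the token:", scenario(CLUSTER_EGRESS_IP, [CLUSTER_EGRESS_IP]))
    print("DNS -> .219, only .212 serves the token:", scenario(SITE_IP, [CLUSTER_EGRESS_IP]))
    print("DNS -> .219, both IPs serve the token:  ", scenario(SITE_IP, [CLUSTER_EGRESS_IP, SITE_IP]))
    print("dns-01 TXT value:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The three scenarios show what the check actually depends on: not the IP the cluster egresses from, but the IP the name resolves to. The second scenario is the failing configuration from the question (DNS at .219, token only reachable via .212); the third passes because the path under /.well-known/acme-challenge/ is answered at the address DNS returns. The dns-01 value is the same regardless of IPs, which is why the reply above calls it the way out when HTTP reachability cannot be arranged.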


#3

Hi @de1m

I don’t use this tool. But isn’t there an option to skip this self check?


#4

You do understand that LE must authenticate the exact FQDN (or the domain).
So the name requested must be resolvable via global DNS.
I don’t see how that will be possible for any .external domain name.