I successfully created a dns01 cluster issuer and a certificate for a wildcard domain.
But when I create an Ingress Route for the application, the URL shows as not secure (Generated Fake certificate).
P.S. If I create a certificate with http01, it is working. But for long domains it is failing. It has a 64-character limit. Because of that I want to use a dns01 wildcard certificate.
message: The ACME account was registered with the ACME server
message: Certificate is up to date and has not expired
Hello @jet, welcome to the Let's Encrypt community.
From here Domain Name System - Wikipedia
"A label may contain zero to 63 characters. The null label, of length zero, is reserved for the root zone. The full domain name may not exceed the length of 253 characters in its textual representation. In the internal binary representation of the DNS the maximum length requires 255 octets of storage, as it also stores the length of the name."
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Thanks for the clarification. As I mentioned, due to that limit, I want to use dns01. The wildcard certificate is issued for *.mainapp.rick.ext-env.xyz.org. But the app endpoint is still not secure: wildcerttest.mainapp.rick.ext-env.xyz.org
There have been no (production) certificates issued for that domain. So either you aren't giving us your real domain name (and as Bruce says above, that is required in order for us to help you), or you've issued certs through the staging server rather than production.
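An added example, not part of any post in this thread: a Python check of the certificate an endpoint actually serves against the causes raised above (the ingress controller's default certificate, a staging issuer, a wildcard that does not cover the host) and the name-length limits quoted. The marker strings for the default certificate and the staging issuer are assumptions, since the thread does not name the ingress controller, and the sample input is constructed.

```python
MAX_LABEL, MAX_NAME = 63, 253   # DNS limits quoted from Wikipedia above
CN_LIMIT = 64                   # the 64-character limit reported in the thread
# Assumed marker strings (not from the thread): ingress-nginx's default
# certificate CN and the "(STAGING)" prefix on Let's Encrypt staging issuers.
FAKE_CN = "Kubernetes Ingress Controller Fake Certificate"
STAGING_MARK = "(STAGING)"


def wildcard_covers(pattern, host):
    """True if certificate name `pattern` covers `host`.

    A leading "*" stands for exactly one label, so "*.a.example" covers
    "x.a.example" but neither "a.example" nor "y.x.a.example".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def diagnose(host, subject_cn, issuer_cn, sans):
    """Return a list of findings for the certificate an endpoint served."""
    findings = []
    name = host.rstrip(".")
    if len(name) > MAX_NAME:
        findings.append("name longer than 253 characters")
    if any(not 1 <= len(label) <= MAX_LABEL for label in name.split(".")):
        findings.append("label empty or longer than 63 characters")
    if len(name) > CN_LIMIT:
        findings.append("name longer than 64 characters (limit reported for http01)")
    if subject_cn == FAKE_CN:
        findings.append("ingress default certificate served, not the issued one")
    elif STAGING_MARK in issuer_cn:
        findings.append("issued by the staging server, untrusted by browsers")
    if not any(wildcard_covers(s, host) for s in sans):
        findings.append("no certificate name covers this host")
    return findings


# Constructed sample: the endpoint from the thread behind a default certificate.
HOST = "wildcerttest.mainapp.rick.ext-env.xyz.org"
if __name__ == "__main__":
    for line in diagnose(HOST, FAKE_CN, FAKE_CN, ["ingress.local"]):
        print(line)
```

The `subject_cn`, `issuer_cn` and `sans` arguments are the values read from the served certificate, for example from the browser's certificate viewer.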
DNS records: 100%
Our scans detected the following publicly available DNS records.
Record TTL Value
A xyz.org 600s 22.214.171.124
NS xyz.org 1h ns15.domaincontrol.com.
SOA xyz.org 1h ns15.domaincontrol.com. dns.jomax.net. 2021110500 28800 7200 604800 600
CNAME www.xyz.org 1h xyz.org.
Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.
Everything seems to be well configured. Well done.
These are the results of individual DNS queries against your nameserver for common resource record types.
Name TTL Type Data
xyz.org. 600 A 126.96.36.199
www.xyz.org. 3600 CNAME xyz.org.
xyz.org. 3600 NS ns15.domaincontrol.com.
xyz.org. 3600 NS ns16.domaincontrol.com.
xyz.org. 3600 SOA ns15.domaincontrol.com. dns.jomax.net. 2021110500 28800 7200 604800 600
You warrant to ISRG and the public-at-large that You are the legitimate registrant of the
Internet domain name that is, or is going to be, the subject of Your Certificate, or that You are
the duly authorized agent of such registrant
The primary path is to deploy cert-manager (I use a ClusterIssuer to save myself some headache with namespace issues), deploy your ingress controller, then deploy your ingress manifest (endpoints). You do NOT need to create a certificate resource yourself.