Hi Team,
I successfully created dns01 cluster issuer and certificate for wildcard domain.
But when I create an Ingress Route for the application, the URL shows as not secure (a generated fake certificate).
P.S. If I create the certificate with http01, it works. But for long domains it fails; there is a 64-character limit. Because of that I want to use a dns01 wildcard certificate.
lastTransitionTime: "2022-11-04T11:38:12Z"
message: The ACME account was registered with the ACME server
observedGeneration: 8
reason: ACMEAccountRegistered
status: "True"
type: Ready
kind: List
metadata:
resourceVersion: ""
============================================
lastTransitionTime: "2023-01-15T18:26:22Z"
message: Certificate is up to date and has not expired
observedGeneration: 1
reason: Ready
status: "True"
type: Ready
notAfter: "2023-04-15T17:26:20Z"
notBefore: "2023-01-15T17:26:21Z"
renewalTime: "2023-03-16T17:26:20Z"
revision: 1
=======================================
Hello @jet, welcome to the Let's Encrypt community.
From here: Domain Name System - Wikipedia
" A label may contain zero to 63 characters. The null label, of length zero, is reserved for the root zone. The full domain name may not exceed the length of 253 characters in its textual representation.[22] In the internal binary representation of the DNS the maximum length requires 255 octets of storage, as it also stores the length of the name."
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Hi Bruce,
Thanks for the clarification. As I mentioned, due to that limit, I want to use dns01. The wildcard certificate is issued for *.mainapp.rick.ext-env.xyz.org. But the app endpoint is still not secure: wildcerttest.mainapp.rick.ext-env.xyz.org
There have been no (production) certificates issued for that domain. So either you aren't giving us your real domain name (and as Bruce says above, that is required in order for us to help you), or you've issued certs through the staging server rather than production.
You might have more luck asking about this on the cert-manager Slack Channel. We haven't had many (or any) users able to answer this type of question in the past.
DNS records: 100%
Our scans detected the following publicly available DNS records.
Record  Name         TTL   Value
A       xyz.org      600s  34.102.136.180
NS      xyz.org      1h    ns15.domaincontrol.com.
NS      xyz.org      1h    ns16.domaincontrol.com.
SOA     xyz.org      1h    ns15.domaincontrol.com. dns.jomax.net. 2021110500 28800 7200 604800 600
CNAME   www.xyz.org  1h    xyz.org.
DNS Records
Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.
Test passed
Everything seems to be well configured. Well done.
DNS Records
These are the results of individual DNS queries against your nameserver for common resource record types.
Name TTL Type Data
xyz.org. 600 A 34.102.136.180
www.xyz.org. 3600 CNAME xyz.org.
xyz.org. 3600 NS ns15.domaincontrol.com.
xyz.org. 3600 NS ns16.domaincontrol.com.
xyz.org. 3600 SOA ns15.domaincontrol.com. dns.jomax.net. 2021110500 28800 7200 604800 600
"You warrant to ISRG and the public-at-large that You are the legitimate registrant of the Internet domain name that is, or is going to be, the subject of Your Certificate, or that You are the duly authorized agent of such registrant."
For future reference, I can answer this type of topic now as I have been using cert-manager with k8s and ingress-nginx in Azure in my position at work for a while now.
The primary path is to deploy cert-manager (I use a ClusterIssuer to save myself some headache with namespace issues), deploy your ingress controller, then deploy your ingress manifest (endpoints). You do NOT need to create a certificate resource yourself.
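As an added illustration of that path (this is example configuration written for this thread, not a manifest from the poster or from the cert-manager project), here is an Ingress that carries the cert-manager annotation and a tls block, so cert-manager creates the Certificate and the secret itself; the ClusterIssuer name "letsencrypt-dns01", the secret name "wildcerttest-tls", the namespace "apps", the service "wildcerttest" and the ingress class "nginx" are all assumed names.

```yaml
# Added example, not from the original thread. Assumed names: ClusterIssuer
# "letsencrypt-dns01", namespace "apps", secret "wildcerttest-tls",
# Service "wildcerttest" on port 80, ingress class "nginx".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcerttest
  # cert-manager writes the TLS secret into the Ingress's own namespace;
  # a Certificate or secret living in another namespace is not found here.
  namespace: apps
  annotations:
    # cert-manager watches this annotation and creates a Certificate for
    # every host under spec.tls using the named ClusterIssuer, so no
    # Certificate resource has to be written by hand.
    cert-manager.io/cluster-issuer: letsencrypt-dns01
spec:
  ingressClassName: nginx
  tls:
    # Without a tls block, or with a secretName that does not exist in this
    # namespace yet, ingress-nginx falls back to its built-in self-signed
    # "fake" certificate, which the browser reports as "not secure".
    - hosts:
        - wildcerttest.mainapp.rick.ext-env.xyz.org
      secretName: wildcerttest-tls
  rules:
    - host: wildcerttest.mainapp.rick.ext-env.xyz.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcerttest
                port:
                  number: 80
```

If you reuse a hand-made wildcard Certificate instead, drop the annotation and point tls.secretName at that Certificate's spec.secretName, which must sit in the same namespace as the Ingress; `kubectl -n apps get certificate,secret` shows whether the secret exists before the endpoint can serve it.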