DNS01 Challenge Provider
The ACME issuer can also contain DNS provider configuration, which Certificates using this Issuer can use to validate DNS01 challenge requests. You can read about how the DNS01 challenge type works on the Let’s Encrypt challenge types page.
The following Issuer configures a single clouddns provider named prod-clouddns:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: user@example.com  # placeholder address
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    dns01:
      providers:
      - name: prod-clouddns
        clouddns:
          project: my-project
          serviceAccountSecretRef:
            name: prod-clouddns-svc-acct-secret
            key: service-account.json
Each issuer can specify multiple different DNS01 challenge providers, and it is also possible to have multiple instances of the same DNS provider on a single Issuer (e.g. two clouddns accounts could be set, each with their own name).
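As an added illustration (not taken from the cert-manager documentation), the manifests below put two named clouddns providers on one Issuer and have a Certificate choose between them per domain. The staging project, its Secret name, the domains and the email address are constructed placeholders; the Certificate's acme.config stanza is the v1alpha1 field that selects a provider by name and does not appear on this page.

```yaml
# Added example. Project IDs, Secret names, domains and email are placeholders.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    dns01:
      providers:
      # Two instances of the same provider type, told apart by name. Each reads
      # its own service-account key, so each key can be scoped to one project.
      - name: prod-clouddns
        clouddns:
          project: my-project
          serviceAccountSecretRef:
            name: prod-clouddns-svc-acct-secret
            key: service-account.json
      - name: staging-clouddns
        clouddns:
          project: my-staging-project
          serviceAccountSecretRef:
            name: staging-clouddns-svc-acct-secret
            key: service-account.json
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com-tls
  issuerRef:
    name: example-issuer
  dnsNames:
  - example.com
  - staging.example.com
  acme:
    config:
    # Each entry maps a set of domains to one named provider on the Issuer.
    - dns01:
        provider: prod-clouddns
      domains:
      - example.com
    - dns01:
        provider: staging-clouddns
      domains:
      - staging.example.com
```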
Setting nameservers for DNS01 self check
Cert-manager checks that the correct DNS records exist before attempting a DNS01
challenge. By default, the DNS servers for this check are taken from
/etc/resolv.conf. If this is not desired (for example with multiple
authoritative nameservers or split-horizon DNS), set the cert-manager controller's
--dns01-self-check-nameservers flag, which overrides the default
nameservers with a comma-separated list of custom nameservers.
Supported DNS01 providers
A number of different DNS providers are supported for the ACME issuer. Below is a listing of available providers and their .yaml configurations, along with additional Kubernetes and provider-specific notes regarding their usage.