在研究 cert-manager 使用 webhook 方式调用 dnspod 使用 DNS-01 方式签发 SSL 证书遇到问题，一直得到错误：

CodeBlock Loading...

我使用了以下资源：

在相关仓库找到这些 issue

发现，只要申请证书的域名能够匹配到 CNAME 记录，就会默认跟随，找不到正确的 TXT 记录，导致认证失败。虽然 cert-manager 提供了这个参数 cnameStrategy: None ，能够在声明 ISSUE 时使用，但是似乎大部分实现的 webhook 都没有实现这个特性：

CodeBlock Loading...

目前临时的解决办法，只能是 避免 cert-manager 托管域名能够解析到 CNAME 记录，等有空了研究一下 cert-manager 和 webhook 的实现方法，看能否解决这个问题。

References

I0306 03:48:38.870605 1 controller.go:144] "syncing item" logger="cert-manager.controller" I0306 03:48:38.870714 1 dns.go:118] "checking DNS propagation" logger="cert-manager.controller.Check" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version=" v1" dnsName="test1.tsh1.frytea.com" type="DNS-01" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="test1.tsh1.frytea.com" nameservers=["223.5.5.5:53","8.8.8.8:53"] I0306 03:48:38.879628 1 wait.go:94] "Updating FQDN" logger="cert-manager.controller" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="test 1.tsh1.frytea.com" type="DNS-01" fqdn="_acme-challenge.test1.tsh1.frytea.com." cname="tsh1.frytea.com." I0306 03:48:38.897174 1 wait.go:145] "Looking up TXT records" logger="cert-manager.controller" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dns Name="test1.tsh1.frytea.com" type="DNS-01" fqdn="tsh1.frytea.com." E0306 03:48:38.897227 1 sync.go:208] "propagation check failed" err="DNS record for \"test1.tsh1.frytea.com\" not yet propagated" logger="cert-manager.controller" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_nam espace="default" resource_kind="Challenge" resource_version="v1" dnsName="test1.tsh1.frytea.com" type="DNS-01"I0306 03:48:38.897688 1 controller.go:164] "finished processing work item" logger="cert-manager.controller"

apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: dnspod spec: acme: email: xxxx # 在证书过期的时候，会发邮件通知 preferredChain: "" privateKeySecretRef: name: example-com-letsencrypt-dev-key # 用于存储ACME帐户私钥的密钥名称 server: https://acme-staging-v02.api.letsencrypt.org/directory #server: https://acme-v02.api.letsencrypt.org/directory # 生产 solvers: - dns01: cnameStrategy: None webhook: config: secretId: xxxxxx secretKeyRef: key: secret-key name: dnspod-secret ttl: 600 groupName: acme.imroc.cc solverName: dnspod

cert-manager CNAME 问题记录

关键洞察

References

References