kubernetes - How to solve HTTP01 challenge when domain is pointing to different IP? - Stack Overflow

So, we have a domain which is pointing to an IP and serving traffic. I am creating a new cluster with ingress-nginx on a new IP and trying to add a cert to it using cert-manager.

The issue is that I can't point the domain to this new IP unless SSL is enabled, and without pointing the domain to this new IP I am having trouble with the ACME challenges.

For now I have created an additional sub-domain and added redirects on the original service to these new ones for the path /.well-known/acme-challenge/*. According to the Let's Encrypt docs, they allow up to 10 redirects - here.

The redirect is working fine; it's just that the ingress rules which cert-manager created for the solvers are for the original domains, and I can't seem to find any config which lets me configure additional rules.

Is there any way to solve this?

I am thinking of editing the ingress which cert-manager created, but I'm worried it would cause some issue when I switch to the production issuer. Or there might be a better way to do this.

Edit: I tried updating the ingress manually, but the server which was created by cert-manager to handle the request is checking the hostname and throwing an error since they don't match.

asked Feb 1 at 17:40 by TubbyStubby, edited Feb 2 at 12:39

1 Answer

So, the cert-manager solver checks the HOST header before serving the key. In order for this to work, I ended up creating another service on another sub-domain (redirect.original) running nginx, which updated the host using proxy_set_header HOST original; and used proxy_pass to send the request on to the new domain where the solver is running: proxy_pass http://new.original;.

And this is how the whole flow looked:

GET original/.well-known/acme-challenge/... 
 -> original 
 - redirect -> redirect.original 
 - update HOST and proxy pass -> new.original

Since I had a couple of sub-domains which I wanted to do this for, I added a unique prefix path for each, handled by matching location blocks with a rewrite.
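The redirect service described in this answer, written out as an nginx configuration. This is an added example, not the answerer's own config: `original`, `redirect.original` and `new.original` are the answer's placeholder names, the `/a/` and `/b/` prefixes are the per-domain prefix paths it mentions, and `other.original` / `new.other.original` are a second, hypothetical domain pair.

```nginx
# 1. Old service (the host that DNS for `original` still points to):
#    hand only the ACME challenge path to the redirect service. The `/a/`
#    prefix tells the redirect service which domain the token is for.
#    Let's Encrypt follows this redirect (up to 10 hops are allowed).
server {
    listen 80;
    server_name original;   # placeholder name from the answer

    location /.well-known/acme-challenge/ {
        return 302 http://redirect.original/a$request_uri;
    }
    # ... existing locations serving the live site stay unchanged ...
}

# 2. Redirect service (`redirect.original`): strip the prefix, restore the
#    Host header the cert-manager solver matches on, and proxy to the new
#    cluster's ingress. Only the challenge path is proxied, so this host
#    does not become a general-purpose open proxy.
server {
    listen 80;
    server_name redirect.original;

    location /a/.well-known/acme-challenge/ {
        # /a/.well-known/acme-challenge/TOKEN -> /.well-known/acme-challenge/TOKEN
        # `break` keeps the rewritten URI and proxy_pass forwards it as-is.
        rewrite ^/a(/\.well-known/acme-challenge/.*)$ $1 break;
        # The solver ingress was created for `original`, so the upstream
        # must see that name, not `new.original`.
        proxy_set_header Host original;
        proxy_pass http://new.original;   # resolves to the new ingress IP
    }

    # Second domain (hypothetical): same pattern with its own prefix.
    location /b/.well-known/acme-challenge/ {
        rewrite ^/b(/\.well-known/acme-challenge/.*)$ $1 break;
        proxy_set_header Host other.original;
        proxy_pass http://new.other.original;
    }
}
```

Once the certificate is issued and DNS for `original` moves to the new IP, the redirect server block and its prefix locations can be removed.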
