
Why does cert-manager look for a CNAME record instead of a TXT record?

Open cybercoder opened this issue 1 year ago • 0 comments

I have developed my webhook using this example:

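// Present creates the DNS-01 challenge TXT record for ch.
//
// The challenge's DNSName (optionally prefixed with "*." for wildcard
// certificates) is reduced to the bare domain, which must exist in the
// domain repository and have status ACTIVE; a TXT record named after
// ch.ResolvedFQDN is then stored with ch.Key as its content and a TTL of 60.
//
// It returns an error when the webhook config cannot be loaded, when the
// DNS name is not a well-formed hostname, when the domain lookup fails, or
// when the domain is unknown or not ACTIVE.
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
	// The loaded config is not used here; loading it still validates that
	// the webhook was handed a usable configuration before any DNS change.
	if _, err := loadConfig(ch.Config); err != nil {
		return err
	}

	// DNSName arrives from the challenge request and becomes a repository
	// lookup key, so require a well-formed hostname: ASCII labels of at
	// most 63 characters, an optional leading "*." for wildcards and an
	// optional trailing dot. The previous pattern `(?:\*\.)?(.*)` matched
	// every input, which left the error branch below unreachable.
	// (Compiled per call to keep the change local; a package-level
	// regexp.MustCompile would avoid recompiling on every Present.)
	re := regexp.MustCompile(`^(?:\*\.)?([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)\.?$`)
	matchDomain := re.FindStringSubmatch(ch.DNSName)
	if len(matchDomain) <= 1 {
		return errors.New("Invalid DNS name.")
	}
	domain := matchDomain[1]
	// NOTE(review): ch.ResolvedZone carries the zone cert-manager resolved
	// for this challenge; it may be the more appropriate lookup key when
	// DNSName is a subdomain of the hosted zone — confirm against how the
	// domain repository is populated.

	domainRecord, err := dnsDomainRepository.FindByName(domain)
	if err != nil {
		return err
	}
	if domainRecord == nil {
		return errors.New("The domain not found.")
	}
	if domainRecord.Status != "ACTIVE" {
		return errors.New("The domain is not active")
	}

	// NOTE(review): Create's result is discarded here; if it reports an
	// error (failed or duplicate insert), surface it rather than returning
	// nil, otherwise cert-manager believes the record was presented —
	// confirm Create's signature.
	dnsRecordRepository.Create(&repositories.Record{
		DomainId: domainRecord.ID,
		Name:     util.UnFqdn(ch.ResolvedFQDN),
		Content:  ch.Key,
		Type:     "TXT",
		TTL:      60,
	})
	return nil
}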

It correctly inserts a TXT record into my records table, and I can see it has been set correctly:

dig TXT _acme-challenge.gomak.ir

; <<>> DiG 9.10.6 <<>> TXT _acme-challenge.gomak.ir
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61751
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.gomak.ir.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.gomak.ir. 60	IN	TXT	"LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y"

;; Query time: 283 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 08 16:12:35 +0330 2024
;; MSG SIZE  rcvd: 109

But my DNS server log shows that cert-manager is querying for a CNAME record instead of a TXT record!

[INFO] 10.42.0.1:22649 - 62747 "CNAME IN _acme-challenge.gomak.ir. udp 53 true 1400" NOERROR qr,aa,cd 128 0.000333351s

The challenge looks like this:

apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2024-08-08T12:35:15Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: gomak-ir-tls-1-284811402-4243862973
  namespace: "1707237939748"
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: gomak-ir-tls-1-284811402
    uid: 33e5c54c-45d2-451b-a766-6e06e630db17
  resourceVersion: "19793552"
  uid: 440ee536-40c4-494b-9d09-a98f86354357
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/385640034797
  dnsName: gomak.ir
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ik8s-letsencrypt-webhook
  key: LqpAjEOukul0H9GWGe5jqzeo0BsgwnqGBxb1iWzgN4Y
  solver:
    dns01:
      cnameStrategy: None
      webhook:
        groupName: acme.dns.ik8s.ir
        solverName: idns-acme
  token: JZ8dowQpahHFT0h7qiZc9TVwou3gYZ_4sY2ZNAN1ikE
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/385640034797/KD8vjQ
  wildcard: false
status:
  presented: true
  processing: true
  reason: 'Waiting for DNS-01 challenge propagation: DNS record for "gomak.ir" not
    yet propagated'
  state: pending

And I have set cnameStrategy to None. Why?

cybercoder avatar Aug 08 '24 12:08 cybercoder