Comments (8)

itomaldonado avatar itomaldonado commented on July 22, 2024

I am taking a stab at it if you want to....

from kubernetes-letsencrypt.

tazjin avatar tazjin commented on July 22, 2024

Thanks for pointing this out, I'll take a look soon!

tazjin avatar tazjin commented on July 22, 2024

Fixed in #64

itomaldonado avatar itomaldonado commented on July 22, 2024

@tazjin Just wanted to put this here for future reference. If you are using split-brain DNS, it is possible for the application to resolve the DNS entry with the built-in name servers, which will return the "private hosted zone" NS entries. To force the application to use an external DNS server for resolving the names, make sure you add the environment variable "LETSENCRYPT_CONTROLLER_OPTS" as seen below (the example uses Google's DNS server).

...
    spec:
      serviceAccountName: letsencrypt
      containers:
        - image: tazjin/letsencrypt-controller:1.7
          imagePullPolicy: Always
          name: letsencrypt-controller
          env:
          - name: LETSENCRYPT_CONTROLLER_OPTS
            value: "-Ddns.server=8.8.8.8"
...

tazjin avatar tazjin commented on July 22, 2024

Ah, so this can cause local validation to fail before the controller asks Let's Encrypt to verify the challenge?

The way it currently works is that the controller uses the OS DNS to ask for the authoritative nameservers after performing the change and polls them until the change has propagated. It should probably be changed to resolve from the root nameservers, too. 🤔
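
As an added illustration of the pre-check described above (standalone Python on the standard library only; it is not the project's code, which is a JVM controller), the lookup is sent straight to a chosen resolver instead of the OS stub resolver, so a split-brain setup cannot answer from the private zone. The 8.8.8.8 default is the workaround from this thread; the domain and token in the comments are constructed.

```python
import socket
import struct

# Constructed illustration, not kubernetes-letsencrypt's implementation.
ACME_PREFIX = "_acme-challenge."
TYPE_TXT = 16

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (RD bit set) in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a (possibly compressed) domain name.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_txt(msg: bytes) -> list:
    """Return every TXT string in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT:
            p, end = off, off + rdlen
            while p < end:  # RDATA is a sequence of <len><chars> strings
                n = msg[p]
                out.append(msg[p + 1:p + 1 + n].decode())
                p += 1 + n
        off += rdlen
    return out

def challenge_visible(domain: str, token: str, server: str = "8.8.8.8") -> bool:
    """Ask an explicit resolver whether _acme-challenge.<domain> shows the token."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(ACME_PREFIX + domain, TYPE_TXT), (server, 53))
        data, _ = s.recvfrom(4096)
    return token in parse_txt(data)
```

Polling challenge_visible until it returns True (and only then asking Let's Encrypt to validate) is the propagation check the controller performs, with the resolver chosen explicitly rather than inherited from the OS.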

itomaldonado avatar itomaldonado commented on July 22, 2024

Yeah, so the controller should not try to use the OS DNS to ask for the authoritative nameservers, but doing so is a good default behavior.

I have run into this issue several times before and there is no easy way to fix this. When using split-brain, local DNS (i.e. the OS's default DNS) will resolve to the private side (it should, since it is the intended behavior) and thus it'll mess with the DNS validation.

So as long as there is a way to tell the controller what DNS server to use during validation, then this problem is solved.

tazjin avatar tazjin commented on July 22, 2024

but doing so is a good default behavior

I'm thinking doing a full resolve from the DNS root may actually be better, because that is what Let's Encrypt does.

Thanks for pointing this out, I'll make a separate issue and see if there's anything that can be done to improve it.

As you mentioned overriding the dns.server property will let people apply a fix currently, I'll probably pull that into the README.

itomaldonado avatar itomaldonado commented on July 22, 2024

Perfect, thanks~ Awesome work by the way.