DNS Challenge for Let's Encrypt® certificates

To add an option to run DNS Challenge when issuing Let's Encrypt® certificates:

1. Create a certificate.
2. Check the result.

If you no longer need the resources you created, delete them.

Getting startedGetting started

1. Create a service account with the dns.editor role for the folder the domain zone will be in.

2. Create an authorized key for the service account and save it to JSON file:

   yc iam key create \
     --service-account-name <service_account_name> \
     --format json \
     --output key.json
   

3. Register a public domain zone and delegate your domain. A Let's Encrypt® certificate will be issued for the domain in this zone after you pass the DNS-01 challenge.

4. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

   Warning

   The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

5. Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. When creating them, specify the security groups prepared earlier.

6. Install kubectl and configure it to work with the created cluster.

Create a certificateCreate a certificate

1. Install the cert-manager app with the Yandex Cloud DNS ACME webhook plugin by following this guide.

   During the installation, specify the service account and the authorized key created at the Getting started step.

2. Create a file named certificate.yaml:

   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: example-com
     namespace: default
   spec:
     secretName: example-com-secret
     issuerRef:
       # The issuer created previously
       name: yc-clusterissuer
       kind: ClusterIssuer
     dnsNames:
       - <domain_name>
   

3. Provide the certificate to the Managed Service for Kubernetes cluster:

   kubectl apply -f certificate.yaml
   

Check the resultCheck the result

1. Check if the certificate is available:

   kubectl get certificate example-com
   

   Result:

   NAME         READY  SECRET              AGE
   example-com  True   example-com-secret  24h
   

   The True status in the READY column means that the certificate was issued successfully.

2. (Optional) Get detailed information about the certificate:

   kubectl -n default describe certificate example-com
   

   The command output will contain similar events:

   Events:
     Type    Reason     Age   From                                       Message
     ----    ------     ----  ----                                       -------
     Normal  Issuing    ...   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
     Normal  Generated  ...   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource...
   

   Certificates are used bundled with related Kubernetes secrets, which store key pairs and service information. If there is no secret, the certificate is reissued automatically and a new secret is created – with a notification in the events. For more information on what can cause the reissue of a certificate, see the cert-manager documentation.

   As the certificate is being issued for the first time, it has no such related secret so far. The presence of notification events about the fact should not be considered an error.

Delete the resources you createdDelete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

1. Delete the Managed Service for Kubernetes cluster.
2. Delete the public domain zone.
3. Delete the service account.