DNS challenge for Let's Encrypt® certificates
To add a DNS challenge when issuing Let's Encrypt® certificates:
If you no longer need the resources you created, delete them.
Required paid resources
The support cost for this solution includes:
- Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see Managed Service for Kubernetes pricing).
- Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see Compute Cloud pricing).
- Fee for a public IP address assigned to cluster nodes (see Virtual Private Cloud pricing).
- Fee for a DNS zone and DNS requests (see Cloud DNS pricing).
Getting started
- Create a service account with the dns.editor role for the folder that will contain the domain zone.
- Create an authorized key for the service account and save it to a JSON file:
    yc iam key create \
      --service-account-name <service_account_name> \
      --format json \
      --output key.json
- Register a public domain zone and delegate your domain. A Let's Encrypt® certificate will be issued for the domain in this zone after you pass the DNS-01 challenge.
- Create security groups for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Add the following rules to the security group applied to the node group:
  - Rule for inbound traffic to allow certificate checking via a cert-manager webhook:
    - Port range: 10250.
    - Protocol: TCP.
    - Destination name: CIDR.
    - CIDR blocks: 0.0.0.0/0.
  - Rule for outbound traffic to allow connection to Let's Encrypt® servers for issuing certificates:
    - Port range: 443.
    - Protocol: TCP.
    - Destination name: CIDR.
    - CIDR blocks: 0.0.0.0/0.
- Create a Managed Service for Kubernetes cluster and node group with any suitable configuration. When creating them, specify the preconfigured security groups.
- Install kubectl and configure it to work with the new cluster.
Create a certificate
- Install cert-manager with the Yandex Cloud DNS ACME webhook plugin by following this guide. During the installation, specify the service account and the authorized key you created when getting started.
- Create a file named certificate.yaml:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: example-com
      namespace: default
    spec:
      secretName: example-com-secret
      issuerRef:
        # The issuer created previously
        name: yc-clusterissuer
        kind: ClusterIssuer
      dnsNames:
        - <domain_name>
- Apply the certificate to your Managed Service for Kubernetes cluster:
    kubectl apply -f certificate.yaml
Check the result
- Check the certificate status:
    kubectl get certificate example-com
  Result:
    NAME          READY   SECRET               AGE
    example-com   True    example-com-secret   24h
  The True status in the READY column means that the certificate was issued successfully.
- Optionally, get detailed information about the certificate:
    kubectl -n default describe certificate example-com
  The command output will contain events similar to these:
    Events:
      Type    Reason     Age   From                                   Message
      ----    ------     ----  ----                                   -------
      Normal  Issuing    ...   cert-manager-certificates-trigger      Issuing certificate as Secret does not exist
      Normal  Generated  ...   cert-manager-certificates-key-manager  Stored new private key in temporary Secret resource...
  Certificates are used together with related Kubernetes secrets, which store key pairs and service information. If the secret does not exist, the certificate is reissued automatically and a new secret is created, with a notification in the events. For more information on what can cause a certificate to be reissued, see the cert-manager documentation. Since the certificate is being issued for the first time, it has no related secret yet, so the presence of such notification events is not an error.
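The READY column only tells you whether issuance has finished. The following added helper (example code, not part of this guide or of cert-manager) reads the JSON from `kubectl get certificate example-com -o json` and uses cert-manager's Ready and Issuing conditions to distinguish a first issuance that is still in progress from a real failure; the sample object below is constructed to mirror the example-com certificate above.

```python
from __future__ import annotations
import json

def _condition(cert: dict, ctype: str) -> dict | None:
    """Find one status.conditions entry by type (cert-manager uses Ready and Issuing)."""
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return None

def triage_certificate(cert: dict) -> dict:
    """Summarise a Certificate object; state is issued, pending, failed or unknown."""
    spec, status = cert.get("spec", {}), cert.get("status", {})
    ready, issuing = _condition(cert, "Ready"), _condition(cert, "Issuing")
    issuer = spec.get("issuerRef", {})
    out = {
        "name": cert.get("metadata", {}).get("name"),
        "secret": spec.get("secretName"),
        "issuer": f"{issuer.get('kind')}/{issuer.get('name')}",
        "not_after": status.get("notAfter"),
        # dnsNames still holding the manifest placeholder were never filled in
        "unfilled_dns_names": [d for d in spec.get("dnsNames", []) if d.startswith("<")],
    }
    if ready and ready.get("status") == "True":
        out["state"], out["detail"] = "issued", ready.get("message", "")
    elif issuing and issuing.get("status") == "True":
        # Ready=False together with Issuing=True is the normal first-issuance state
        out["state"], out["detail"] = "pending", issuing.get("message", "")
    elif ready:
        out["state"], out["detail"] = "failed", f"{ready.get('reason')}: {ready.get('message')}"
    else:
        out["state"], out["detail"] = "unknown", "no Ready condition reported yet"
    return out

# Constructed sample: the guide's example-com Certificate during its first issuance
SAMPLE_PENDING = json.loads("""{
  "metadata": {"name": "example-com", "namespace": "default"},
  "spec": {"secretName": "example-com-secret", "dnsNames": ["<domain_name>"],
           "issuerRef": {"name": "yc-clusterissuer", "kind": "ClusterIssuer"}},
  "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"},
    {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"}]}}""")

if __name__ == "__main__":
    import sys  # pipe kubectl's JSON into this script, or run it alone to use the sample
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PENDING
    print(json.dumps(triage_certificate(data), indent=2))
```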
Delete the resources you created
Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them: