DNS Challenge for Let's Encrypt® certificates
To add an option to run DNS Challenge when issuing Let's Encrypt® certificates:
If you no longer need the resources you created, delete them.
Getting started
- Create a service account with the dns.editor role for the folder the domain zone will be in.
- Create an authorized key for the service account and save it to a JSON file:
      yc iam key create \
        --service-account-name <service_account_name> \
        --format json \
        --output key.json
- Register a public domain zone and delegate your domain. A Let's Encrypt® certificate will be issued for the domain in this zone after you pass the DNS-01 challenge.
- Create security groups for the Managed Service for Kubernetes cluster and its node groups.
  Warning
  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. When creating them, specify the security groups prepared earlier.
- Install kubectl and configure it to work with the created cluster.
Create a certificate
- Install the cert-manager app with the Yandex Cloud DNS ACME webhook plugin by following this guide.
  During the installation, specify the service account and the authorized key created at the Getting started step.
- Create a file named certificate.yaml:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: example-com
        namespace: default
      spec:
        secretName: example-com-secret
        issuerRef:
          # The issuer created previously
          name: yc-clusterissuer
          kind: ClusterIssuer
        dnsNames:
          - <domain_name>
- Provide the certificate to the Managed Service for Kubernetes cluster:
      kubectl apply -f certificate.yaml
Check the result
- Check if the certificate is available:
      kubectl get certificate example-com
  Result:
      NAME          READY   SECRET               AGE
      example-com   True    example-com-secret   24h
  The True status in the READY column means that the certificate was issued successfully.
- (Optional) Get detailed information about the certificate:
      kubectl -n default describe certificate example-com
  The command output will contain similar events:
      Events:
        Type    Reason     Age   From                                   Message
        ----    ------     ----  ----                                   -------
        Normal  Issuing    ...   cert-manager-certificates-trigger      Issuing certificate as Secret does not exist
        Normal  Generated  ...   cert-manager-certificates-key-manager  Stored new private key in temporary Secret resource...
  Certificates are used together with related Kubernetes secrets, which store key pairs and service information. If the secret is missing, the certificate is reissued automatically and a new secret is created, with a notification in the events. For more information on what can cause a certificate to be reissued, see the cert-manager documentation. Because the certificate is being issued for the first time, it has no related secret yet, so the notification events about this should not be considered an error.
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need: