© 2026 Direct Cursus Technology L.L.C.
Creating an ACME resolver webhook for responses to DNS01 challenges

Written by
Yandex Cloud
Updated at February 24, 2026

Install the cert-manager application with the DNS01 webhook resolver to automatically pass domain ownership checks (ACME DNS01 challenges) for zones hosted in Yandex Cloud DNS: the webhook creates the TXT records Let's Encrypt asks for and removes them once validation is complete.

To run a webhook in a Managed Service for Kubernetes cluster:

  1. Set up the Managed Service for Kubernetes cluster.
  2. Install and run a webhook in a Managed Service for Kubernetes cluster.
  3. Test the webhook.
  4. Delete the resources you created.

Note

cert-manager with the ACME webhook for Yandex Cloud DNS supports wildcard certificates. Let's Encrypt issues wildcard certificates only through the DNS01 challenge, which is the main reason to use a DNS solver instead of HTTP01.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resources

The cost of supporting this solution includes:

  • Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see Managed Service for Kubernetes pricing).
  • Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see Compute Cloud pricing).
  • Fee for a public IP address for the cluster nodes (see Virtual Private Cloud pricing).

Set up your environment

  1. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

  2. Install kubectl, which is the command line interface for Kubernetes.

  3. Make sure you have enough resources available in the cloud.

  4. If you do not have a network yet, create one.

  5. If you do not have any subnets yet, create them in the availability zones where the new Managed Service for Kubernetes cluster and node group will reside.

  6. Create these service accounts:

    • sa-kubernetes with the following roles:

      • k8s.clusters.agent and vpc.publicAdmin for the folder where you will create the Managed Service for Kubernetes cluster.
      • container-registry.images.puller for the folder containing the Docker image registry.

      This service account creates the resources your cluster needs, and the Managed Service for Kubernetes nodes use it to pull the required Docker images from the registry.

    • sa-dns-editor with the dns.editor role for the folder containing the public zone. The webhook uses this service account to create and delete the TXT records for ACME challenges. Give it no other roles: the authorized key you create for it later is stored in the cluster, so it should be able to do nothing beyond editing that zone.

  7. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Warning

    The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.

  8. Add the following rules to your security groups:

    • Add to the cluster security group an outbound traffic rule that lets the master call the cert-manager webhook, which listens on TCP port 10250 inside the cluster:
      • Port range: 10250.
      • Protocol: TCP.
      • Destination name: CIDR.
      • CIDR blocks: 0.0.0.0/0.

      0.0.0.0/0 is the simplest setting. Since the webhook runs as a pod, you can narrow the destination to the pod CIDR you assign under Cluster network settings when creating the cluster.
    • Add to the node group security group an outbound traffic rule allowing the nodes, where cert-manager and the webhook run, to reach the Let's Encrypt® ACME servers over HTTPS; the same rule also covers the webhook's calls to the Yandex Cloud IAM and Cloud DNS APIs:
      • Port range: 443.
      • Protocol: TCP.
      • Destination name: CIDR.
      • CIDR blocks: 0.0.0.0/0.

Prepare your Managed Service for Kubernetes cluster

Create a Managed Service for Kubernetes cluster

Management console
  1. In the management console, select the folder where you want to create a Managed Service for Kubernetes cluster.
  2. Select Managed Service for Kubernetes.
  3. Click Create cluster.
  4. Enter the name for the cluster: kubernetes-cluster-wh.
  5. Service account for resources: Specify the sa-kubernetes service account that will be used to create resources.
  6. Service account for nodes: Specify the sa-kubernetes service account the Managed Service for Kubernetes nodes will use to access the Docker image registry.
  7. Specify the release channel. You will not be able to edit this setting once you create the Managed Service for Kubernetes cluster.
  8. Under Master configuration:
    • Kubernetes version: Select the Kubernetes version to install on the Managed Service for Kubernetes master. Your kubectl must be within one minor version of it (the Kubernetes version skew policy).
    • Public address: Select the IP address assignment method:
      • Auto: Assign a random IP address from the Yandex Cloud IP address pool.
    • Type of master: Select the master type:
      • Basic: To create a single master host in the selected availability zone. Specify the cloud network and select the subnet for the master host.
      • Highly available: To create a single master host in each availability zone. Specify the cloud network and subnet for each availability zone.
    • Select security groups for the Managed Service for Kubernetes cluster's network traffic.
  9. Under Cluster network settings:
    • CIDR cluster: Specify the IP address range to allocate addresses to pods from.
    • CIDR services: Specify the IP address range to allocate IP addresses to services from.
    • Set the subnet mask for the Managed Service for Kubernetes nodes and the maximum number of pods per node.
  10. Click Create.
  11. Wait until the cluster status switches to Running and its state, to Healthy.

Add credentials to the kubectl configuration file

CLI
  1. Run this command:

    yc managed-kubernetes cluster get-credentials kubernetes-cluster-wh --external
    

    By default, the credentials are added to the $HOME/.kube/config file. To write them to a different kubeconfig file, pass the --kubeconfig <file_path> parameter.

  2. Check the kubectl configuration after adding the credentials:

    kubectl config view
    

    Result:

    apiVersion: v1
    clusters:
      - cluster:
        certificate-authority-data: DATA+OMITTED
    ...
    

Create a node group

Management console
  1. In the management console, select the folder where you created the required Managed Service for Kubernetes cluster.

  2. From the list of services, select Managed Service for Kubernetes.

  3. Select kubernetes-cluster-wh.

  4. On the cluster page, navigate to the Node manager tab.

  5. Click Create a node group.

  6. Enter a name and description for the Managed Service for Kubernetes node group.

  7. In the Kubernetes version field, select the Kubernetes version for the Managed Service for Kubernetes nodes.

  8. Under Scaling, select its type:

    • Fixed, to keep a fixed number of nodes in the Managed Service for Kubernetes group. Specify the number of nodes in the Managed Service for Kubernetes group.
    • Automatic, to manage the number of nodes in the Managed Service for Kubernetes group using Managed Service for Kubernetes cluster autoscaling.
  9. Under Changes during creation and updates, specify the maximum number of VMs by which you can exceed or reduce the Managed Service for Kubernetes group size.

  10. Under Computing resources:

    • Select a platform.
    • Specify the required number of vCPUs, guaranteed vCPU performance, and the amount of RAM.
  11. Under Storage:

    • Specify the Disk type for the Managed Service for Kubernetes group nodes:

      • HDD: Standard network drive; HDD network block storage.
      • SSD: Fast network drive; SSD network block storage.
      • Non-replicated SSD: Network drive with enhanced performance achieved by eliminating redundancy. You can only change the size of this disk type in 93 GB increments.
      • SSD IO: Network drive with the same performance specifications as Non-replicated SSD, plus redundancy. You can only change the size of this disk type in 93 GB increments.

      For more information about disk types, see this Yandex Compute Cloud guide.

    • Specify the disk size for the Managed Service for Kubernetes group nodes.

  12. Under Network settings:

    • In the Public address field, select an IP address assignment method:
      • Auto: Assign a random IP address from the Yandex Cloud IP address pool.
    • Select security groups.
    • Select the availability zone and subnet to place the Managed Service for Kubernetes group nodes in.
  13. Under Access, specify the access credentials for the Managed Service for Kubernetes group nodes over SSH:

    • Login: Enter the username.
    • SSH key: Paste the contents of the public key file.
  14. Click Create.

  15. Wait until the node group status switches to Running.

Install and run a webhook in a Managed Service for Kubernetes cluster

  1. Clone the webhook repository with the certificate manager configured to issue Let's Encrypt certificates:

    git clone https://github.com/yandex-cloud/cert-manager-webhook-yandex.git
    
  2. Install Helm to manage packages in your Kubernetes cluster.

  3. Install the webhook using Helm:

    helm install \
      --namespace cert-manager \
      --create-namespace \
      yandex-webhook ./cert-manager-webhook-yandex/deploy/cert-manager-webhook-yandex
    
  4. Make sure the webhook is running:

    kubectl get pods -n cert-manager --watch
    

    Make sure the list includes the pod of the ACME webhook for Yandex Cloud DNS in the Running state:

    NAME                                                          READY   STATUS    RESTARTS   AGE
    ... 
    yandex-webhook-cert-manager-webhook-yandex-55********-tw4mq   1/1     Running   1          43m
    

Test the webhook

Prepare configuration files

  1. Create an authorized key for the sa-dns-editor service account and save it to the iamkey.json file (substitute the ID of sa-dns-editor, shown on the service account's page in the management console):

    yc iam key create iamkey \
      --service-account-id=<service_account_ID> \
      --format=json \
      --output=iamkey.json
    
  2. Create a secret with the service account key in the cert-manager namespace (a ClusterIssuer reads the secrets it references from cert-manager's own namespace, not from the namespace of the Certificate):

    kubectl create secret generic cert-manager-secret --from-file=iamkey.json -n cert-manager

    Once the secret exists, delete the local iamkey.json and keep it out of version control: it grants dns.editor on the folder and is not needed on your workstation again.
    
  3. Create the cluster-issuer.yml file with the ClusterIssuer object manifest that uses the DNS01 webhook resolver for the Cloud DNS zone. A ClusterIssuer is cluster-scoped, so it has no namespace, and cert-manager looks up the secrets it references (the ACME account key and the service account key) in the cert-manager namespace:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: clusterissuer
    spec:
      acme:
        email: <email_address_for_notifications_from_Lets_Encrypt>
        # Production endpoint. While testing, point this at the staging endpoint
        # https://acme-staging-v02.api.letsencrypt.org/directory to stay clear of
        # Let's Encrypt rate limits (staging certificates are not publicly trusted).
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # cert-manager creates this secret and keeps the ACME account key in it
          name: secret-ref
        solvers:
          - dns01:
              webhook:
                config:
                  folder: <ID_of_folder_with_public_zone>
                  serviceAccountSecretRef:
                    name: cert-manager-secret
                    key: iamkey.json
                groupName: acme.cloud.yandex.com
                solverName: yandex-cloud-dns
    
  4. Create the cluster-certificate.yml file with the Certificate object manifest:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: your-site
      namespace: default
    spec:
      # cert-manager writes the issued certificate and its private key to this TLS secret
      secretName: your-site-secret
      issuerRef:
        name: clusterissuer
        kind: ClusterIssuer
      dnsNames:
        - <domain_name>
        # For a wildcard certificate, add "*.<domain_name>" here as well;
        # DNS01 is the only challenge type Let's Encrypt accepts for wildcards.
    

Issue a certificate using the webhook

  1. Create the objects in the Kubernetes cluster:

    kubectl apply -f cluster-issuer.yml && \
    kubectl apply -f cluster-certificate.yml
    
  2. Check the certificate status:

    kubectl get certificate
    

    Result:

    NAME        READY  SECRET            AGE
    your-site   True   your-site-secret  45m
    

    The True status in the READY column means that the certificate was issued successfully and the TLS key pair is stored in the your-site-secret secret. Issuance usually takes a few minutes: cert-manager waits until the _acme-challenge TXT record is visible in DNS before asking Let's Encrypt to validate it. If READY stays False, describe the Certificate object and the Order and Challenge objects cert-manager created for it; the Challenge status explains why the DNS01 check failed (typically a wrong folder ID, a secret in the wrong namespace, or a service account without dns.editor).
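To make the check above concrete, the following added example (it is not code from this page, from cert-manager or from the Yandex Cloud webhook) reproduces the DNS01 arithmetic the webhook performs: the TXT value it publishes under _acme-challenge.<domain> for the token it receives in the ACME challenge, computed from the ACME account key as RFC 8555 section 8.4 and the JWK thumbprint of RFC 7638 prescribe, and the comparison Let's Encrypt then makes. The account key, token and DNS answer are constructed sample data, and the function names (`dns01_txt_value`, `challenge_record_name`, `verify_dns01`, `walk_issuance`) are this example's own. It also covers the wildcard case from the note at the top: `*.<domain>` is validated under the same `_acme-challenge.<domain>` name as the apex.

```python
"""DNS01 challenge values as specified in RFC 8555 (section 8.4) and the
JWK thumbprint of RFC 7638. Illustration only: not cert-manager's or the
Yandex Cloud webhook's code. Every key, token and DNS answer here is
constructed sample data."""
import base64
import hashlib
import json

# Constructed ACME account key: arbitrary base64url strings, not a real
# point on P-256. The thumbprint depends only on the required members.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # optional member: must not influence the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 input: required members only, lexicographic order, no whitespace."""
    try:
        members = REQUIRED_MEMBERS[jwk["kty"]]
        subset = {m: jwk[m] for m in members}
    except KeyError as exc:
        raise ValueError(f"JWK has a missing or unsupported member: {exc}") from exc
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), the account key identifier in ACME."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey). HTTP01 serves this string as is."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS01 publishes SHA-256 of the key authorization, base64url-encoded,
    so the TXT value is always 43 characters, never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record. A wildcard identifier is validated on
    its base name, so '*.example.com' and 'example.com' share one record
    name and both values may be live at the same time."""
    name = identifier.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"invalid DNS identifier {identifier!r}")
    return f"_acme-challenge.{name}."


def verify_dns01(token: str, account_jwk: dict, observed_txt: list) -> bool:
    """CA side: the challenge passes if any published TXT value equals the
    expected digest; extra (stale) values are allowed by RFC 8555."""
    expected = dns01_txt_value(token, account_jwk)
    return any(value == expected for value in observed_txt)


def walk_issuance(domain: str, token: str = SAMPLE_TOKEN, jwk: dict = SAMPLE_ACCOUNT_JWK) -> dict:
    """What the webhook writes and what the CA checks for <domain> and *.<domain>."""
    txt = dns01_txt_value(token, jwk)
    names = {ident: challenge_record_name(ident) for ident in (domain, f"*.{domain}")}
    # Constructed DNS answer: the fresh value plus one left over from an earlier order.
    published = {names[domain]: [txt, "stale-value-left-from-an-earlier-order"]}
    return {
        "txt": txt,
        "record_names": names,
        "verified": verify_dns01(token, jwk, published[names[domain]]),
    }


if __name__ == "__main__":
    print(json.dumps(walk_issuance("example.com"), indent=2))
```

Two points the script makes that the status table cannot: the TXT value is a digest of the key authorization, so publishing the key authorization itself (the HTTP01 payload) never validates, and the apex and wildcard challenges for one zone land on the same record name, which is why the webhook must add and remove individual values rather than overwrite the record.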

Delete the resources you created

If you no longer need the resources you created, delete the Managed Service for Kubernetes cluster. Also delete the authorized key of the sa-dns-editor service account, so that the credential stored in the cluster secret can no longer edit your DNS zone.
