DNS TLS
Captain Dany edited this page Jun 11, 2026
- DNS: ❌ Not configured — `oscar-crm.cc` does not resolve to the cluster
- TLS: ❌ Pending — cert-manager can't issue the Let's Encrypt certificate until DNS resolves
- App: ✅ Running at node IP `159.54.137.54` (requires the `Host: oscar-crm.cc` header)
Use the BIND zone file at `deploy/dns/oscar-crm.cc.zone` to import records:

- Log in to the Cloudflare Dashboard
- Select your domain (`oscar-crm.cc`)
- Go to DNS → Import
- Upload the zone file
| Type | Name | Value | TTL | Proxy |
|---|---|---|---|---|
| A | `@` (root) | `159.54.137.54` | Auto | DNS only (grey cloud) |
| A | `dev` | `159.54.137.54` | Auto | DNS only (grey cloud) |
| A | `staging` | `159.54.137.54` | Auto | DNS only (grey cloud) |
| A | `www` | `159.54.137.54` | Auto | DNS only (grey cloud) |
Important: Use DNS only (grey cloud), not Proxied (orange cloud). The OKE node IP is not behind Cloudflare's proxy. If you enable proxy, cert-manager will see Cloudflare's IP instead of the actual node IP for HTTP-01 validation.
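As an added pre-flight check (not part of this wiki page or the oscar-crm project), the script below verifies the two prerequisites above before HTTP-01 is attempted: every hostname from the zone resolves to the node IP, and none of them answers with a Cloudflare edge address, which is what an orange-cloud record returns. The Cloudflare ranges are an assumed subset of Cloudflare's published IPv4 list, and the resolver is injectable so the check can run offline against constructed answers.

```python
"""Pre-flight check for HTTP-01 readiness of the oscar-crm.cc records.

Added example; assumes the node IP and hostnames from the wiki page and a
subset of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

NODE_IP = "159.54.137.54"  # OKE node IP from the page
HOSTNAMES = ["oscar-crm.cc", "dev.oscar-crm.cc", "staging.oscar-crm.cc", "www.oscar-crm.cc"]

# Assumption: an A answer inside one of these ranges means the record is proxied (orange cloud).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Default resolver: all A records the local stub resolver returns; empty on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify(name: str, answers: List[str], expected_ip: str = NODE_IP) -> str:
    """Map one hostname's A answers to a finding that matches the troubleshooting table."""
    if not answers:
        return "unresolved"          # DNS not configured or not yet propagated
    if any(ipaddress.ip_address(a) in net for a in answers for net in CLOUDFLARE_V4):
        return "cloudflare-proxied"  # orange cloud: the ACME validator would reach Cloudflare, not the node
    if answers == [expected_ip]:
        return "ok"
    return "wrong-ip"                # stale record or extra A records


def preflight(hostnames: Iterable[str] = HOSTNAMES, resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Run classify() over every hostname and return {hostname: finding}."""
    return {h: classify(h, resolve(h)) for h in hostnames}


def ready_for_http01(report: Dict[str, str]) -> bool:
    """True only when every record points straight at the node (grey cloud, correct IP)."""
    return all(v == "ok" for v in report.values())


if __name__ == "__main__":
    for host, finding in preflight().items():
        print(f"{host:25s} {finding}")
```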
```bash
# After DNS propagates
dig +short oscar-crm.cc
dig +short dev.oscar-crm.cc
# Both should return: 159.54.137.54
```

The cluster has cert-manager installed with two ClusterIssuers:
- `letsencrypt-staging` — For testing (untrusted cert)
- `letsencrypt-prod` — For production (trusted cert)
Both use HTTP-01 challenge via nginx ingress class.
- Ingress created with the `cert-manager.io/cluster-issuer: "letsencrypt-prod"` annotation
- cert-manager creates a `Certificate` resource
- Certificate creates an `Order` → `Challenge`
- Challenge creates an HTTP solver pod and a temporary ingress
- Let's Encrypt visits `http://<domain>/.well-known/acme-challenge/<token>`
- If the response is correct, the certificate is issued
```bash
# Check certificate state
kubectl get certificate -n oscar-dev
# Check challenge state
kubectl get challenge -n oscar-dev
# Check order state
kubectl get order -n oscar-dev
# View detailed order status
kubectl describe order -n oscar-dev
```

| Issue | Cause | Fix |
|---|---|---|
| `WaitingForApproval` | Normal — cert-manager.io auto-approves | Wait a few seconds |
| `OrderPending` | Challenge not yet completed | Ensure DNS resolves to the cluster |
| Challenge stays pending | Let's Encrypt can't reach the domain | Check DNS, firewall, ingress |
| Certificate shows `False` | Issuance failed | Run `kubectl describe certificate` |
Once DNS is configured:

- Wait for DNS propagation (5-30 minutes)
- Verify DNS: `curl -s http://dev.oscar-crm.cc/health`
- cert-manager auto-detects the valid domain and completes the HTTP-01 challenge
- Certificate becomes `Ready`: `kubectl get certificate -n oscar-dev -w`
- HTTPS becomes available: `curl -s https://dev.oscar-crm.cc/health`
Alternative: Switch the ClusterIssuer to the DNS-01 challenge using the Cloudflare API:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@oscar-crm.cc
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
```

But this requires a Cloudflare API token stored in a `cloudflare-api-token` secret.