DNS TLS

Captain Dany edited this page Jun 11, 2026 · 1 revision

DNS & TLS

Current Status

  • DNS: ❌ Not configured — oscar-crm.cc does not resolve to the cluster
  • TLS: ❌ Pending — cert-manager can't issue Let's Encrypt certificate until DNS resolves
  • App: ✅ Running at node IP 159.54.137.54 (requires Host: oscar-crm.cc header)

DNS Configuration

Cloudflare Import

Use the BIND zone file at deploy/dns/oscar-crm.cc.zone to import records:

  1. Log in to Cloudflare Dashboard
  2. Select your domain (oscar-crm.cc)
  3. Go to DNS → Import
  4. Upload the zone file

Required Records

Type  Name       Value           TTL   Proxy
A     @ (root)   159.54.137.54   Auto  DNS only (grey cloud)
A     dev        159.54.137.54   Auto  DNS only (grey cloud)
A     staging    159.54.137.54   Auto  DNS only (grey cloud)
A     www        159.54.137.54   Auto  DNS only (grey cloud)

Important: Use DNS only (grey cloud), not Proxied (orange cloud). The OKE node IP is not behind Cloudflare's proxy. If you enable proxy, cert-manager will see Cloudflare's IP instead of the actual node IP for HTTP-01 validation.

Verification

# After DNS propagates
dig +short oscar-crm.cc
dig +short dev.oscar-crm.cc
# Both should return: 159.54.137.54

cert-manager TLS

The cluster has cert-manager installed with two ClusterIssuers:

ClusterIssuers (deploy/cluster-issuer.yaml)

  • letsencrypt-staging — For testing (untrusted cert)
  • letsencrypt-prod — For production (trusted cert)

Both use HTTP-01 challenge via nginx ingress class.

How TLS Works

  1. Ingress created with cert-manager.io/cluster-issuer: "letsencrypt-prod" annotation
  2. cert-manager creates a Certificate resource
  3. Certificate creates an Order, which in turn creates a Challenge
  4. Challenge creates an HTTP solver pod and temporary ingress
  5. Let's Encrypt visits http://<domain>/.well-known/acme-challenge/<token>
  6. If the response is correct, the certificate is issued

Monitoring Certificate Status

# Check certificate state
kubectl get certificate -n oscar-dev

# Check challenge state
kubectl get challenge -n oscar-dev

# Check order state
kubectl get order -n oscar-dev

# View detailed order status
kubectl describe order -n oscar-dev

Common Issues

Issue                     Cause                                    Fix
WaitingForApproval        Normal — cert-manager.io auto-approves   Wait a few seconds
OrderPending              Challenge not yet completed              Ensure DNS resolves to cluster
Challenge stays pending   Let's Encrypt can't reach domain         Check DNS, firewall, ingress
Certificate shows False   Issuance failed                          Run kubectl describe certificate

Post-DNS Verification Flow

Once DNS is configured:

  1. Wait for DNS propagation (5-30 minutes)
  2. Verify DNS:
    curl -s http://dev.oscar-crm.cc/health
  3. cert-manager auto-detects the valid domain and completes HTTP-01 challenge
  4. Certificate becomes Ready:
    kubectl get certificate -n oscar-dev -w
  5. HTTPS becomes available:
    curl -s https://dev.oscar-crm.cc/health
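The DNS check above and the grey-cloud caveat in the DNS section can be scripted. The following is an added example, not part of the oscar-crm repository: it uses the node IP and hostnames from this page, assumes `dig` and `curl` are installed, and flags the two failure modes that block HTTP-01 (no A record yet, or Cloudflare's proxy answering instead of the node).

```shell
#!/bin/sh
# Added verification script (not part of the oscar-crm repo). Uses the node IP
# and hostnames from this page; `dig` and `curl` are needed for live checks.
NODE_IP="159.54.137.54"
HOSTS="oscar-crm.cc dev.oscar-crm.cc staging.oscar-crm.cc www.oscar-crm.cc"

# classify_answer ANSWER EXPECTED_IP
# ANSWER is the output of `dig +short <host> A`. Prints one verdict:
#   ok       - exactly the node IP (grey cloud; HTTP-01 can reach the ingress)
#   empty    - no A record yet (zone not imported or not propagated)
#   multiple - several addresses; Cloudflare's proxy (orange cloud) answers
#              with its own edge IPs, so Let's Encrypt would hit Cloudflare
#   wrong    - a single address that is not the node IP
classify_answer() {
  answer="$1"; expected="$2"
  if [ -z "$answer" ]; then echo "empty"; return 0; fi
  count=$(printf '%s\n' "$answer" | grep -c .)
  if [ "$count" -gt 1 ]; then echo "multiple"; return 0; fi
  if [ "$answer" = "$expected" ]; then echo "ok"; else echo "wrong"; fi
}

# headers_show_proxy HEADERS
# Returns 0 when raw HTTP response headers carry Cloudflare edge markers
# (server: cloudflare or cf-ray), i.e. the proxy is still in front of the node.
headers_show_proxy() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qiE '^(server: *cloudflare|cf-ray:)'
}

# live_check: resolve each host and probe the ACME challenge path over plain
# HTTP. nginx normally answers 404 for an unknown token; no answer at all means
# the ingress is unreachable and a real challenge would fail the same way.
live_check() {
  rc=0
  for h in $HOSTS; do
    verdict=$(classify_answer "$(dig +short "$h" A)" "$NODE_IP")
    hdrs=$(curl -sS -m 10 -D - -o /dev/null \
      "http://$h/.well-known/acme-challenge/probe-not-a-real-token" 2>/dev/null || true)
    code=$(printf '%s\n' "$hdrs" | head -n1 | awk '{print $2}')
    proxy="no"; headers_show_proxy "$hdrs" && proxy="yes"
    printf '%-20s dns=%-8s http=%-4s cloudflare-proxy=%s\n' "$h" "$verdict" "${code:-none}" "$proxy"
    [ "$verdict" = "ok" ] && [ "$proxy" = "no" ] || rc=1
  done
  return $rc
}

# Live checks run only with --live, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run `sh verify-dns.sh --live`; a non-zero exit means at least one hostname is not yet in a state where cert-manager's HTTP-01 challenge can succeed.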

If HTTP-01 Fails

Alternative: Switch the ClusterIssuer to DNS-01 challenge using Cloudflare API:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@oscar-crm.cc
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token

But this requires a Cloudflare API token stored in a cloudflare-api-token secret.