Score:0

Changing the issuer (from HTTP01 to DNS01 ACME verification) of a certificate in cert-manager


I have a certificate managed by cert-manager, on a Kubernetes cluster. It used to be renewed/validated via an HTTP01 ACME challenge but, because of security constraints (a firewall), that's not possible any more. I have to switch to a DNS01 ACME challenge (Cloudflare).

I think I have to change the Issuer from letsencrypt-prod to letsencrypt-prod-cloudflare, which I created for this... but I can't. I tried with kubectl patch and with kubectl edit, with no success:

Before:

$ kubectl get certificates.cert-manager.io tls-certificate -o=jsonpath='{.spec.issuerRef}' | jq
{
  "group": "cert-manager.io",
  "kind": "ClusterIssuer",
  "name": "letsencrypt-prod"
}

Trying to patch:

$ kubectl patch certificates.cert-manager.io tls-certificate -p '{"spec":{"issuerRef":{"name":"letsencrypt-prod-cloudflare"}}}'
Error from server (UnsupportedMediaType): the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml

Editing seems not to fail:

$ kubectl edit certificates.cert-manager.io tls-certificate 
certificate.cert-manager.io/tls-certificate edited

... but the certificate still hasn't changed:

$ kubectl get certificates.cert-manager.io tls-certificate -o=jsonpath='{.spec.issuerRef}' | jq
{
  "group": "cert-manager.io",
  "kind": "ClusterIssuer",
  "name": "letsencrypt-prod"
}

So... any idea on how to switch from HTTP01 to DNS01? Thanks!

Manish Bavireddy:
To switch a certificate's issuer in cert-manager from HTTP01 to DNS01 ACME verification, you will need to modify the ACME Issuer and specify the DNS01 provider configuration on the Issuer resource. In the Solvers configuration, you can also specify which challenge type HTTP01 or DNS01 should be used for the certificate. Following these modifications, you will be able to submit a Certificate request with the updated issuer, and the DNS01 challenge will be used for verification. Please refer to this [documentation](https://cert-manager.io/docs/configuration/acme/dns01/) for more details.
Silvian Cretu:
Hmm... interesting... so what you suggest is not editing the certificate, but, instead, editing the ClusterIssuer... I did re-create the certificate with a minimum downtime (a few seconds). I'll post the answer here.
Score:0

I ended up re-creating the certificate. In order to minimise the downtime, I did it like this:

export BACKUP_PATH=/some/path/on/your/computer/
# we assume the secret and the certificate have the same resource name, `tls-certificate` in this case
export CERT=tls-certificate

kubectl get certificates.cert-manager.io $CERT -o yaml > $BACKUP_PATH/$CERT-certificate.yaml
kubectl get secrets $CERT -o yaml > $BACKUP_PATH/$CERT-secret.yaml

cp $BACKUP_PATH/$CERT-certificate.yaml $BACKUP_PATH/$CERT-certificate.bak
vim $BACKUP_PATH/$CERT-certificate.yaml

(change the ClusterIssuer to the DNS01 one; clean up...)

kubectl delete certificates.cert-manager.io $CERT
kubectl delete secret $CERT

kubectl apply -f $BACKUP_PATH/$CERT-certificate.yaml

and it worked!
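Two pieces of the workflow above, written out as an added example (not code from this thread): a helper that does the elided "clean up..." step, i.e. strips the server-populated fields from a `kubectl get ... -o json` export and rewrites `spec.issuerRef` before the manifest is re-applied, and the in-place `kubectl patch` invocation with `--type merge`. The latter is relevant because `kubectl patch` defaults to a strategic merge patch, which custom resources such as cert-manager's Certificate do not accept; that is what the UnsupportedMediaType error in the question is reporting. The sample export is constructed; the resource, issuer and field names are the ones used in the thread.

```python
import json

# Constructed sample: the shape of `kubectl get certificate tls-certificate -o json`,
# trimmed to the fields that matter here.
SAMPLE_EXPORT = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {
        "name": "tls-certificate",
        "namespace": "default",
        # everything below is populated by the API server, not by the user
        "creationTimestamp": "2023-01-01T00:00:00Z",
        "generation": 3,
        "resourceVersion": "123456",
        "uid": "00000000-0000-0000-0000-000000000000",
        "managedFields": [{"manager": "kubectl-client-side-apply"}],
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{...}",
        },
    },
    "spec": {
        "secretName": "tls-certificate",
        "dnsNames": ["example.com"],
        "issuerRef": {
            "group": "cert-manager.io",
            "kind": "ClusterIssuer",
            "name": "letsencrypt-prod",
        },
    },
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}

# metadata fields the API server owns; re-submitting them on a fresh create
# is at best ignored and at worst rejected (resourceVersion/uid conflicts)
SERVER_METADATA_FIELDS = (
    "creationTimestamp", "generation", "managedFields",
    "resourceVersion", "uid", "selfLink",
)


def prepare_certificate_for_reissue(doc, new_issuer_name, issuer_kind="ClusterIssuer"):
    """Return a cleaned copy of an exported Certificate pointing at a new issuer.

    The input dict is left untouched, so the original export still serves as a backup.
    """
    if doc.get("kind") != "Certificate" or not str(doc.get("apiVersion", "")).startswith("cert-manager.io/"):
        raise ValueError("expected a cert-manager.io Certificate document")
    cleaned = json.loads(json.dumps(doc))  # deep copy via JSON round-trip
    cleaned.pop("status", None)            # status is reconciled by the controller
    meta = cleaned.setdefault("metadata", {})
    for field in SERVER_METADATA_FIELDS:
        meta.pop(field, None)
    # kubectl apply's own bookkeeping from the previous object must not be carried over
    annotations = meta.get("annotations", {})
    annotations.pop("kubectl.kubernetes.io/last-applied-configuration", None)
    if not annotations:
        meta.pop("annotations", None)
    cleaned["spec"]["issuerRef"] = {
        "group": "cert-manager.io",
        "kind": issuer_kind,
        "name": new_issuer_name,
    }
    return cleaned


def issuer_merge_patch(new_issuer_name):
    """JSON merge patch body that only touches spec.issuerRef.name."""
    return json.dumps({"spec": {"issuerRef": {"name": new_issuer_name}}}, separators=(",", ":"))


def patch_command(cert_name, new_issuer_name):
    """argv for the in-place change; `--type merge` selects application/merge-patch+json."""
    return [
        "kubectl", "patch", "certificates.cert-manager.io", cert_name,
        "--type", "merge", "-p", issuer_merge_patch(new_issuer_name),
    ]


if __name__ == "__main__":
    # Re-create path: this JSON is what `kubectl apply -f -` would receive
    manifest = prepare_certificate_for_reissue(SAMPLE_EXPORT, "letsencrypt-prod-cloudflare")
    print(json.dumps(manifest, indent=2))
    # In-place path: the command line the question's patch attempt was missing `--type merge` for
    print(" ".join(patch_command("tls-certificate", "letsencrypt-prod-cloudflare")))
```

Whichever path is used, cert-manager only re-issues against the new issuer once the existing TLS Secret is gone or the Certificate spec changes in a way that triggers re-issuance; the accepted answer forces this by deleting the Secret, which is where the few seconds of downtime come from.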
