HTTP01
📌 This page focuses on solving ACME HTTP-01 challenges. If you are looking for how to automatically create Certificate resources by annotating Ingress or Gateway resources, see Securing Ingress Resources and Securing Gateway Resources.
cert-manager uses your existing Ingress or Gateway configuration in order to solve HTTP01 challenges.
Configuring the HTTP01 Ingress solver
This page contains details on the different options available on the Issuer
resource's HTTP01 challenge solver configuration. For more information on
configuring ACME issuers and their API format, read the ACME Issuers
documentation.
You can read about how the HTTP01 challenge type works on the Let's Encrypt challenge types page.
Here is an example of a simple HTTP01
ACME issuer with more options for
configuration below:
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: example-issuerspec:acme:server: https://acme-staging-v02.api.letsencrypt.org/directoryprivateKeySecretRef:name: example-issuer-account-keysolvers:- http01:ingress:class: nginx
Options
The HTTP01 Issuer supports a number of additional options. For full details on the range of options available, read the reference documentation.
class
If the class
field is specified, cert-manager will create new Ingress
resources in order to route traffic to the acmesolver
pods, which are
responsible for responding to ACME challenge validation requests.
If this field is not specified, and name
is also not specified,
cert-manager will default to create new Ingress
resources but will not
set the ingress class on these resources, meaning all ingress controllers
installed in your cluster will serve traffic for the challenge solver,
potentially incurring additional cost.
name
If the name
field is specified, cert-manager will edit the named
ingress resource in order to solve HTTP01 challenges.
This is useful for compatibility with ingress controllers such as ingress-gce
,
which utilize a unique IP address for each Ingress
resource created.
This mode should be avoided when using ingress controllers that expose a single IP for all ingress resources, as it can create compatibility problems with certain ingress-controller specific annotations.
serviceType
In rare cases it might be not possible/desired to use NodePort
as type for the
HTTP01 challenge response service, e.g. because of Kubernetes limit
restrictions. To define which Kubernetes service type to use during challenge
response specify the following HTTP01 configuration:
http01:ingress:# Valid values are ClusterIP and NodePortserviceType: ClusterIP
By default, type NodePort
will be used when you don't set HTTP01 or when you set
serviceType
to an empty string. Normally there's no need to change this.
podTemplate
You may wish to change or add to the labels and annotations of solver pods.
These can be configured under the metadata
field under podTemplate
.
Similarly, you can set the nodeSelector
, tolerations and affinity of solver
pods by configuring under the spec
field of the podTemplate
. No other
spec fields can be edited.
An example of how you could configure the template is as so:
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: ...spec:acme:server: ...privateKeySecretRef:name: ...solvers:- http01:ingress:podTemplate:metadata:labels:foo: "bar"env: "prod"spec:nodeSelector:bar: baz
The added labels and annotations will merge on top of the cert-manager defaults, overriding entries with the same key.
No other fields of the podTemplate
exist.
ingressTemplate
It is possible to add labels and annotations to the solver ingress resources.
It can be really useful when you are managing several Ingress Controllers across your cluster and you want to make sure that the right one will pick up and expose the solver (for the upcoming challenge to resolve).
These can be configured under the metadata
field under ingressTemplate
:
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: ...spec:acme:server: ...privateKeySecretRef:name: ...solvers:- http01:ingress:ingressTemplate:metadata:labels:foo: "bar"annotations:"nginx.ingress.kubernetes.io/whitelist-source-range": "0.0.0.0/0,::/0""nginx.org/mergeable-ingress-type": "minion""traefik.ingress.kubernetes.io/frontend-entry-points": "http"
The added labels and annotations will merge on top of the cert-manager defaults, overriding entries with the same key.
No other fields of the ingress can be edited.
Configuring the HTTP-01 Gateway API solver
FEATURE STATE: cert-manager 1.5 [alpha]
The Gateway and HTTPRoute resources are part of the Gateway API, a set of CRDs that you install on your Kubernetes cluster that provide various improvements over the Ingress API.
📌 This feature requires the installation of the Gateway API CRDs and passing a feature flag to the cert-manager controller.
To install the Gateway API CRDs, run the following command:
kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.4.1" | kubectl apply -f -
To enable the feature in cert-manager, turn on the GatewayAPI
feature gate:
-
If you are using Helm:
helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager \--set "extraArgs={--feature-gates=ExperimentalGatewayAPISupport=true}" -
If you are using the raw cert-manager manifests, add the following flag to the cert-manager controller Deployment:
args:- --feature-gates=ExperimentalGatewayAPISupport=true
The Gateway API CRDs should either be installed before cert-manager starts or the cert-manager Deployment should be restarted after installing the Gateway API CRDs. This is important because some of the cert-manager components only perform the Gateway API check on startup. You can restart cert-manager with the following command:
kubectl rollout restart deployment cert-manager -n cert-manager
🚧 Since cert-manager 1.8, v1alpha2 is the only supported version of the Gateway API. The version v1alpha1 was supported in cert-manager 1.5, 1.6, and 1.7.
You can read Upgrading from v1.7 to v1.8 to know more about
migrating your Issuer and ClusterIssuer resources that use gatewayHTTPRoute
from v1alpha1 to v1alpha2.
The Gateway API HTTPRoute HTTP-01 solver creates a temporary HTTPRoute using the given labels. These labels must match a Gateway that contains a listener on port 80.
Here is an example of a HTTP-01 ACME Issuer using the Gateway API:
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: letsencryptnamespace: defaultspec:acme:solvers:- http01:gatewayHTTPRoute:parentRefs:- name: traefiknamespace: traefikkind: Gateway
The Issuer relies on an existing Gateway present on the cluster. cert-manager does not edit Gateway resources.
For example, the following Gateway will allow the Issuer to solve the challenge:
apiVersion: gateway.networking.k8s.io/v1alpha2kind: Gatewaymetadata:name: traefiknamespace: traefikspec:gatewayClassName: traefiklisteners:- name: httpprotocol: HTTPport: 80allowedRoutes:namespaces:from: All
In the above example, the Gateway has been specifically created for the purpose of solving HTTP-01 challenges, but you can also choose to re-use your existing Gateway, as long as it has a listener on port 80.
The labels
on your Issuer may reference a Gateway that is on a separate
namespace, as long as the Gateway's port 80 listener is configured with from: All
. Note that the Certificate will still be created on the same namespace as
the Issuer, which means that you won't be able to reference this Secret in the
above-mentioned Gateway.
When the above Issuer is presented with a Certificate, cert-manager creates the temporary HTTPRoute. For example, with the following Certificate:
apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: example-tlsnamespace: defaultspec:issuerRef:name: letsencryptdnsNames:- example.net
You will see an HTTPRoute appear:
kind: HTTPRoutemetadata:name: cm-acme-http-solver-gdhvgnamespace: defaultspec:parentRefs:- name: traefiknamespace: traefikkind: Gatewayhostnames:- example.netrules:- forwardTo:- port: 8089serviceName: cm-acme-http-solver-gdhvgweight: 1matches:- path:type: Exactvalue: /.well-known/acme-challenge/YadC4gaAzqEPU1Yea0D2MrzvNRWiBCtUizCtpiRQZqI
After the Certificate is issued, the HTTPRoute is deleted.
labels
These labels are copied into the temporary HTTPRoute created by cert-manager for solving the HTTP-01 challenge. These labels must match one of the Gateway resources on your cluster. The matched Gateway have a listener on port 80.
Note that when the labels do not match any Gateway on your cluster, cert-manager will create the temporary HTTPRoute challenge and nothing will happen.
serviceType
This field has the same meaning as the
http01.ingress.serviceType
.
Setting Nameservers for HTTP-01 solver propagation checks
cert-manager will perform reachability tests before attempting a HTT01
challenge. By default cert-manager will use the recursive nameservers taken
from /etc/resolv.conf
to query the challenge URL.
If this is not desired (for example with split-horizon DNS), the cert-manager controller exposes a flag that allows you alter this behavior:
--acme-http01-solver-nameservers
Comma separated string with host and port of the
recursive nameservers cert-manager should query.
Example usage:
--acme-http01-solver-nameservers="8.8.8.8:53,1.1.1.1:53"
If you're using the cert-manager
helm chart, you can set recursive nameservers
through .Values.extraArgs
or at the command at helm install/upgrade time
with --set
:
--set 'extraArgs={--acme-http01-solver-nameservers=8.8.8.8:53\,1.1.1.1:53}'