Cert Manager Webhook for Name.com is an ACME webhook solver for cert-manager that enables the use of DNS01 challenges with Name.com as the DNS provider, via the Name.com API.
- go >= 1.13.0
- helm >= v3.0.0 installed on your computer
- kubernetes >= v1.14.0 (>=v1.19 recommended)
- cert-manager >= 0.12.0 installed on the cluster
- A Name.com account with a Name.com v4 Production API token
- A valid domain registered and configured with Name.com's default nameservers
Use a local checkout of this repository and install the webhook with Helm:
```sh
helm install --namespace cert-manager cert-manager-webhook-namecom ./deploy/cert-manager-webhook-namecom/
```
🔔 Note: The webhook should be deployed into the same namespace as `cert-manager`. If you changed that, you should update the `certManager.namespace` value in the deploy template file, `values.yaml`, before installation.
You can also remove the webhook using Helm:
```sh
helm uninstall --namespace cert-manager cert-manager-webhook-namecom
```
Create a Kubernetes Secret to store the value of your Name.com API token:
```sh
kubectl create secret generic namedotcom-credentials --from-literal=api-token=<your API token> --namespace cert-manager
```
💡 Note: The secret should also be in the same namespace as `cert-manager`. If you change the name of the secret or key, don't forget to use those values in the Issuer below.
Define a cert-manager Issuer (or ClusterIssuer) resource that uses the webhook as the solver. Create a file called, e.g., `cert-issuer.yml`, and use the following content as the template:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-namecom
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # For production use this URL instead:
    # server: https://acme-v02.api.letsencrypt.org/directory
    email: <your email address>
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.name.com
            solverName: namedotcom
            config:
              username: <your Name.com username>
              apitokensecret:
                name: namedotcom-credentials
                key: api-token
```
💡 Note: The `config` key for the webhook defines your Name.com API credentials; the `apitokensecret.name` and `apitokensecret.key` values must match those for your secret, above.
Apply the file to your cluster to create the resource:
```sh
kubectl apply -f cert-issuer.yml
```
🔔 Note: If you defined an `Issuer` rather than a `ClusterIssuer`, you should create it in the same namespace as `cert-manager`.
Create a certificate by defining a cert-manager Certificate resource and applying it to your cluster:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
    - test.example.com
  issuerRef:
    name: letsencrypt-namecom
    kind: ClusterIssuer
  secretName: example-cert
```
💡 Note: If you defined an `Issuer` rather than a `ClusterIssuer`, you can omit the `issuerRef.kind` key.
```sh
kubectl apply -f example-cert.yml
```
After allowing a short period for the challenge, order and issuing process to complete, the certificate should be available for use: 🥳
```
$ kubectl get certificate example-com
NAME          READY   SECRET             AGE
example-com   True    example-com-cert   1m12s
```
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
✔️ It is essential that you configure and run the test suite when creating a DNS01 webhook.
Before running the test suite, you must supply valid credentials for the Name.com API. See the test data README for more information.
You can run the test suite with:
```sh
TEST_ZONE_NAME=example.com. make test
```
🔔 Note: `example.com` must also be a domain registered to your Name.com account and configured with Name.com's default nameservers so that DNS records can be managed via Name.com DNS.
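
cert-manager hands a DNS01 webhook the challenge record name and its zone as fully qualified, dot-terminated names, the same form as `TEST_ZONE_NAME=example.com.` above. The Go code below is an added example, not code from this repository: `splitChallengeFQDN` and `recordTarget` are hypothetical names, and it assumes the DNS provider is addressed by the registered domain (no trailing dot) plus a host relative to it. It rejects any record name that does not sit inside the resolved zone.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// recordTarget is a hypothetical type: the registered domain and the
// relative host under which the challenge TXT record would be created.
type recordTarget struct {
	Domain string // zone without trailing dot, e.g. "example.com"
	Host   string // labels relative to Domain, e.g. "_acme-challenge.test"
}

// splitChallengeFQDN maps the fully qualified record name and zone that
// cert-manager resolves for a DNS01 challenge onto a (domain, host) pair.
// Both inputs must be dot-terminated; comparison is case-insensitive, and
// the record must lie strictly below the zone.
func splitChallengeFQDN(resolvedFQDN, resolvedZone string) (recordTarget, error) {
	fqdn := strings.ToLower(resolvedFQDN)
	zone := strings.ToLower(resolvedZone)
	if !strings.HasSuffix(fqdn, ".") || !strings.HasSuffix(zone, ".") || zone == "." {
		return recordTarget{}, errors.New("record name and zone must be fully qualified (trailing dot)")
	}
	// Match on a label boundary ("." + zone) so that "notexample.com." is
	// never treated as part of the zone "example.com.".
	if !strings.HasSuffix(fqdn, "."+zone) {
		return recordTarget{}, fmt.Errorf("%q is not inside zone %q", resolvedFQDN, resolvedZone)
	}
	host := strings.TrimSuffix(fqdn, "."+zone)
	if host == "" {
		return recordTarget{}, fmt.Errorf("%q has an empty host label", resolvedFQDN)
	}
	return recordTarget{Domain: strings.TrimSuffix(zone, "."), Host: host}, nil
}

func main() {
	// Constructed sample input matching the Certificate example above.
	t, err := splitChallengeFQDN("_acme-challenge.test.example.com.", "example.com.")
	fmt.Println(t.Domain, t.Host, err)
}
```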