Add user-guide for creating an ACME Issuer using DNS validation

2017-10-20 11:37:02 +01:00 · 2017-10-20 11:37:02 +01:00 · 2edd887c4b
commit 2edd887c4b
parent c70e0ed33e
4 changed files with 52 additions and 37 deletions
--- a/docs/README.md
+++ b/docs/README.md
@ -15,7 +15,7 @@ It is split into these three sections for easier navigation.
 * [Creating a simple CA based issuer](user-guides/ca-based-issuer.md)
 * Creating cluster wide issuers
 * [Issuing an ACME certificate using HTTP validation](user-guides/acme-http-validation.md)
-* Issuing an ACME certificate using DNS validation
+* [Issuing an ACME certificate using DNS validation](user-guides/acme-dns-validation.md)

 ## Developer docs

--- a/docs/examples/acme-issuer.yaml
+++ b/docs/examples/acme-issuer.yaml
@ -28,7 +28,7 @@ spec:
      - name: cf-dns
        cloudflare:
          email: user@example.com
-          # A secretKeyRef to a the google cloud json service account
+          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
--- a/docs/user-guides/README.md
+++ b/docs/user-guides/README.md
@ -1,10 +1,8 @@
 # User guides

-This section of the documentation contains a list of use-case focused tutorials on using `cert-manager`
-
-# Tutorials
+This section of the documentation contains a list of use-case focused user guides on using `cert-manager`

 * [Creating a simple CA based issuer](ca-based-issuer.md)
 * Creating cluster wide issuers
 * [Issuing an ACME certificate using HTTP validation](acme-http-validation.md)
-* Issuing an ACME certificate using DNS validation
+* [Issuing an ACME certificate using DNS validation](acme-dns-validation.md)
--- a/docs/user-guides/acme-dns-validation.md
+++ b/docs/user-guides/acme-dns-validation.md
@ -1,8 +1,8 @@
 # Issuing an ACME certificate using DNS validation

-`cert-manager` can be used to obtain certificates from a CA using the [ACME][1] protocol. The ACME protocol supports various challenges which are used to prove ownership of a domain so that a valid certificate can be issued for that domain. One such challenge is `dns-01`. With the DNS challenge, you prove you own the DNS records of the domain by creating a TXT record with specific content.
+cert-manager can be used to obtain certificates from a CA using the [ACME][1] protocol. The ACME protocol supports various challenge mechanisms which are used to prove ownership of a domain so that a valid certificate can be issued for that domain. One such challenge mechanism is DNS-01. With a DNS-01 challenge, you prove ownership of a domain by proving you control its DNS records. This is done by creating a TXT record with specific content.

-The following `Issuer` defines the necessary information to enable DNS validation. You can read more about the `Issuer` resource [here][5].
+The following `Issuer` defines the necessary information to enable DNS validation. You can read more about the `Issuer` resource [here][2].

 ```yaml
 apiVersion: certmanager.k8s.io/v1alpha1
@ -19,13 +19,13 @@ spec:
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
-    # ACME dns-01 provider configurations
+    # ACME DNS-01 provider configurations
    dns01:
      # Here we define a list of DNS-01 providers that can solve DNS challenges
      providers:
      - name: prod-dns
        clouddns:
-          # A secretKeyRef to a the google cloud json service account
+          # A secretKeyRef to a google cloud json service account
          serviceAccountSecretRef:
            name: clouddns-service-account
            key: service-account.json
@ -34,17 +34,17 @@ spec:
      - name: cf-dns
        cloudflare:
          email: user@example.com
-          # A secretKeyRef to a the google cloud json service account
+          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
 ```

-We have specified the ACME server URL for Let's Encrypt's [staging environment][2]. The staging environment will not issue trusted certificates but is used to ensure that the verification process is working properly before moving to production. Let's Encrypt's production environment imposes much stricter [rate limits][3], so to reduce the chance of you hitting those limits it is highly recommended to start by using the staging environment. To move to production simply change the URL to `https://acme-v01.api.letsencrypt.org/directory`.
+We have specified the ACME server URL for Let's Encrypt's [staging environment][3]. The staging environment will not issue trusted certificates but is used to ensure that the verification process is working properly before moving to production. Let's Encrypt's production environment imposes much stricter [rate limits][4], so to reduce the chance of you hitting those limits it is highly recommended to start by using the staging environment. To move to production, simply create a new `Issuer` with the URL set to `https://acme-v01.api.letsencrypt.org/directory`.

-The first stage of ACME is for the client to register with the ACME server. This phase includes generating an asymmetric key pair which is then associated with the email address specified in the `Issuer`. Depending on the CA, this could be used to send expiry notices when your certificates are coming up for renewal. The generated private key is stored in a `Secret` called `letsencrypt-staging`.
+The first stage of the ACME protocol is for the client to register with the ACME server. This phase includes generating an asymmetric key pair which is then associated with the email address specified in the `Issuer`. Make sure to change this email address to a valid one that you own. It is commonly used to send expiry notices when your certificates are coming up for renewal. The generated private key is stored in a `Secret` called `letsencrypt-staging`.

-The `http01` field simply enables the HTTP challenge for this `Issuer`. No further configuration is necessary or possible.
+The `dns01` stanza contains a list of DNS-01 providers that can be used to solve DNS challenges. Our `Issuer` defines two providers. This gives us a choice of which one to use when obtaining certificates. More information about the DNS provider configuration, including a list of currently supported providers, can be found [here][5].

 Once we have created the above `Issuer` we can use it to obtain a certificate.

@ -52,44 +52,61 @@ Once we have created the above `Issuer` we can use it to obtain a certificate.
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Certificate
 metadata:
-  name: nginx-k8s-io
+  name: example-com
  namespace: default
 spec:
-  secretName: nginx-k8s-io-tls
+  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-staging
-  commonName: nginx.k8s.io
+  commonName: example.com
  dnsNames:
-  - nginx2.k8s.io
-  - nginx3.k8s.io
+  - www.example.com
  acme:
    config:
-    - http01:
-        ingressClass: nginx
+    - dns01:
+        provider: clouddns
      domains:
-      - nginx.k8s.io
-    - http01:
-        ingress: my-ingress
+      - example.com
+    - dns01:
+        provider: cloudflare
      domains:
-      - nginx2.k8s.io
-      - nginx3.k8s.io
+      - www.example.com
 ```

-The `Certificate` resource describes our desired certificate and the possible methods that can be used to obtain it. You can learn more about the `Certificate` resource [here][4]. If the certificate is obtained successfully the resulting key pair will be stored in a secret called `nginx-k8s-io-tls` in the same namespace as the `Certificate`. The certificate will have a common name of `nginx.k8s.io` and the [Subject Alternative Names][6] (SANs) will be `nginx.k8s.io`, `nginx2.k8s.io` and `nginx3.k8s.io`.
+The `Certificate` resource describes our desired certificate and the possible methods that can be used to obtain it. You can learn more about the `Certificate` resource [here][7]. If the certificate is obtained successfully, the resulting key pair will be stored in a secret called `example-com-tls` in the same namespace as the `Certificate`. The certificate will have a common name of `example.com` and the [Subject Alternative Names][6] (SANs) will be `example.com` and `www.example.com`.

-In our `Certficate` we have referenced the `letsencrypt-staging` `Issuer` above. The `Issuer` must be in the same namespace as the `Certficate`. If you want to reference a `ClusterIssuer`, which is a cluster-scoped version of an `Issuer`, you must add `kind: ClusterIssuer` to the `issuerRef` stanza.
+In our `Certficate` we have referenced the `letsencrypt-staging` `Issuer` above. The `Issuer` must be in the same namespace as the `Certficate`. If you want to reference a `ClusterIssuer`, which is a cluster-scoped version of an `Issuer`, you must add `kind: ClusterIssuer` to the `issuerRef` stanza. For more information on `ClusterIssuers`, read the [Creating cluster wide Issuers][8] user guide.

-The `acme` stanza defines the configuration for our ACME challenges. Here we have defined the configuration for our HTTP challenges which will be used to validate our domains. For each domain mentioned in an `http01` stanza, `cert-manager` will create a `Pod` that exposes an HTTP endpoint that satisfies the HTTP challenge. For each `http01` stanza, `cert-manager` will create an `Ingress` resource in the same namespace as the `Certificate` with the correct rules to route incoming challenge requests to the `Pods` corresponding to the domains in that stanza. You can control the name of the `Ingress` resource by setting the `ingress` field. If an `Ingress` resource with that name already exists, `cert-manager` will modify it with the correct rules. 
+The `acme` stanza defines the configuration for our ACME challenges. Here we have defined the configuration for our DNS challenges which will be used to verify domain ownership. For each domain mentioned in a `dns01` stanza, cert-manager will use the provider's credentials from the referenced `Issuer` to create a TXT record called `_acme-challenge`. This record will then be verified by the ACME server in order to issue the certificate. Once domain ownership has been verified, any cert-manager affected records will be cleaned up. Note that it is your responsibility to ensure the provider is authoritative for your domain. 

-You can also control the value of the `kubernetes.io/ingress.class` annotation by setting the `ingressClass` field. This will allow you to configure which ingress controller will actually act on these `Ingress` resources. Note that it is your responsibilty to point each domain name at the correct IP address.
+After creating the above `Certificate`, we can check whether it has been obtained successfully using `kubectl describe`:

-Once our certificate has been obtained, `cert-manager` will keep checking its validity and attempt to renew it if it gets close to expiry. `cert-manager` considers certificates to be close to expiry when the 'Not After' field on the certificate is less than the current time plus 30 days.
+```
+$ kubectl describe certificate example-com
+Events:
+  Type     Reason                 Age              From                     Message
+  ----     ------                 ----             ----                     -------
+  Warning  ErrorCheckCertificate  33s              cert-manager-controller  Error checking existing TLS certificate: secret "example-com-tls" not found
+  Normal   PrepareCertificate     33s              cert-manager-controller  Preparing certificate with issuer
+  Normal   PresentChallenge       33s              cert-manager-controller  Presenting dns-01 challenge for domain example.com
+  Normal   PresentChallenge       33s              cert-manager-controller  Presenting dns-01 challenge for domain www.example.com
+  Normal   SelfCheck              32s              cert-manager-controller  Performing self-check for domain example.com
+  Normal   SelfCheck              32s              cert-manager-controller  Performing self-check for domain www.example.com
+  Normal   ObtainAuthorization    6s               cert-manager-controller  Obtained authorization for domain example.com
+  Normal   ObtainAuthorization    6s               cert-manager-controller  Obtained authorization for domain www.example.com
+  Normal   IssueCertificate       6s               cert-manager-controller  Issuing certificate...
+  Normal   CeritifcateIssued      5s               cert-manager-controller  Certificated issued successfully
+```

-Once we delete our `Certificate` resource, any `cert-manager` affected resources will be cleaned up or deleted.
+You can also check whether issuance was successful with `kubectl get secret example-com-tls -o yaml`. You should see a base64 encoded signed TLS key pair.
+
+Once our certificate has been obtained, cert-manager will periodically check its validity and attempt to renew it if it gets close to expiry. cert-manager considers certificates to be close to expiry when the 'Not After' field on the certificate is less than the current time plus 30 days.

  [1]: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
-  [2]: https://letsencrypt.org/docs/staging-environment/
-  [3]: https://letsencrypt.org/docs/rate-limits/
-  [4]: ../api-types/certificate/
-  [5]: ../api-types/issuer/
-  [6]: https://en.wikipedia.org/wiki/Subject_Alternative_Name
+  [2]: ../api-types/issuer/
+  [3]: https://letsencrypt.org/docs/staging-environment/
+  [4]: https://letsencrypt.org/docs/rate-limits/
+  [5]: ../api-types/issuer/spec.md#user-content-acme-issuer-dns-provider-configuration
+  [6]: https://en.wikipedia.org/wiki/Subject_Alternative_Name
+  [7]: ../api-types/certificate/
+  [8]: cluster-issuers.md