Docu Improvement: Please don't hesitate to specify this hint into the clusterissuer/cert-manager Setup Guides #22095
Comments
Thanks for the report, next time please keep things a little shorter, at least the title. That being said: The better solution would be for iX-Systems, who make the OS, to (better) clarify what these functions do. That's not really our job.
OK, thank you for the response. Still, I think that this is not a very obvious issue and it could be very frustrating. On the other side, this is not only related to TrueNAS, it can also happen without it, if there is a search entry in the resolv.conf. BR
It's not limited to the charts, it affects all software and all charts trying to reach out... Actually on every system possible, this is basically Linux-101.
Is your feature request related to a problem?
I was just not able to issue and sign a certificate, even though everything seemed to work as expected.
I have spent more than one day finding the issue and I almost gave up.
I was already filling in a new Bug Report because I was not able to see/find a relevant hint in the logs. While writing up everything I knew about the issue, I found a log entry that, after a search, led me to the issue and the solution to it.
At some point in the past I had specified an additional domain in 'Network->Edit Global Configuration->Additional Domains', not knowing what the consequences would be.
At first glance, this config seems to be innocent, but it is messing up the issuing of certificates by the cert-manager big time!
The ?-mark gives some hint about this, but here is the clear explanation: Additional Domains will land in /etc/resolv.conf as a search domain.
This leads to resolving domains like "https://acme-v02.api.letsencrypt.org/directory" to localhost (which is the websecure entrypoint of traefik) IF you have a wildcard entry for that domain, and thus the certificate validation by Let's Encrypt fails.
I found the relevant error in the cert-manager-controller logs and it looks like this:
The simple fix was:
Describe the solution you'd like
Please specify in bold letters in the relevant guides
https://truecharts.org/charts/premium/clusterissuer/how-to/
https://truecharts.org/charts/system/cert-manager/
That 'Network->Edit Global Configuration->Additional Domains' should remain empty! Or it should at least not point to the external public FQDN or to a domain name with a wildcard in place.
In other words, there should be no search entry for a public domain.tld in /etc/resolv.conf that also has a *.domain.tld in place, defined in Cloudflare, for instance.
Otherwise the SSL certificate issuance will not work and you will not know why until you dig deep into the relevant config.
Describe alternatives you've considered
The alternative would be frustrated users 😅, if it happens that they wrongly specified Additional search Domains.
Additional context
No response
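The mechanism described in this report, as an added example that is not code from the issue or from TrueCharts: a small Python model of the glibc resolver's search-list rule, run against a constructed resolv.conf and a constructed zone with a wildcard record. The domain example.com, the addresses and the ndots:5 setting (the usual Kubernetes pod default) are assumptions; the model returns the name that actually answered, which shows why the ACME endpoint lands on the wildcard record and why removing the search entry fixes it.

```python
import re

# Constructed pod resolv.conf after 'Additional Domains' = example.com (assumed
# domain) was set on the host; ndots:5 is the usual Kubernetes pod default.
RESOLV_CONF = """\
nameserver 10.43.0.10
search default.svc.cluster.local svc.cluster.local cluster.local example.com
options ndots:5
"""
RESOLV_CONF_FIXED = RESOLV_CONF.replace(" example.com", "")  # search entry removed

# Constructed zone: real ACME endpoint plus a wildcard for the public domain
# that points at the cluster's ingress (traefik websecure entrypoint).
ZONE = {"acme-v02.api.letsencrypt.org.": "203.0.113.10",
        "*.example.com.": "198.51.100.7"}

def parse_resolv_conf(text):
    """Return (search_list, ndots); glibc defaults: no search list, ndots:1."""
    search, ndots = [], 1
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "search":
            search = parts[1:]
        elif parts and parts[0] == "options":
            for m in (re.fullmatch(r"ndots:(\d+)", o) for o in parts[1:]):
                if m:
                    ndots = int(m.group(1))
    return search, ndots

def lookup(fqdn, zone):
    """Exact match first, then a wildcard *.parent matching any name below parent."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        if (cand := "*." + ".".join(labels[i:]) + ".") in zone:
            return zone[cand]
    return None

def resolve(name, resolv_text, zone):
    """glibc rule: fewer than ndots dots -> try the search list BEFORE the name as typed.
    Returns (fqdn that actually answered, address)."""
    search, ndots = parse_resolv_conf(resolv_text)
    as_is, with_search = [name + "."], [f"{name}.{d}." for d in search]
    order = as_is + with_search if name.count(".") >= ndots else with_search + as_is
    for fqdn in order:
        addr = lookup(fqdn, zone)
        if addr:
            return fqdn, addr
    return None, None
```

On a real system the quick check is to compare the `search` and `options ndots` lines of /etc/resolv.conf inside a pod with those on the host: with the host's default ndots:1 the absolute name is tried first, so the host resolves correctly while pods do not.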