DNS01 Challenge Provider

The ACME Issuer can also carry DNS provider configuration, which Certificates that reference this Issuer use to solve DNS01 challenges:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    dns01:
      providers:
      - name: prod-clouddns
        clouddns:
          serviceAccountSecretRef:
            name: prod-clouddns-svc-acct-secret
            key: service-account.json

Each Issuer can specify multiple DNS01 challenge providers, and it is also possible to configure several instances of the same DNS provider on a single Issuer (e.g. two clouddns accounts, each under its own name).

Supported DNS01 providers

A number of DNS providers are supported for the ACME issuer. Below is a listing of all of them, each with an example configuration block:

Google CloudDNS

clouddns:
  serviceAccountSecretRef:
    name: prod-clouddns-svc-acct-secret
    key: service-account.json

Amazon Route53

route53:
  region: eu-west-1

  # optional if ambient credentials are available; see ambient credentials documentation
  accessKeyID: AKIAIOSFODNN7EXAMPLE
  secretAccessKeySecretRef:
    name: prod-route53-credentials-secret
    key: secret-access-key

Cert-manager requires the following IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "arn:aws:route53:::hostedzone/*"
        }
    ]
}

The route53:ListHostedZonesByName statement can be removed if you specify the optional hosted zone ID (spec.acme.dns01.providers[].hostedZoneID) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace arn:aws:route53:::hostedzone/* with arn:aws:route53:::hostedzone/DIKER8JPL21PSA, for instance).
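The tightening described above can be made mechanical. The following added example (not part of cert-manager or this page) derives the minimal Route53 policy from a provider entry and reports which grants in an existing policy exceed it; the provider dict and the policy comparison helper are constructed for the example.

```python
import json

# The IAM policy as given on this page (wildcard hosted zone, zone lookup kept).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
         "Resource": "arn:aws:route53:::hostedzone/*"},
        {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
         "Resource": "arn:aws:route53:::hostedzone/*"},
    ],
}


def route53_policy(provider):
    """Least-privilege policy for one spec.acme.dns01.providers[].route53 entry (a dict).

    With hostedZoneID set, cert-manager does not need to look the zone up, so
    ListHostedZonesByName is dropped and the hostedzone resource is pinned to that zone.
    """
    zone_id = provider.get("hostedZoneID")
    zone_arn = "arn:aws:route53:::hostedzone/" + (zone_id or "*")
    statements = [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
         "Resource": zone_arn},
    ]
    if not zone_id:
        statements.append({"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
                           "Resource": zone_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _allow_pairs(policy):
    """Flatten Allow statements into (action, resource) pairs; both fields may be lists."""
    pairs = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        pairs.update((a, r) for a in actions for r in resources)
    return pairs


def excess_grants(policy, provider):
    """(action, resource) pairs in `policy` that this provider entry does not need."""
    return sorted(_allow_pairs(policy) - _allow_pairs(route53_policy(provider)))


if __name__ == "__main__":
    # Constructed provider entry using the page's example zone ID.
    provider = {"region": "eu-west-1", "hostedZoneID": "DIKER8JPL21PSA"}
    print(json.dumps(route53_policy(provider), indent=2))
    for action, resource in excess_grants(PAGE_POLICY, provider):
        print("over-broad grant:", action, resource)
```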

Cloudflare

cloudflare:
  email: my-cloudflare-acc@example.com
  apiKeySecretRef:
    name: cloudflare-api-key-secret
    key: api-key

Akamai FastDNS

akamai:
  serviceConsumerDomain: akab-tho6xie2aiteip8p-poith5aej0ughaba.luna.akamaiapis.net
  clientTokenSecretRef:
    name: akamai-dns
    key: clientToken
  clientSecretSecretRef:
    name: akamai-dns
    key: clientSecret
  accessTokenSecretRef:
    name: akamai-dns
    key: accessToken