Skip to main content

Changing the name servers used for ACME DNS01 challenges in cert-manager

Craig Neth
  • Updated

Overview

In some circumstances, you may need to change the list of DNS name servers used by the cert-manager component when it issues DNS01 challenges for ACME certs.  By default, cert-manager will use the recursive name servers specified in /etc/resolv.conf for these challenges, but this configuration may not always be desired.  cert-manager offers two flags that can be used to configure what DNS servers are used for these challenges: 
--dns01-recursive-nameservers
--dns01-recursive-nameservers-only

Solution

To configure these settings for cert-manager in a Konvoy 1.x installation, change your cluster.yaml as follows: 
kind: ClusterConfiguration
...
  addons: 
...
        - name: cert-manager
          enabled: true
          values: |
              cert-manager:
                extraArgs:
                - --dns01-recursive-nameservers-only
                - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
For more information on these cert-manager flags, consult the cert-manager documentation.