
alidns-webhook

cert-manager ACME DNS01 webhook solver for Alibaba Cloud DNS (alidns).

Install

Install cert manager

See the cert-manager installation documentation: https://cert-manager.io/docs/installation/kubernetes/

Install webhook (Cert manager v0.11 and above)

  1. Install alidns-webhook
# Install alidns-webhook into the cert-manager namespace.
kubectl apply -f https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
  2. Create a Secret containing the alidns credentials
apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
data:
  # Values under data must be base64-encoded (echo -n 'YOUR_ACCESS_KEY' | base64);
  # to paste plain values instead, put them under stringData.
  access-key: YOUR_ACCESS_KEY
  secret-key: YOUR_SECRET_KEY
  3. Example Issuer
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Change to your letsencrypt email
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - dns01:
        webhook:
          # Must match the API group registered by the webhook's APIService
          # (bundle.yaml creates v1alpha1.acme.yourcompany.com).
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
  4. Issue a certificate
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

Install webhook (Cert manager prior to v0.11)

  1. Install alidns-webhook
# Install alidns-webhook into the cert-manager namespace.
kubectl apply -f https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/legacy.yaml
  2. Create a Secret containing the alidns credentials
apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
data:
  # Values under data must be base64-encoded (echo -n 'YOUR_ACCESS_KEY' | base64);
  # to paste plain values instead, put them under stringData.
  access-key: YOUR_ACCESS_KEY
  secret-key: YOUR_SECRET_KEY
  3. Example Issuer
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Change to your letsencrypt email
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - dns01:
        webhook:
          # Must match the API group registered by the webhook's APIService in legacy.yaml.
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
  4. Issue a certificate
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
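Both install procedures above pair a Secret with a ClusterIssuer whose webhook solver points back at it, and most of the failures reported in the issues below come from that pairing: placeholder values under `data` that are not base64, a `groupName` that differs from the group the bundle's APIService registers (so the cert-manager ServiceAccount is forbidden to POST the challenge), or a referenced key that does not exist. The following pre-flight check is an added example written for this page; it is not part of alidns-webhook or its README. It handles manifests as the dicts `json.load` or `kubectl get -o json` would return, takes the group `acme.yourcompany.com` and the namespace `cert-manager` from bundle.yaml as shown above, and the sample manifests inside it are constructed to mirror the README's.

```python
"""Pre-flight consistency checks for an alidns-webhook Secret / ClusterIssuer pair.
Manifests are dicts as returned by `json.load` or `kubectl get -o json`; the
sample manifests are constructed for this example (not the project's code).
"""
import base64

# Group the bundle's APIService registers (v1alpha1.acme.yourcompany.com). The
# Issuer's groupName must match it: cert-manager POSTs the challenge to that
# group, and the bundle's ClusterRole only grants access to that group.
WEBHOOK_GROUP = "acme.yourcompany.com"
WEBHOOK_NAMESPACE = "cert-manager"  # namespace bundle.yaml deploys the webhook into


def make_secret(access_key, secret_key, name="alidns-secret"):
    """Build a Secret whose `data` values are base64-encoded, as the API requires."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": WEBHOOK_NAMESPACE},
        "data": {"access-key": enc(access_key), "secret-key": enc(secret_key)},
    }


def make_issuer(group_name=WEBHOOK_GROUP, secret_name="alidns-secret"):
    """Build the README's ClusterIssuer with the alidns webhook solver."""
    ref = lambda key: {"name": secret_name, "key": key}
    webhook = {"groupName": group_name, "solverName": "alidns",
               "config": {"region": "", "accessKeySecretRef": ref("access-key"),
                          "secretKeySecretRef": ref("secret-key")}}
    return {"apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
            "metadata": {"name": "letsencrypt-staging"},
            "spec": {"acme": {"solvers": [{"dns01": {"webhook": webhook}}]}}}


def decode_secret_value(secret, key):
    """Plaintext for `key`; KeyError if absent, ValueError if `data` is not base64.

    `stringData` holds plaintext; `data` must be base64, which is what the API
    server rejects with "illegal base64 data" when a raw key is pasted in.
    """
    string_data = secret.get("stringData") or {}
    if key in string_data:
        return string_data[key]
    encoded = (secret.get("data") or {})[key]
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return base64.b64decode(encoded, validate=True).decode()
    except ValueError as exc:
        raise ValueError(f"data[{key!r}] is not valid base64 ({exc}); encode it with "
                         "`echo -n VALUE | base64` or use stringData") from None


def check_issuer(issuer, secrets, webhook_group=WEBHOOK_GROUP):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    by_name = {s["metadata"]["name"]: s for s in secrets}
    for solver in issuer["spec"]["acme"].get("solvers", []):
        webhook = solver.get("dns01", {}).get("webhook")
        if webhook is None:
            continue
        if webhook.get("solverName") != "alidns":
            findings.append(f"solverName {webhook.get('solverName')!r} is not 'alidns'")
        if webhook.get("groupName") != webhook_group:
            findings.append(f"groupName {webhook.get('groupName')!r} does not match "
                            f"the webhook APIService group {webhook_group!r}")
        config = webhook.get("config") or {}
        for ref_name in ("accessKeySecretRef", "secretKeySecretRef"):
            ref = config.get(ref_name)
            if not ref:
                findings.append(f"{ref_name} is missing")
                continue
            secret = by_name.get(ref.get("name"))
            if secret is None:
                findings.append(f"{ref_name}: Secret {ref.get('name')!r} not found")
                continue
            if secret["metadata"].get("namespace") != WEBHOOK_NAMESPACE:
                findings.append(f"{ref_name}: Secret must be in namespace "
                                f"{WEBHOOK_NAMESPACE!r}, where the webhook looks it up")
            try:
                value = decode_secret_value(secret, ref.get("key"))
            except KeyError:
                findings.append(f"{ref_name}: key {ref.get('key')!r} not in Secret")
                continue
            except ValueError as exc:
                findings.append(f"{ref_name}: {exc}")
                continue
            if not value.strip():
                findings.append(f"{ref_name}: key {ref['key']!r} is empty")
    return findings


# Constructed sample: the README's Secret as written (placeholders not base64-encoded).
README_SECRET = {"apiVersion": "v1", "kind": "Secret",
                 "metadata": {"name": "alidns-secret", "namespace": WEBHOOK_NAMESPACE},
                 "data": {"access-key": "YOUR_ACCESS_KEY", "secret-key": "YOUR_SECRET_KEY"}}

if __name__ == "__main__":
    print(check_issuer(make_issuer(), [README_SECRET]))  # two base64 findings
    print(check_issuer(make_issuer(), [make_secret("LTAI-example", "s3cret")]))  # []
```

Run it before `kubectl apply`; a non-empty list names the reference that will fail at apply time (base64) or at challenge time (group mismatch, missing key), which is cheaper than reading cert-manager's re-queue errors afterwards.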

Development

Running the test suite

  1. Edit testdata/alidns/alidns-secret.yaml and testdata/alidns/config.json.

  2. Run test suites:

$ ./scripts/fetch-test-binaries.sh
$ TEST_ZONE_NAME=example.com go test .

Contributors: pragkent, qinhang3, xzzpig

Issues

Installing alidns-webhook fails

k8s version: v1.16.9-aliyun.1
cert-manager version: 1.1
When I run "kubectl apply -f https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml"
some errors happen, like:

serviceaccount/alidns-webhook created
role.rbac.authorization.k8s.io/alidns-webhook created
rolebinding.rbac.authorization.k8s.io/alidns-webhook created
rolebinding.rbac.authorization.k8s.io/alidns-webhook:webhook-authentication-reader created
clusterrolebinding.rbac.authorization.k8s.io/alidns-webhook:auth-delegator created
clusterrole.rbac.authorization.k8s.io/alidns-webhook:domain-solver created
clusterrolebinding.rbac.authorization.k8s.io/alidns-webhook:domain-solver created
service/alidns-webhook created
deployment.apps/alidns-webhook created
apiservice.apiregistration.k8s.io/v1alpha1.acme.yourcompany.com created
unable to recognize "bundle.yaml": no matches for kind "Issuer" in version "cert-manager.io/v1"
unable to recognize "bundle.yaml": no matches for kind "Certificate" in version "cert-manager.io/v1"
unable to recognize "bundle.yaml": no matches for kind "Issuer" in version "cert-manager.io/v1"
unable to recognize "bundle.yaml": no matches for kind "Certificate" in version "cert-manager.io/v1"

Is this a bug or feature?

cannot create resource alidns

Unable to automatically issue a certificate, cert-manager logs:

I0609 05:41:29.444021 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="test.hdcs.com" "domain"="test.hdcs.com" "resource_kind"="Challenge" "resource_name"="test.hdcs.com-tls-v4dmx-3061542701-758553851" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"
E0609 05:41:29.445429 1 controller.go:158] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="alidns.cert-manager.webhook.alidns is forbidden: User \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"alidns\" in API group \"cert-manager.webhook.alidns\" at the cluster scope" "key"="default/test.hdcs.com-tls-v4dmx-3061542701-758553851"

Install alidns-webhook failed, no endpoints available for service "cert-manager-webhook"

Tencent, EKS

1. First, I installed cert-manager:

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml

customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
namespace/cert-manager created
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created

2. Then I tried to install the alidns webhook, and it failed:

kubectl apply -f https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml

serviceaccount/alidns-webhook created
role.rbac.authorization.k8s.io/alidns-webhook created
rolebinding.rbac.authorization.k8s.io/alidns-webhook created
rolebinding.rbac.authorization.k8s.io/alidns-webhook:webhook-authentication-reader created
clusterrolebinding.rbac.authorization.k8s.io/alidns-webhook:auth-delegator created
clusterrole.rbac.authorization.k8s.io/alidns-webhook:domain-solver created
clusterrolebinding.rbac.authorization.k8s.io/alidns-webhook:domain-solver created
service/alidns-webhook created
deployment.apps/alidns-webhook created
apiservice.apiregistration.k8s.io/v1alpha1.acme.yourcompany.com created
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yam": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s: no endpoints available for service "cert-manager-webhook"
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yam": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s: no endpoints available for service "cert-manager-webhook"
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yam": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s: no endpoints available for service "cert-manager-webhook"
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yam": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s: no endpoints available for service "cert-manager-webhook"

APIService v1alpha1.acme.xxx.com FailedDiscoveryCheck

Created the APIService resource v1alpha1.acme.xxx.com

status:
  conditions:
  - lastTransitionTime: "2020-08-07T03:20:36Z"
    message: 'failing or missing response from https://10.11.165.126:443/apis/acme.xxx.com/v1alpha1:
      bad status from https://10.11.165.126:443/apis/acme.xxx.com/v1alpha1:
      403'
    reason: FailedDiscoveryCheck
    status: "False"
    type: Available

When I enter the alidns container and call it with the authentication info attached, there is no problem:

/ # CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
/ # curl --cacert $CA_CERT -H "Authorization: Bearer $TOKEN" https://10.11.165.126:443/apis/acme.xxx.com/v1alpha1 -k
{
  "kind": "APIResourceList",
  "apiVersion": "v1",
  "groupVersion": "acme.xxx.com/v1alpha1",
  "resources": [
    {
      "name": "alidns",
      "singularName": "",
      "namespaced": false,
      "group": "acme.webhook.certmanager.k8s.io",
      "version": "v1alpha1",
      "kind": "ChallengePayload",
      "verbs": [
        "create"
      ]
    }
  ]
}

Accessing it directly shows that the application itself does not attach the serviceaccount's authentication info:

curl https://10.11.165.126:443/apis/acme.xxx.com/v1alpha1 -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/apis/acme.xxx.com/v1alpha1\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}

Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:07:57Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

Doesn't work with `K3S v1.22.2+k3s1` + `cert-manager v1.5.3`

It cannot start, but it works well on a lower version of k3s with the same config.

I1001 14:27:35.491252       1 secure_serving.go:116] Serving securely on [::]:443
E1001 14:27:35.517467       1 webhook.go:196] Failed to make webhook authorizer request: the server could not find the requested resource
E1001 14:27:35.517767       1 errors.go:77] the server could not find the requested resource
E1001 14:27:36.145336       1 webhook.go:196] Failed to make webhook authorizer request: the server could not find the requested resource
E1001 14:27:36.145415       1 errors.go:77] the server could not find the requested resource
Events:
  Type     Reason     Age                   From               Message
  ----     ------     ----                  ----               -------
  Normal   Scheduled  26m                   default-scheduler  Successfully assigned cert-manager/alidns-webhook-9b94b9494-bf74d to tower
  Normal   Pulled     25m (x2 over 26m)     kubelet            Container image "pragkent/alidns-webhook:0.1.0" already present on machine
  Normal   Created    25m (x2 over 26m)     kubelet            Created container alidns-webhook
  Normal   Started    25m (x2 over 26m)     kubelet            Started container alidns-webhook
  Warning  Unhealthy  25m (x6 over 26m)     kubelet            Liveness probe failed: HTTP probe failed with statuscode: 500
  Normal   Killing    25m (x2 over 25m)     kubelet            Container alidns-webhook failed liveness probe, will be restarted
  Warning  BackOff    6m27s (x72 over 23m)  kubelet            Back-off restarting failed container
  Warning  Unhealthy  79s (x75 over 26m)    kubelet            Readiness probe failed: HTTP probe failed with statuscode: 500

alidns SDK ErrorCode: InvalidAccessKeyId.NotFound

Hello, I have a question to ask you.
Error:

E0323 17:49:13.715484       1 solver.go:56] Get hosted zone test.cn. error: SDK.ServerError
ErrorCode: InvalidAccessKeyId.NotFound
Recommend: https://error-center.aliyun.com/status/search?Keyword=InvalidAccessKeyId.NotFound&source=PopGw
RequestId: ****
Message: Specified access key is not found.
I0323 17:49:13.776598       1 solver.go:47] Presenting txt record: _acme-challenge.cert-manager.test.cn. test.cn.
I0323 17:49:13.776669       1 solver.go:76] Decoded config: { {{alidns-secret} access-key} {{alidns-secret} secret-key}}

But I have confirmed that my AK key pair is valid and can be used with acme.

Cluster:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Change to your letsencrypt email
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key

Ca:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  commonName: cert-manager.test.cn
  dnsNames:
  - cert-manager.test.cn
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

Is something wrong with the self-signed certificate?

After creating bundle.yaml there is a problem with the apiservice

Checking the pod logs:

E0518 02:23:06.266875 1 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z, verifying certificate SN=4031439202884110863, SKID=, AKID= failed: x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z]"
E0518 02:23:06.266887 1 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z, verifying certificate SN=4031439202884110863, SKID=, AKID= failed: x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z]"
E0518 02:23:06.266874 1 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z, verifying certificate SN=4031439202884110863, SKID=, AKID= failed: x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z]"
E0518 02:23:06.266962 1 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z, verifying certificate SN=4031439202884110863, SKID=, AKID= failed: x509: certificate has expired or is not yet valid: current time 2022-05-18T02:23:06Z is after 2022-05-14T07:07:34Z]"

Is this a problem with the webhook application issuing a certificate to itself?

Doesn't work under cert-manager 0.11

I'm working on this problem but have no clue; if you have time to take a look and solve it, please let me know, thanks!
It keeps reporting errors:

I1112 09:25:34.943557       1 secure_serving.go:116] Serving securely on [::]:443
I1112 09:25:36.171175       1 log.go:172] http: TLS handshake error from 192.168.100.187:54500: remote error: tls: bad certificate
I1112 09:25:36.172716       1 log.go:172] http: TLS handshake error from 192.168.100.188:36050: remote error: tls: bad certificate

Failed to watch *v1beta1.FlowSchema: failed to list

Could you advise how to resolve this error?

E0415 06:30:15.572309 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0415 06:30:33.198798 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource

k8s:v1.26.4
cert-manager:1.11.1

Error when using alidns

First, my cert-manager version is v1.3.1.
The log is shown below:

kubectl describe certificate public-tls --namespace=harbor
Name:         public-tls
Namespace:    harbor
Labels:       <none>
Annotations:  API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2021-05-11T07:27:18Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1alpha2
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:commonName:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl
    Operation:    Update
    Time:         2021-05-11T07:27:17Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
        f:nextPrivateKeySecretName:
    Manager:         controller
    Operation:       Update
    Time:            2021-05-11T07:27:18Z
  Resource Version:  1153723585
  Self Link:         /apis/cert-manager.io/v1/namespaces/harbor/certificates/public-tls
  UID:               4421c82a-4796-4c6c-9578-31eddf2756d5
Spec:
  Common Name:  baidu.com
  Dns Names:
    baidu.com
    *.baidu.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-http01
  Secret Name:  public-server-tls
Status:
  Conditions:
    Last Transition Time:        2021-05-11T07:27:18Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2021-05-11T07:27:18Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  public-tls-hdk87
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    70s   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  70s   cert-manager  Stored new private key in temporary Secret resource "public-tls-hdk87"
  Normal  Requested  70s   cert-manager  Created new CertificateRequest resource "public-tls-pfbvn"

My Certificate.yml is below:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: public-tls
  namespace: harbor
spec:
  secretName: public-server-tls
  commonName: baidu.com
  issuerRef:
    name: letsencrypt-http01
    kind: ClusterIssuer
  dnsNames:
  - baidu.com
  - "*.baidu.com"

It appears that only single-domain certs are supported

cert:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: icebergu-tls
spec:
  secretName: icebergu-com-tls
  commonName: icebergu.com
  dnsNames:
  - icebergu.com
  uris:
  - "www.icebergu.com"
  - "blog.icebergu.com"
  issuerRef:
    group: cert-manager.io
    name: letsencrypt-staging
    kind: ClusterIssuer

csr:

        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:icebergu.com, URI:www.icebergu.com, URI:blog.icebergu.com

cert:

            X509v3 Subject Alternative Name: 
                DNS:icebergu.com
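The CSR and certificate printed above show what happened: names listed under `uris` are requested as URI SANs, not DNS SANs, and a bare hostname is not a valid URI, so only the `dnsNames` entry ended up in the issued certificate. The following lint is an added example written for this page, not code from the issue or from alidns-webhook; it reconstructs the manifest above as the dict `kubectl get certificate -o json` would return (constructed here) and flags hostnames that were placed under `uris` instead of `dnsNames`.

```python
"""Lint SAN placement in a cert-manager Certificate spec (added example)."""
from urllib.parse import urlparse


def lint_certificate_sans(cert):
    """Return findings about names that will not become DNS SANs in the CSR."""
    findings = []
    spec = cert["spec"]
    dns_names = spec.get("dnsNames") or []
    # Entries under `uris` are requested as URI SANs. A bare hostname has no
    # scheme, so it is not a valid URI SAN and never matches a DNS lookup.
    for uri in spec.get("uris") or []:
        if not urlparse(uri).scheme:
            findings.append(f"uris entry {uri!r} is a hostname, not a URI; "
                            "move it to dnsNames to get a DNS SAN")
    cn = spec.get("commonName")
    if cn and cn not in dns_names:
        findings.append(f"commonName {cn!r} is not also listed in dnsNames")
    return findings


def dns_sans(cert):
    """The DNS SANs the CSR will carry: exactly spec.dnsNames, nothing from uris."""
    return list(cert["spec"].get("dnsNames") or [])


# Constructed sample mirroring the manifest from the issue above.
ISSUE_CERT = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "icebergu-tls"},
    "spec": {
        "secretName": "icebergu-com-tls",
        "commonName": "icebergu.com",
        "dnsNames": ["icebergu.com"],
        "uris": ["www.icebergu.com", "blog.icebergu.com"],
        "issuerRef": {"group": "cert-manager.io", "name": "letsencrypt-staging",
                      "kind": "ClusterIssuer"},
    },
}

# The same Certificate with every hostname under dnsNames, which is the fix.
FIXED_CERT = {**ISSUE_CERT, "spec": {**ISSUE_CERT["spec"], "uris": [],
              "dnsNames": ["icebergu.com", "www.icebergu.com", "blog.icebergu.com"]}}

if __name__ == "__main__":
    print(lint_certificate_sans(ISSUE_CERT))                    # two findings
    print(lint_certificate_sans(FIXED_CERT), dns_sans(FIXED_CERT))  # [] and three names
```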

unable to create alidns-secret

apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
data:
  access-key: LTAI4G6adCiyQacpG1******
  secret-key: 6nK5bwzcuYzEzRb279ibmCyI******

error:

Error from server (BadRequest): error when creating "alidns-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret.ObjectMeta: v1.ObjectMeta.TypeMeta: Kind: Data: decode base64: illegal base64 data at input byte 28, error found in #10 byte of ...|CyI1D6WPn"},"kind":"|..., bigger context ...|Vtt","secret-key":"6nK5bwzcuYzEzRb279ibmCyI******"},"kind":"Secret","metadata":{"annotations":{"kube|...

Error presenting challenge: the server is currently unable to handle the request

ClusterIssuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Change to your letsencrypt email
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: spoil-twinkle-rob-therein
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
kubectl describe challenges.acme.cert-manager.io

...
Status:
  Presented:   false
  Processing:  true
  Reason:      the server is currently unable to handle the request (post alidns.acme.yourcompany.com)
  State:       pending
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       10s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  5s (x3 over 10s)  cert-manager  Error presenting challenge: the server is currently unable to handle the request (post alidns.acme.yourcompany.com)
kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17+", GitVersion:"v1.17.4-gke.10", GitCommit:"302b55804ee4a09c6ad5be81a380a3f333f72fcf", GitTreeState:"clean", BuildDate:"2020-04-14T17:30:11Z", GoVersion:"go1.13.8b4", Compiler:"gc", Platform:"linux/amd64"}

cert-manager is v0.14.1.

How to set the groupName?

Install FailedMount

  Normal   Scheduled    103m                   default-scheduler  Successfully assigned cert-manager/alidns-webhook-5c5c7584f5-fgfg8 to 172.31.0.5
  Warning  FailedMount  12m (x7 over 66m)      kubelet            Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[alidns-webhook-token-shz9w certs]: timed out waiting for the condition
  Warning  FailedMount  7m20s (x55 over 103m)  kubelet            MountVolume.SetUp failed for volume "certs" : secret "alidns-webhook-webhook-tls" not found
  Warning  FailedMount  83s (x37 over 101m)    kubelet            Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[certs alidns-webhook-token-shz9w]: timed out waiting for the condition
