A simple webhook DNS solver for cert-manager using the CPanel UAPI for those of us stuck using their webhost's CPanel for DNS.
This is based off the example webhook.
- Install `cert-manager`. This was developed when running v1.8 but it should work reasonably across versions. This is assumed to be in the `cert-manager` namespace, if not you'll need to tweak the Helm values.
- Install this webhook. There's a Helm chart in `deploy/chart` (`helm install cpanel-webhook .`), or `kubectl apply -f https://raw.githubusercontent.com/jamesorlakin/cert-manager-cpanel-dns-webhook/master/deploy/v0.3.0.yaml` will install this in the `cert-manager` namespace.
- Create a secret containing your CPanel credentials.

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: some-cpanel-credentials
  namespace: cert-manager
stringData:
  username: my-cpanel-user
  password: my-cpanel-password
  # Or, instead of a password in v0.2.0+, create and use an API token from CPanel's Security section:
  apiToken: ABCDEF1234567890ABCDEFABCDEF1234567890
```

- Create an ACME issuer referencing the webhook, e.g.:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: user@example.com # Placeholder: your ACME account email
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          # The fun bit:
          webhook:
            groupName: jameslakin.co.uk # Must match the group name in the Helm chart (this is the default and shouldn't need changing to your own domain)
            solverName: cpanel-solver # Don't change
            config:
              cpanelUrl: https://cpanel.my-super-website.com # No trailing slash
              secretRef: cert-manager/some-cpanel-credentials # In the form namespace/secret-name
```

- ...issue certificates:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cpanel-cert
spec:
  secretName: example-cpanel-cert
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - '*.whatever.my-super-website.com'
```
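
A pre-flight check for the solver `config` and the credentials Secret from the steps above, as an added example that is not part of this project's code. `SolverConfig` and `CheckSolverConfig` are hypothetical names, and the https requirement is an assumption (the README only shows an https URL).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// SolverConfig (hypothetical type) holds the two keys shown under `config:` in the issuer.
type SolverConfig struct {
	CpanelURL string `json:"cpanelUrl"`
	SecretRef string `json:"secretRef"`
}

// CheckSolverConfig (hypothetical helper) lists every problem in the config JSON and Secret keys.
func CheckSolverConfig(rawConfig []byte, secretKeys map[string]string) []string {
	var problems []string
	var cfg SolverConfig
	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
		return []string{"config is not valid JSON: " + err.Error()}
	}
	u, err := url.Parse(cfg.CpanelURL)
	if err != nil || u.Host == "" {
		problems = append(problems, "cpanelUrl is not an absolute URL")
	} else if u.Scheme != "https" { // assumption: credentials should only travel over TLS
		problems = append(problems, "cpanelUrl should use https")
	}
	if strings.HasSuffix(cfg.CpanelURL, "/") { // README: "No trailing slash"
		problems = append(problems, "cpanelUrl must not end with a slash")
	}
	parts := strings.Split(cfg.SecretRef, "/") // README: namespace/secret-name
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		problems = append(problems, "secretRef must be namespace/secret-name")
	}
	if secretKeys["username"] == "" {
		problems = append(problems, "secret is missing username")
	}
	if secretKeys["password"] == "" && secretKeys["apiToken"] == "" {
		problems = append(problems, "secret needs a password or an apiToken")
	}
	return problems
}

func main() { // constructed sample input built from this page's placeholder values
	cfg := []byte(`{"cpanelUrl":"https://cpanel.my-super-website.com/","secretRef":"some-cpanel-credentials"}`)
	for _, p := range CheckSolverConfig(cfg, map[string]string{"username": "my-cpanel-user"}) {
		fmt.Println("-", p)
	}
}
```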