在研究 cert-manager 使用 webhook 方式调用 dnspod 使用 DNS-01 方式签发 SSL 证书遇到问题，一直得到错误：

I0306 03:48:38.870605       1 controller.go:144] "syncing item" logger="cert-manager.controller"
I0306 03:48:38.870714       1 dns.go:118] "checking DNS propagation" logger="cert-manager.controller.Check" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="
v1" dnsName="test1.tsh1.frytea.com" type="DNS-01" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="test1.tsh1.frytea.com" nameservers=["223.5.5.5:53","8.8.8.8:53"]
I0306 03:48:38.879628       1 wait.go:94] "Updating FQDN" logger="cert-manager.controller" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="test
1.tsh1.frytea.com" type="DNS-01" fqdn="_acme-challenge.test1.tsh1.frytea.com." cname="tsh1.frytea.com."
I0306 03:48:38.897174       1 wait.go:145] "Looking up TXT records" logger="cert-manager.controller" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dns
Name="test1.tsh1.frytea.com" type="DNS-01" fqdn="tsh1.frytea.com."
E0306 03:48:38.897227       1 sync.go:208] "propagation check failed" err="DNS record for \"test1.tsh1.frytea.com\" not yet propagated" logger="cert-manager.controller" resource_name="test1-tsh1-frytea-com-1-3300738485-2689263791" resource_nam
espace="default" resource_kind="Challenge" resource_version="v1" dnsName="test1.tsh1.frytea.com" type="DNS-01"I0306 03:48:38.897688       1 controller.go:164] "finished processing work item" logger="cert-manager.controller"

我使用了以下资源：

• https://github.com/cert-manager/cert-manager
• https://github.com/cert-manager/webhook-example
• https://github.com/imroc/cert-manager-webhook-dnspod

在相关仓库找到这些 issue

• 能否支持 cnameStrategy=None的配置 #9
• Why cert-manager looks for a CNAME record instead of a TXT record? #74

发现，只要申请证书的域名能够匹配到 CNAME 记录，就会默认跟随，找不到正确的 TXT 记录，导致认证失败。
虽然 cert-manager 提供了这个参数 cnameStrategy: None ，能够在声明 ISSUE 时使用，但是似乎大部分实现的 webhook 都没有实现这个特性：

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: dnspod
spec:
  acme:
    email: xxxx # 在证书过期的时候，会发邮件通知
    preferredChain: ""
    privateKeySecretRef:
      name: example-com-letsencrypt-dev-key # 用于存储ACME帐户私钥的密钥名称
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    #server: https://acme-v02.api.letsencrypt.org/directory # 生产
    solvers:
      - dns01:
          cnameStrategy: None
          webhook:
            config:
              secretId: xxxxxx
              secretKeyRef:
                key: secret-key
                name: dnspod-secret
              ttl: 600
            groupName: acme.imroc.cc
            solverName: dnspod

目前临时的解决办法，只能是 避免 cert-manager 托管域名能够解析到 CNAME 记录，等有空了研究一下 cert-manager 和 webhook 的实现方法，看能否解决这个问题。

References

• cert-manager - NipGeihou's blog
• DNS01 - cert-manager
• DNS Providers - cert-manager
• Webhook - cert-manager
• ACME - cert-manager