

@ljluestc

Currently, when users attempt to obtain wildcard certificates using HAProxy Ingress ACME support, the process fails with a cryptic error message: "Order's status ("pending") is not acceptable for finalization". This occurs because HAProxy Ingress only supports HTTP-01 challenges, but wildcard certificates require DNS-01 challenges. Users are left confused about why their certificates aren't being issued and how to resolve the issue.

Solution

Implement proactive detection and user-friendly warnings when DNS-01 challenges are required for wildcard domains. Instead of failing silently with unclear errors, provide clear guidance on what needs to be done.

Changes Made

1. Wildcard Domain Detection

  • Added hasWildcardDomain() utility function to identify wildcard certificates
  • Handles edge cases like *.example.com, mixed domain lists, and invalid patterns

2. Challenge Analysis & Warnings

  • Modified authorize() method to analyze available ACME challenges
  • Detects when DNS-01 challenges are required for wildcard domains
  • Provides specific error messages based on challenge availability:
    • Wildcard domains: Clear DNS-01 requirement explanation with TXT record setup instructions
    • HTTP-01 unavailable: Guidance for ensuring domain accessibility
    • No supported challenges: Fallback error for unsupported challenge types

3. Error Messages

// Wildcard domain requiring DNS-01
"acme: DNS-01 challenge required for wildcard domain *.example.com, but haproxy-ingress only supports HTTP-01 challenges. Please configure your DNS provider to add a TXT record '_acme-challenge.*.example.com' with the value provided by your ACME client, or use a non-wildcard domain"

// HTTP-01 not available
"acme: HTTP-01 challenge not available for domain example.com, only DNS-01 challenge is supported by the ACME server. haproxy-ingress only supports HTTP-01 challenges. Please ensure your domain is accessible via HTTP for ACME challenges"

// No supported challenges
"acme: no supported challenge type available for domain example.com. haproxy-ingress supports HTTP-01 challenges only"

4. Testing Infrastructure

  • Created comprehensive test suite with 15+ test cases
  • Added ACMEClient interface for proper mocking
  • Tests cover wildcard detection, challenge analysis, error messaging, and integration scenarios
  • Validates exact error message content for user guidance accuracy

Files Changed

  • pkg/acme/client.go - Core implementation with challenge detection and warnings
  • pkg/acme/client_test.go - Comprehensive test suite for all functionality
  • pkg/acme/signer_test.go - Integration tests for signer-level error handling
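
The following is an added example that is not part of this pull request or of haproxy-ingress; it shows, as a self-contained Go program, the kind of wildcard detection and challenge selection the description outlines. The function names (isWildcard, hasWildcardDomain, txtRecordName, selectChallenge) and the error wording are assumptions made for this example, not the project's API. Rather than treating every wildcard as an error, it first takes any offered challenge the client can answer and only then explains what is missing, so the same routine covers the three cases listed above. One detail worth checking against any message you ship: RFC 8555 section 7.1.4 strips the "*." label from a wildcard identifier before validation, so the dns-01 TXT record for *.example.com lives at _acme-challenge.example.com, and the example derives the name that way.

```go
package main

import (
	"fmt"
	"strings"
)

// Challenge type identifiers as named in RFC 8555 section 8.
const (
	challengeHTTP01 = "http-01"
	challengeDNS01  = "dns-01"
)

// Assumption for this example: the client can answer http-01 only, which
// matches what the PR description says about haproxy-ingress.
var supportedChallenges = map[string]bool{challengeHTTP01: true}

// isWildcard reports whether d is a well-formed single-label wildcard such as
// "*.example.com". A "*" anywhere else ("foo.*.example.com", "**.example.com",
// "*.") is not a valid ACME identifier and is reported as an error so that it
// is not silently treated as a plain hostname.
func isWildcard(d string) (bool, error) {
	if !strings.Contains(d, "*") {
		return false, nil
	}
	base := strings.TrimPrefix(d, "*.")
	if base == d || base == "" || strings.Contains(base, "*") {
		return false, fmt.Errorf("acme: invalid wildcard domain %q", d)
	}
	return true, nil
}

// hasWildcardDomain reports whether any name in an order is a wildcard and
// therefore cannot be validated with http-01.
func hasWildcardDomain(domains []string) (bool, error) {
	for _, d := range domains {
		wild, err := isWildcard(d)
		if err != nil {
			return false, err
		}
		if wild {
			return true, nil
		}
	}
	return false, nil
}

// txtRecordName returns the owner name of the dns-01 TXT record. RFC 8555
// section 7.1.4 removes the "*." prefix from the identifier, so the record for
// "*.example.com" is "_acme-challenge.example.com", not "_acme-challenge.*.example.com".
func txtRecordName(d string) string {
	return "_acme-challenge." + strings.TrimPrefix(d, "*.")
}

// selectChallenge chooses a challenge type from those the ACME server offered
// in one authorization. If none is usable it returns an error that says what
// the operator has to do, instead of letting finalization fail later with
// "Order's status ("pending") is not acceptable for finalization".
func selectChallenge(domain string, offered []string) (string, error) {
	wild, err := isWildcard(domain)
	if err != nil {
		return "", err
	}
	has := make(map[string]bool, len(offered))
	for _, t := range offered {
		has[t] = true
		if supportedChallenges[t] {
			return t, nil // something we can actually answer; use it
		}
	}
	switch {
	case wild:
		return "", fmt.Errorf("acme: wildcard domain %s requires the dns-01 challenge, which this client does not support; "+
			"publish the TXT record at %s through your DNS provider or request a non-wildcard name", domain, txtRecordName(domain))
	case has[challengeDNS01]:
		return "", fmt.Errorf("acme: server offered only dns-01 for %s; this client supports http-01 only, "+
			"so %s must be reachable over HTTP on port 80 at this ingress", domain, domain)
	default:
		return "", fmt.Errorf("acme: no supported challenge type for %s (offered: %s; supported: http-01)",
			domain, strings.Join(offered, ", "))
	}
}

func main() {
	// Constructed sample authorizations, not real ACME responses.
	cases := []struct {
		domain  string
		offered []string
	}{
		{"example.com", []string{challengeDNS01, challengeHTTP01}},
		{"*.example.com", []string{challengeDNS01}},
		{"example.com", []string{challengeDNS01}},
		{"example.com", []string{"tls-alpn-01"}},
	}
	for _, c := range cases {
		t, err := selectChallenge(c.domain, c.offered)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: using %s\n", c.domain, t)
	}
}
```

Running the program walks the four constructed authorizations: the first picks http-01, and the other three produce the wildcard, HTTP-01-unavailable and no-supported-challenge messages respectively.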

