# general
a
r
Things I tried:
* external TLS option disables TLS termination in pod, but I want TLS termination with my own certificate
* letsencrypt option only creates an HTTP01 solver and assumes public ingress, no DNS01 solver which I'd need to obtain a 3rd party server cert without public ingress
* specifying existing TLS secret creates an unwanted Ingress resource with custom cert, not terminated in the pod
The most direct paths to my goal would be having a DNS01 solver in Rancher or customizing the Ingress so that I can use a private GatewayClass or similar.
c
I just brought this up with a colleague; we are looking at this, but with KubeCon we are all a bit pressed for time at the moment.
r
Maybe we can talk about it a little bit when we're there. ☺️
c
That would be a great place to bring this up; we are going to have an all-star cast at the booth.
r
@wide-receptionist-90874 Not rushed, but I will give them a try if you have any ideas for configuring the Rancher chart with a custom TLS secret.
w
Is your certificate signed by cert-manager trusted? Or are you using a private CA?
I haven't tried this myself, but you may be able to shim your desired certificate + CA into the corresponding `tls-rancher-internal-ca` and `tls-rancher-internal` secrets, i.e. pre-populate them. This will make the service for Rancher, i.e. `rancher.cattle-system.svc`, use your internal secret + CA.
Now, dynamic listener may try to update your `tls-rancher-internal`, so if you have a copy of your cert + key for your CA you can just give it to dynamic listener and it should populate.
r
I want to use a verifiable third party server certificate that I obtain via ACMEv2 with Cert Manager's DNS01 challenge solver. That avoids the need to expose my service to the web to obtain a certificate, since that would be the only reason to expose it at all.
Is dynamic listener part of Rancher?
w
Yes, the dynamic listener is a component (it's a TLS server) that listens for requests and dynamically updates/signs certificates that contain the requested hostname/IP in the cert SAN list.
r
Is that the same component that implements ACMEv2's HTTP01 challenge solver and can obtain a server certificate from LetsEncrypt for Rancher Manager?