cert-manager: Switch to acme-dns

Using the local name server as the authoritative server for ACME
challenge records turned out to be quite problematic.  For some reason,
both Google and Cloudflare kept returning SERVFAIL responses for the
*_acme-challenge* TXT queries.  I suspect this may have had something to
do with how BIND was configured to be the authoritative server for the
*o-ak4p9kqlmt5uuc.com* while also being a recusive resolver for clients
on the local network.

Using *acme-dns.io* resolves these issues, but it does bring a few of
its own.  Notably, each unique domain and subdomain must have its own
set of credentials (specified in the `acme-dns.json`) file.  This makes
adding new certificates rather cumbersome.

cert-manager/.gitignore

@@ -1,3 +1,4 @@
+acme-dns.json
 cert-exporter.pem
 cert-manager.key
 zerossl.secret

cert-manager/cluster-issuer.yaml

@@ -17,10 +17,8 @@ spec:
     solvers:
     - dns01:
         cnameStrategy: Follow
-        rfc2136:
+        acmeDNS:
-          nameserver: 172.30.0.1
+          host: https://auth.acme-dns.io/
-          tsigKeyName: cert-manager
+          accountSecretRef:
-          tsigAlgorithm: HMACSHA512
+            name: acme-dns
-          tsigSecretSecretRef:
+            key: acme-dns.json
-            name: cert-manager-tsig
-            key: cert-manager.key

cert-manager/kustomization.yaml

@@ -28,3 +28,10 @@ secretGenerator:
   - cert-exporter.pem
   options:
     disableNameSuffixHash: true
+
+- name: acme-dns
+  namespace: cert-manager
+  files:
+  - acme-dns.json
+  options:
+    disableNameSuffixHash: true