Cloudflare DNS-01: Fixing the Gap Between Automation and Reality

DEV Community: kubernetes · Guatu · 3 days ago

My certificates were renewing, the logs said `CertificateIssued`, but my pods were still screaming about TLS handshake failures. It's the classic "everything looks green in the dashboard but the app is broken" scenario. I had a fully automated pipeline using cert-manager and Cloudflare DNS-01, yet my internal services were intermittently failing to validate the very certificates they were using.

If you've already set up the basic ClusterIssuer and think you're done, you've likely only hit the happy path. The real friction starts when you move from a single static IP to a dynamic environment or when you realize Kubernetes is lying to you about how it resolves DNS.

The DNS-01 Foundation

For those who haven't wrestled with this, DNS-01 is the only sane way to handle TLS in a homelab or private cloud. Unlike HTTP-01, which requires opening port 80 to the world and routing traffic to a specific challenge pod, DNS-01 proves ownership by dropping a TXT record into your DNS provider.…
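For reference, this is what the "basic ClusterIssuer" the post refers to looks like when wired to the Cloudflare DNS-01 solver. It is an added example, not configuration from the post or from the cert-manager project; the names `letsencrypt-prod`, `cloudflare-api-token`, `example.com`, `admin@example.com` and `internal-wildcard` are placeholders chosen here, and the token value is a placeholder too.

```yaml
# Added example: cert-manager ClusterIssuer using the Cloudflare DNS-01 solver.
# All names, the e-mail address and the token value are placeholders for this illustration.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager        # ClusterIssuer solvers read their secrets from cert-manager's namespace
type: Opaque
stringData:
  # Use a scoped Cloudflare API token (Zone:DNS:Edit on the target zone only),
  # not the account-wide Global API Key; the issuer then holds only the rights
  # it needs to create and delete _acme-challenge TXT records.
  api-token: "<CLOUDFLARE_API_TOKEN_PLACEHOLDER>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        # Restrict this solver to the zone the token may edit, so a Certificate
        # for an unrelated domain is not silently attempted with this credential.
        selector:
          dnsZones:
            - example.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-wildcard
  namespace: default
spec:
  secretName: internal-wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    # A wildcard is only obtainable through DNS-01, which is one reason the
    # post calls it the sane choice for internal services.
    - "*.internal.example.com"
    - internal.example.com
```

After applying this, `kubectl get challenges -A` shows the pending DNS-01 challenge, and `dig TXT _acme-challenge.internal.example.com` against a public resolver should return the token value cert-manager published before the ACME server validates it. The `CertificateIssued` event the post mentions only confirms that this exchange succeeded; it says nothing about whether the pods consuming `internal-wildcard-tls` can resolve and trust the names on the certificate, which is the gap the rest of the post is about.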
