I installed cert-manager v0.14.0 in Azure on a Kubernetes cluster running version 1.15.5.
It works well with automatic issuance and can obtain Let's Encrypt certificates for a valid DNS name: MY_DOMAIN, which points to the external IP address of the ingress controller.
I would also like to be able to use certbot, for example. I tried running certbot on the cluster like this:
kubectl run --generator=run-pod/v1 certbot-shell --rm -i --tty --image certbot/certbot:amd64-latest -- -d MY_DOMAIN --manual --preferred-challenges http certonly
but it failed:
Create a file containing just this data:
QAPu****-klNq1RBgY
And make it available on your web server at this URL:
http://MY_DOMAIN/.well-known/acme-challenge/QAPu****-klNq1RBgY
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain MY_DOMAIN
http-01 challenge for MY_DOMAIN
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: MY_DOMAIN
Type: unauthorized
Detail: Invalid response from
http://MY_DOMAIN/.well-known/acme-challenge/QAPuDTHa****1qlLLOg
[13.x.x.x]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
So somehow cert-manager automatically takes care of creating the file during the challenge and serving it at:
http://MY_DOMAIN/.well-known/acme-challenge/QAPu****-klNq1RBgY
But I am not sure how to do that when using certbot, or whether there is some other way to do it?
Based on the suggestion below, I tried installing kube-lego (0.1.2) instead (on an older 1.8 cluster), but it seems to fail:
level=error msg="Error while processing certificate requests: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details." context=kubelego
So I tried upgrading to:
https://acme-staging-v02.api.letsencrypt.org/directory
but then I got:
level=error msg="Error while processing certificate requests: Head : unsupported protocol scheme \"\"" context=kubelego
I found:
https://github.com/jetstack/kube-lego/issues/301
So it looks like kube-lego does not work with ACME version 2 :-(
Short version of the comments: certbot in DNS mode may work, but HTTP01 will not, because you need to adjust the Ingress settings dynamically, which is exactly what cert-manager does. Overall, this is a good example of why running a 2.5-year-old Kube version does not work well.
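To make the answer's point concrete, here is the set of objects cert-manager's HTTP01 solver creates for you on every challenge, written out by hand. This is an added example, not code from the question, the answer, or the cert-manager project. It assumes the ingress-nginx controller (which merges paths from several Ingress objects for the same host, so the existing Ingress for MY_DOMAIN can stay untouched), that MY_DOMAIN resolves to the controller's external IP, and that CHALLENGE_TOKEN and CHALLENGE_DATA are placeholders for the last path segment of the URL and the file contents that certbot prints in its "Create a file containing just this data" prompt.

```yaml
# Added example: a throw-away HTTP-01 responder for `certbot --manual`.
# Placeholders (replace before applying): MY_DOMAIN, CHALLENGE_TOKEN, CHALLENGE_DATA.
apiVersion: v1
kind: ConfigMap
metadata:
  name: acme-challenge
data:
  # The key becomes the file name under /.well-known/acme-challenge/,
  # so it must equal the token from the URL certbot shows.
  CHALLENGE_TOKEN: "CHALLENGE_DATA"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: acme-challenge
spec:
  replicas: 1
  selector:
    matchLabels:
      app: acme-challenge
  template:
    metadata:
      labels:
        app: acme-challenge
    spec:
      containers:
        - name: http
          # Assumption: any static file server will do; nginx serves dot-directories by default.
          image: nginx:1.19-alpine
          ports:
            - containerPort: 80
          volumeMounts:
            - name: challenge
              mountPath: /usr/share/nginx/html/.well-known/acme-challenge
              readOnly: true
      volumes:
        - name: challenge
          configMap:
            name: acme-challenge
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge
spec:
  selector:
    app: acme-challenge
  ports:
    - port: 80
      targetPort: 80
---
# networking.k8s.io/v1beta1 is the Ingress API available on Kubernetes 1.15.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: acme-challenge
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: MY_DOMAIN
      http:
        paths:
          # More specific than the "/" path of the application Ingress, so
          # only the ACME validation requests are routed to this pod.
          - path: /.well-known/acme-challenge/
            backend:
              serviceName: acme-challenge
              servicePort: 80
```

Apply the manifests while certbot is waiting at "Press Enter to Continue", confirm from outside the cluster that `http://MY_DOMAIN/.well-known/acme-challenge/CHALLENGE_TOKEN` returns the data with HTTP 200 rather than the 404 seen in the question, then press Enter and delete the objects afterwards. The token changes on every certbot run, so the ConfigMap (and therefore the whole cycle) has to be redone each time, which is the manual work cert-manager's HTTP01 solver automates.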