我已经配置了 ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-cluster-issuer
spec:
acme:
email: <myemail>
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-cluster-issuer-key
solvers:
- http01:
ingress:
class: nginx
和入口
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
kubernetes.io/ingress.class: nginx
name: web-ingress
namespace: default
spec:
rules:
- host: hostname
http:
paths:
- backend:
service:
name: web-service
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- hostname
secretName: web-cert-tls
我无法让配置正常运行。这会产生一个新的入口,如下
Name: cm-acme-http-solver-9nbh6
Labels: acme.cert-manager.io/http-domain=1234
acme.cert-manager.io/http-token=1234
acme.cert-manager.io/http01-solver=true
Namespace: default
Address: <IPAddress>
Ingress Class: <none>
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
hostname
/.well-known/acme-challenge/challengexyzxyzxyz-o cm-acme-http-solver-9dc8z:8089 (10.2.0.85:8089)
Annotations: kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 10m (x2 over 10m) nginx-ingress-controller Scheduled for sync
这是我应用的Ingress的描述
Name: web-ingress
Labels: app.kubernetes.io/instance=web-app
Namespace: default
Address: <IPAddress>
Ingress Class: <none>
Default backend: <default>
TLS:
web-cert-tls terminates hostname
Rules:
Host Path Backends
---- ---- --------
hostname
/ web-service:3000 (10.2.0.68:3000)
Annotations: acme.cert-manager.io/http01-edit-in-place: true
cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateCertificate 31m cert-manager-ingress-shim Successfully created Certificate "web-cert-tls"
Normal Sync 6m27s (x6 over 31m) nginx-ingress-controller Scheduled for sync
当我检查证书管理器日志时,我发现此错误
E0905 10:09:04.617600 1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected \"challengexyzxyz.morestuffherexyzxyz\" but got: <html xml:lang=\"fr-FR\" l... (truncated)" "dnsName"="hostname.ovh" "resource_kind"="Challenge" "resource_name"="web-cert-tls-xtp2r-768063107-2100049723" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"
当我从浏览器访问
hostname/.well-known/acme-challenge/challengexyzxyzxyz-o
时
我得到了预期的值。
当我从 pod 访问它时,我收到一个 html,上面写着域名购买页面。
我也尝试过在没有 Ingress 的情况下只应用证书
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: web-cert
namespace: default
spec:
dnsNames:
- hostname.ovh
secretName: web-cert-tls
issuerRef:
name: letsencrypt-cluster-issuer
kind: ClusterIssuer
我也尝试过在 Ingress 对象注释中添加
acme.cert-manager.io/http01-edit-in-place: "true"
,但也没有解决问题。 (它没有产生新的入口,仅此而已)
所以我陷入了这个挑战阶段
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/12134567898/Fmasf
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "challengexyzxyzxyz-o.challengexyzxyzxyz-o" but got: <html xml:lang="fr-FR" l... (truncated)
State: pending
dnsPolicy: "None"
dnsConfig:
nameservers:
- 8.8.8.8
- 8.8.4.4
为证书管理器设置此配置已成功。
它是
dnsPolicy: ClusterFirst
并且它以某种方式指向 DNS 提供商的网站,表示祝贺购买。
事实证明,这也可能是 k8s 提供商本地 dns 的传播延迟。就我而言,延迟超过 24 小时。名称服务器更新后,我可以恢复此更改,并且仍然可以正常工作。
我通过确保规范中的
tls
存在入口来修复此问题
spec:
tls:
- hosts:
- deck.spinnaker.abc.com
secretName: spin-deck-tls
对我来说,发生这种情况是因为我在一个 homelab 集群上运行 Certmanager,该集群位于我的域名所指向的 Opnsense 路由器后面。默认情况下,Opnsense 未配置为启用发夹 NAT。因此,从我的网络内到我的域名的任何请求都会重定向到我的路由器的登录页面。因此,来自证书管理器的令人困惑的错误消息涉及以
<!doctype html>
开头的意外响应。
检查这三个框即可修复它。我花了几个小时才弄清楚:sweat_smile: