cert-manager 在查询端点时没有得到预期的响应,预期 <token> 但得到:<html xml:lang=\"fr-FR\" l... (truncated)"

问题描述 投票:0回答:3

我已经配置了 ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    email: <myemail>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
      - http01:
          ingress:
            class: nginx

和入口

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
    kubernetes.io/ingress.class: nginx
  name: web-ingress
  namespace: default
spec:
  rules:
    - host: hostname
      http:
        paths:
          - backend:
              service:
                name: web-service
                port:
                  number: 3000
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - hostname
      secretName: web-cert-tls

我无法让配置正常运行。这会产生一个新的入口,如下

Name:             cm-acme-http-solver-9nbh6
Labels:           acme.cert-manager.io/http-domain=1234
                  acme.cert-manager.io/http-token=1234
                  acme.cert-manager.io/http01-solver=true
Namespace:        default
Address:          <IPAddress>
Ingress Class:    <none>
Default backend:  <default>
Rules:
  Host          Path  Backends
  ----          ----  --------
  hostname  
                /.well-known/acme-challenge/challengexyzxyzxyz-o   cm-acme-http-solver-9dc8z:8089 (10.2.0.85:8089)
Annotations:    kubernetes.io/ingress.class: nginx
                nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    10m (x2 over 10m)  nginx-ingress-controller  Scheduled for sync

这是我应用的Ingress的描述

Name:             web-ingress
Labels:           app.kubernetes.io/instance=web-app
Namespace:        default
Address:          <IPAddress>
Ingress Class:    <none>
Default backend:  <default>
TLS:
  web-cert-tls terminates hostname
Rules:
  Host          Path  Backends
  ----          ----  --------
  hostname  
                /   web-service:3000 (10.2.0.68:3000)
Annotations:    acme.cert-manager.io/http01-edit-in-place: true
                cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
                kubernetes.io/ingress.class: nginx
Events:
  Type    Reason             Age                  From                       Message
  ----    ------             ----                 ----                       -------
  Normal  CreateCertificate  31m                  cert-manager-ingress-shim  Successfully created Certificate "web-cert-tls"
  Normal  Sync               6m27s (x6 over 31m)  nginx-ingress-controller   Scheduled for sync

当我检查证书管理器日志时,我发现此错误

E0905 10:09:04.617600       1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected \"challengexyzxyz.morestuffherexyzxyz\" but got: <html xml:lang=\"fr-FR\" l... (truncated)" "dnsName"="hostname.ovh" "resource_kind"="Challenge" "resource_name"="web-cert-tls-xtp2r-768063107-2100049723" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"

当我从浏览器访问

hostname/.well-known/acme-challenge/challengexyzxyzxyz-o
时 我得到了预期的值。

当我从 pod 访问它时,我收到一个 html,上面写着域名购买页面。

我也尝试过在没有 Ingress 的情况下只应用证书

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-cert
  namespace: default
spec:
  dnsNames:
    - hostname.ovh
  secretName: web-cert-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    kind: ClusterIssuer

我也尝试过在 Ingress 对象注释中添加 

acme.cert-manager.io/http01-edit-in-place: "true"
,但也没有解决问题。 (它没有产生新的入口,仅此而已)

所以我陷入了这个挑战阶段

Type:         HTTP-01
  URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/12134567898/Fmasf
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "challengexyzxyzxyz-o.challengexyzxyzxyz-o" but got: <html xml:lang="fr-FR" l... (truncated)
  State:       pending
kubernetes ssl kubernetes-ingress nginx-ingress cert-manager
3个回答
3
投票
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
          - 8.8.8.8
          - 8.8.4.4

为证书管理器设置此配置已成功。

它是 

dnsPolicy: ClusterFirst
并且它以某种方式指向 DNS 提供商的网站,表示祝贺购买。

事实证明,这也可能是 k8s 提供商本地 dns 的传播延迟。就我而言,延迟超过 24 小时。名称服务器更新后,我可以恢复此更改,并且仍然可以正常工作。

0
投票

我通过确保规范中的 

tls
存在入口来修复此问题

 spec:
  tls:
  - hosts:
    - deck.spinnaker.abc.com
    secretName: spin-deck-tls
0
投票

对我来说,发生这种情况是因为我在一个 homelab 集群上运行 Certmanager,该集群位于我的域名所指向的 Opnsense 路由器后面。默认情况下,Opnsense 未配置为启用发夹 NAT。因此,从我的网络内到我的域名的任何请求都会重定向到我的路由器的登录页面。因此,来自证书管理器的令人困惑的错误消息涉及以 

<!doctype html>
开头的意外响应。

检查这三个框即可修复它。我花了几个小时才弄清楚:sweat_smile:

Screenshot 2023-10-22 at 2 40 39 PM

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.