我想在 Ubuntu 20.04 上的 microk8s kubernetes 设置上设置 TLS。 这在过去是有效的,但在切换到 microk8s 1.28 和 cert-manager 1.13 后,我陷入了困境。
我总是得到
Waiting for HTTP-01 challenge propagation: failed to perform self check GET request
。
此外,挑战描述中还写着dial tcp xx.xx.xx.xx:80: connect: connection refused
。
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: ...
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
name: whoami
对于入口类型,我尝试了 docs 中提到的名称、类以及 ingressClassName。问题总是一样的。
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
namespace: default
labels:
app: whoami
spec:
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: default
spec:
selector:
app: whoami
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
namespace: default
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
rules:
- host: my.domain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
number: 80
tls:
- hosts:
- my.domain.com
secretName: letsencrypt-prod
ACME-solver pod 已创建,但我注意到监听端口出于某种原因为 8089。 该服务也侦听此端口:
cm-acme-http-solver-h648p NodePort 10.152.183.48 <none> 8089:30571/TCP 15m
这不应该是 80 吗,因为我的服务器没有公开端口 8089?
我直接从 github 通过他们的 manifest 安装了 cert-manager v1.13.2。使用
microk8s enable cert-manager
返回稳定版本解决了该问题。