Kubernetes: cert-manager cannot issue a certificate with Let's Encrypt

Question (votes: 0, answers: 1)

I'm using cert-manager in a Kubernetes cluster to handle certificates from Let's Encrypt. I have set up a ClusterIssuer, a Certificate, and my Ingress to use this certificate, but I'm having trouble getting the certificate issued. Here are the details of the configuration and the status:

ClusterIssuer configuration:

Name: letsencrypt-prod
Spec:
  Acme:
    Email: [email protected]
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx

Certificate configuration:

Name: frontend-tls
Namespace: default
Spec:
  Dns Names:
    xxx.in
  Issuer Ref:
    Group: cert-manager.io
    Kind: ClusterIssuer
    Name: letsencrypt-prod
  Secret Name: frontend-tls

Ingress configuration:

Name: frontend-ingress
Namespace: default
Address: xxx.xxx.xxx.xxx
Ingress Class: nginx
Annotations: cert-manager.io/cluster-issuer: letsencrypt-prod

Error details:

  Name: frontend-tls-nlgtl-2344426666-3388921781
    Status:
      Presented:   false
      Reason:      Error accepting authorization: acme: authorization error for xxx.in: 403 urn:ietf:params:acme:error:unauthorized: 3.33.152.147: Invalid response from http://xxx.in/.well-known/acme-challenge/WB9s5TUw3y95tMZPdKVEjMR9mbeh5PhuObAH5Z2FPug: 404
      State:       invalid

DNS configuration: I confirmed that my domain points to the correct IP:

Name:    xxx.in
Addresses:  15.197.345.173
          3.33.234.147

Additional information: I noticed that the certificate's Secret is not being created:

kubectl get secret frontend-tls -n default
Error from server (NotFound): secrets "frontend-tls" not found

I have made sure of the following:

  1. The DNS records for my domain are correctly set to point to the Ingress Controller's service IP.
  2. My Ingress resource is configured to use this ClusterIssuer.

I'm not sure what I'm missing or whether something in my setup is wrong. Can anyone help me figure out why cert-manager cannot issue the certificate? What am I doing wrong here, or what can I do to troubleshoot this further?

kubernetes ssl-certificate kubernetes-ingress lets-encrypt cert-manager
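The error in the question is the ACME server's HTTP-01 validator receiving a 404 on the challenge URL. Below is an added diagnostic script (my own, not from the question or the answer) that reproduces that check from outside the cluster: it resolves the domain, flags every A record that is not the Ingress address, and fetches the challenge path from each address with the Host header set; the domain, Ingress address and token in the `__main__` block are placeholders to replace with your own values.

```python
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Let's Encrypt resolves the name, picks one A record and fetches
# http://<domain>/.well-known/acme-challenge/<token>.  A 404 there means the
# request never reached the ingress-nginx solver: wrong A record, wrong
# ingress class, or a host rule that does not match.  (Body/token check omitted.)
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve_a_records(domain: str) -> List[str]:
    """Every IPv4 address the name resolves to; ACME may pick any of them."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def http_probe(ip: str, domain: str, token: str, timeout: float = 5.0) -> int:
    """GET the challenge URL from one address, Host header set to the domain so
    ingress-nginx routes it exactly like the ACME server's request."""
    req = urllib.request.Request(f"http://{ip}{CHALLENGE_PATH}{token}",
                                 headers={"Host": domain})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code            # e.g. the 404 from the question
    except OSError:
        return 0                   # connection refused / timeout

def diagnose(domain: str, ingress_ip: str, a_records: List[str], token: str,
             probe: Callable[[str, str, str], int] = http_probe) -> Dict[str, str]:
    """Verdict per A record: a record that is not the Ingress address, or that
    does not answer 200 on the challenge path, fails the ACME authorization."""
    verdicts: Dict[str, str] = {}
    for ip in a_records:
        if ip != ingress_ip:
            verdicts[ip] = "not the Ingress address: ACME may be sent elsewhere"
        else:
            status = probe(ip, domain, token)
            verdicts[ip] = "ok" if status == 200 else f"challenge path returned {status}"
    return verdicts

def all_ok(verdicts: Dict[str, str]) -> bool:
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())

if __name__ == "__main__":  # placeholders: substitute the real domain and Ingress address
    domain, ingress_ip = "example.com", "203.0.113.10"
    for ip, verdict in diagnose(domain, ingress_ip, resolve_a_records(domain), "token").items():
        print(ip, verdict)
```

Run it while a challenge is pending (`kubectl get challenges -A` shows the token in the challenge name and status); a second A record pointing away from the ingress, as in the nslookup output above, is reported before any HTTP probe is made.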
1 answer

Answer (score: 0)

I'm still quite new to this, but I successfully deployed a certificate with Let's Encrypt on a Kubernetes cluster and can share my files with you. I use Gandi as my DNS, but you can use your own DNS provider if it isn't Gandi.

My Certificate configuration:

# Cert-manager 
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xxx.space
spec:
  dnsNames:
  - xxx.space
  issuerRef:
    name: letsencrypt
    kind: Issuer
  secretName: secret-tls-one

My Issuer configuration:

# Issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory 
    # https://acme-v02.api.letsencrypt.org/directory ORIGINAL
    # https://acme-staging-v02.api.letsencrypt.org/directory TESTS
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - dns01:
        webhook:
          groupName: acme.bwolf.me
          solverName: gandi
          config:
            apiKeySecretRef:
              key: api-token
              name: gandi-credentials1
              namespace: glpi-one

My Ingress configuration without TLS:

# Ingress creation
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: glpi-v1
  namespace: glpi-one
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: glpi
  rules:
  - host: xxx.space
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: glpi-service
            port: 
              number: 80

My Ingress configuration with TLS:

# Ingress creation
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: glpi-v1
  namespace: glpi-one
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/issuer: letsencrypt
    cert-manager.io/issuer-kind: Issuer
    cert-manager.io/issuer-group: cert-manager.io
spec:
  ingressClassName: glpi
  rules:
  - host: xxx.space
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: glpi-service
            port: 
              number: 80
  tls: # placing a host in the TLS config will determine what ends up in the cert's subjectAlt
  - hosts:
    - xxx.space
    secretName: secret-tls-one # cert-manager will store the created certificate in this secret.

I used a .sh script I wrote to run all the required steps in the right order, because sometimes I get lost.

#!/usr/bin/env bash
# Stop on the first failing step so a later layer is never applied on top of a broken one.
set -euo pipefail
# The Gandi API token is read from the environment; refuse to run without it.
: "${apitoken:?set apitoken to your Gandi API token before running this script}"

# Make the jetstack chart repository available to helm
helm repo add jetstack https://charts.jetstack.io
helm repo update

# Install cert-manager with custom DNS settings
echo "Installing cert-manager..."
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --version v1.10.1 --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}'
echo "Cert-manager installed."

# Install cert-manager-webhook-gandi Helm chart
echo "Installing cert-manager-webhook-gandi Helm chart..."
helm install cert-manager-webhook-gandi --repo https://bwolf.github.io/cert-manager-webhook-gandi --version v0.2.0 --namespace cert-manager --set features.apiPriorityAndFairness=true --set logLevel=6 --generate-name
echo "cert-manager-webhook-gandi Helm chart installed."

# Apply applicative layers
echo "Applying applicative configuration files..."
kubectl apply -f glpi1.yaml -n glpi-one
echo "Applicative configuration files applied"

# Apply Ingress layer (without TLS)
echo "Applying Ingress configuration files..."
kubectl apply -f ingress1_glpiv1.yaml -n glpi-one
echo "Ingress configuration files applied."

# Apply Issuer layer
echo "Applying Let's Encrypt Issuer configuration files..."
kubectl apply -f issuer-glpiv1.yaml -n glpi-one
echo "Let's Encrypt Issuer configuration files applied."

# Create Gandi API token secret (one in the default namespace, one beside the Issuer)
echo "Creating Gandi API token secret..."
kubectl create secret generic gandi-credentials --from-literal=api-token="$apitoken"
kubectl create secret generic gandi-credentials1 --from-literal=api-token="$apitoken" -n glpi-one
echo "Gandi API token secret created."

# Create role and rolebinding so the webhook's service account can read the token secret
echo "Creating role and rolebinding for accessing secrets..."
hookID=$(kubectl get pods -n cert-manager | grep "cert-manager-webhook-gandi-" | cut -d"-" -f5)
kubectl create role access-secrets --verb=get,list,watch,update,create --resource=secrets -n glpi-one
kubectl create rolebinding --role=access-secrets default-to-secrets --serviceaccount=cert-manager:cert-manager-webhook-gandi-"$hookID" -n glpi-one
echo "Role and rolebinding created."

# Apply Certificate layer
echo "Applying Certificate configuration files..."
kubectl apply -f certif1_glpiv1.yaml -n glpi-one
echo "Certificate configuration files applied."

# Apply Ingress layer (with TLS)
echo "Applying Ingress configuration files..."
kubectl apply -f ingress2_glpiv1.yaml -n glpi-one
echo "Ingress configuration files applied."

I don't know whether this helps you, but it worked for me. I used bwolf's GitHub repository cert-manager-webhook-gandi so that Gandi and ACME can talk to each other.

When I ran into problems deploying the certificate, the following commands helped me a lot:

kubectl get certificates -n [namespaceName]
kubectl describe certificates -n [namespaceName]
kubectl get orders -n [namespaceName]
kubectl describe orders -n [namespaceName]

I used the cert-manager namespace because installing cert-manager requires it, and made sure the secret containing the Gandi API key is also in the cert-manager namespace.

I hope you find a solution to your problem :)
