Kubernetes Let's Encrypt cert-manager error: secret not found

Tags: kubernetes lets-encrypt cert-manager

I followed this tutorial to set up Let's Encrypt in Kubernetes: https://github.com/ahmetb/gke-letsencrypt/blob/master/

I ran into a problem: cert-manager does not create the required secret.
Can you help me fix this?

cert-manager error:

Found status change for Certificate "mydomain.fr" condition "Ready": "False" -> "False"; setting lastTransitionTime to 2018-11-06 17:37:20.683089649 +0000 UTC m=+5887.364224968
Error preparing issuer for certificate coffeer-ci/mydomain.fr: http-01 self check failed for domain "mydomain.fr"
[coffeer-ci/mydomain.fr] Error getting certificate 'domain-tls': secret "domain-tls" not found

Here are my Kubernetes objects:

kubectl -n kube-system describe pod cert-manager
Name:           cert-manager-7bb46cc6b-scqrp
Namespace:      kube-system
Node:           gke-inkubator-default-pool-68c0309d-b86b/10.132.0.3
Start Time:     Tue, 06 Nov 2018 16:59:10 +0100
Labels:         app=cert-manager
                pod-template-hash=366027726
                release=cert-manager
Annotations:    <none>
Status:         Running
IP:             10.16.1.132
Controlled By:  ReplicaSet/cert-manager-7bb46cc6b
Containers:
  cert-manager:
    Container ID:  docker://d4795cfa85aacd2cbd0c5fd51246c436e3cf953632f4ca4a26e683c5867bf113
    Image:         quay.io/jetstack/cert-manager-controller:v0.5.0
    Image ID:      docker-pullable://quay.io/jetstack/cert-manager-controller@sha256:fd89c3c33fd89ffe0a9f91df2f54423397058d4180eccfe90b831859ba46b6e5
    Port:          <none>
    Host Port:     <none>
    Args:
      --cluster-resource-namespace=$(POD_NAMESPACE)
      --leader-election-namespace=$(POD_NAMESPACE)
    State:          Running
      Started:      Tue, 06 Nov 2018 16:59:13 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from cert-manager-token-9ck7b (ro)
Conditions:
  Type           Status
  Initialized    True 
  Ready          True 
  PodScheduled   True 
Volumes:
  cert-manager-token-9ck7b:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cert-manager-token-9ck7b
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>

kubectl describe clusterissuer
Name:         letsencrypt-staging
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-11-06T16:00:23Z
  Generation:          1
  Resource Version:    10184529
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-staging
  UID:                 11e44fe0-e1dd-11e8-8bc6-42010a840078
Spec:
  Acme:
    Email:  dev@mydomain.com
    Http 01:
    Private Key Secret Ref:
      Key:   
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-staging-v02.api.letsencrypt.org/acme/acct/7297218
  Conditions:
    Last Transition Time:  2018-11-06T16:00:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

kubectl -n coffeer-ci describe certificate
Name:         mydomain.fr
Namespace:    coffeer-ci
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-11-06T16:10:57Z
  Generation:          1
  Resource Version:    10197662
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/coffeer-ci/certificates/mydomain.fr
  UID:                 8b6d508a-e1de-11e8-8bc6-42010a840078
Spec:
  Acme:
    Config:
      Domains:
        mydomain.fr
      Http 01:
        Ingress:  coffee-ingress
  Common Name:    mydomain.fr
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-staging
  Secret Name:  domain-tls
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz/wm5MvoFA12U37qdXdBCccyIWezpEsLoxHUGVDacmHpI
        Domain:     mydomain.fr
        Http 01:
          Ingress:  coffee-ingress
        Key:        RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M.4LwovuRj4ZgjrwLuye1cd5ftBRYaGIvtK__igMmDUD8
        Token:      RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M
        Type:       http-01
        URL:        https://acme-staging-v02.api.letsencrypt.org/acme/challenge/wm5MvoFA12U37qdXdBCccyIWezpEsLoxHUGVDacmHpI/192521366
        Wildcard:   false
      URL:          https://acme-staging-v02.api.letsencrypt.org/acme/order/7297218/12596140
  Conditions:
    Last Transition Time:  2018-11-06T17:47:28Z
    Message:               http-01 self check failed for domain "mydomain.bap.fr"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:                    <none>

kubectl -n coffeer-ci describe ingress
Name:             coffee-ingress
Namespace:        coffeer-ci
Address:          35.233.8.223
Default backend:  default-http-backend:80 (10.16.1.5:8080)
Rules:
  Host                       Path  Backends
  ----                       ----  --------
  mydomain.fr  
                             /                                                                         coffee-service:80 (<none>)
                             /.well-known/acme-challenge/RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M   cm-acme-http-solver-kw2w4:8089 (<none>)
Annotations:
  ingress.kubernetes.io/forwarding-rule:        k8s-fw-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  ingress.kubernetes.io/target-proxy:           k8s-tp-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  ingress.kubernetes.io/url-map:                k8s-um-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  kubernetes.io/ingress.global-static-ip-name:  coffeer-ci-static
  kubernetes.io/tls-acme:                       true
  ingress.kubernetes.io/backends:               {"k8s-be-32603--4b1e5690f5d3853f":"HEALTHY"}
Events:
  Type     Reason             Age                 From                      Message
  ----     ------             ----                ----                      -------
  Normal   CREATE             40m                 nginx-ingress-controller  Ingress coffeer-ci/coffee-ingress
  Normal   CreateCertificate  34m                 cert-manager              Successfully created Certificate "domain-tls"
  Warning  Sync               25m (x23 over 59m)  loadbalancer-controller   Could not find TLS certificates. Continuing setup for the load balancer to serve HTTP. Note: this behavior is deprecated and will be removed in a future version of ingress-gce
  Normal   UPDATE             15m (x8 over 39m)   nginx-ingress-controller  Ingress coffeer-ci/coffee-ingress
  Warning  Sync               3m (x49 over 1h)    loadbalancer-controller   Error during sync: googleapi: Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded

I also get the error "Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded" on the Ingress.

Thanks

Best answer

Error preparing issuer for certificate coffeer-ci/mydomain.fr: http-01 self check failed for domain "mydomain.fr"

means it could not perform the HTTP check that you actually own the domain. Do you own mydomain.fr? If so, you need to add a DNS entry that makes mydomain.fr resolve to the external IP of the load balancer (an A record) (or, if the load balancer has a name entry, it must be a CNAME record, as in the case of an AWS ELB). That way Let's Encrypt can use it to verify that you own the domain.

The other error:

Warning Sync 3m (x49 over 1h) loadbalancer-controller Error during sync: googleapi: Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded

looks like a by-product of not being able to validate the domain. If you don't specify one and the Ingress looks like that, cert-manager creates a 'LoadBalancer' service type for you. It looks like it created it initially, but it kept trying to sync to create it on GCP (probably because it checks whether it can configure port 443), and after a while the GCP API is throttling you.
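The http-01 self-check that fails in the log above can be reproduced outside the cluster, which is a quick way to confirm whether the DNS fix described in the answer has taken effect. The script below is an added example, not code from the question, the answer or cert-manager itself; it assumes the domain, challenge token, key authorization and Ingress address shown in the question (mydomain.fr, 35.233.8.223) and takes pluggable resolver/fetcher functions so the same logic can be exercised offline against simulated answers.

```python
"""Reproduce cert-manager's http-01 self-check outside the cluster.

Added example, not from the question, the answer or cert-manager. Before asking
Let's Encrypt to validate, cert-manager resolves the domain through public DNS
and fetches http://<domain>/.well-known/acme-challenge/<token>, expecting the
body to equal the key authorization (token "." account-key thumbprint). If DNS
does not point at the Ingress, or another backend answers the path, that fetch
fails and the Certificate reports "http-01 self check failed".
"""
import socket
import urllib.request
from urllib.error import URLError

ACME_PATH = "/.well-known/acme-challenge/"


def default_resolver(host):
    """Resolve a hostname to an IPv4 address with the system resolver."""
    return socket.gethostbyname(host)


def default_fetcher(url, timeout=10):
    """GET the URL and return the body as text, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip()
    except URLError:
        return None


def expected_key_authorization(token, thumbprint):
    """Key authorization format used by ACME http-01: token "." thumbprint."""
    return token + "." + thumbprint


def self_check(domain, token, key_authorization, ingress_ip,
               resolver=default_resolver, fetcher=default_fetcher):
    """Return (ok, reason) for the two steps behind the self-check.

    Step 1: the domain must resolve, and to the Ingress / load balancer address.
    Step 2: the solver must answer the challenge path with the key authorization.
    """
    try:
        resolved = resolver(domain)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"DNS: {domain} does not resolve ({exc})"
    if resolved != ingress_ip:
        return False, (f"DNS: {domain} resolves to {resolved}, "
                       f"but the Ingress address is {ingress_ip}")

    body = fetcher(f"http://{domain}{ACME_PATH}{token}")
    if body is None:
        return False, "HTTP: challenge URL unreachable (solver pod or route missing?)"
    if body != key_authorization:
        return False, "HTTP: unexpected body (another backend answered the path?)"
    return True, "ok"


if __name__ == "__main__":
    # Values taken from the question's Certificate and Ingress output.
    DOMAIN = "mydomain.fr"
    TOKEN = "RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M"
    KEY = ("RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M."
           "4LwovuRj4ZgjrwLuye1cd5ftBRYaGIvtK__igMmDUD8")
    INGRESS_IP = "35.233.8.223"

    # Offline demonstration with constructed answers: DNS not yet pointing at
    # the load balancer, which is the situation the answer describes.
    print(self_check(DOMAIN, TOKEN, KEY, INGRESS_IP,
                     resolver=lambda h: "203.0.113.10",
                     fetcher=lambda u, timeout=10: KEY))

    # Constructed answers for the healthy case: correct DNS, solver responds.
    print(self_check(DOMAIN, TOKEN, KEY, INGRESS_IP,
                     resolver=lambda h: INGRESS_IP,
                     fetcher=lambda u, timeout=10: KEY))

    # To run the real check, call self_check(DOMAIN, TOKEN, KEY, INGRESS_IP)
    # with the defaults; it then uses the system resolver and a plain HTTP GET.
```

Running the two steps separately tells you which half of the self-check is broken: a DNS mismatch means the record from the answer is still missing or not yet propagated, while an unreachable or wrong-body response means the request reaches the Ingress but the cm-acme-http-solver route is not the one answering.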

For "Kubernetes Let's Encrypt cert-manager error: secret not found", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53177381/
