我正在使用 cert-manager 来管理 Kubernetes 集群中的 ssl 证书。 cert-manager 创建 pod 和挑战,但挑战永远不会得到满足。他们总是说:
Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://somedomain/.well-known/acme-challenge/VqlmMCsb019CCFDggs03RyBLZJ0jo53LO...': Get "http://somedomain/.well-known/acme-challenge/VqlmMCsb019CCFDggs03RyBLZJ0jo53LO...": EOF
但是当我打开网址(http:///.well-known/acme-challenge/VqlmMCsb019CCFDggs03RyBLZJ0jo53LO...)时,它会返回预期的代码:
vzCVdTk1q55MQCNH...zVkKYGvBJkRTvDBHQ.YfUcSfIKvWo_MIULP9jvYcgtsGxwfJMLWUGsB5kFKRc
当我做
kubectl get certs ,它表示证书已准备就绪:姓名
准备好
secret
年龄
crt1
真的
crt1- secret
65m
crt1- secret
真的
crt1- secret
65m
crt2
真的
crt2- secret
65m
crt2- secret
真的
crt2- secret
65m
看起来 Let's Encrypt 从不调用(或证书管理器从不指示)这些 url 进行验证。
当我列出挑战时
kubectl describe challenges , 它说:Name: crt-secret-hcgcf-269956107-974455061
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2021-07-23T10:47:27Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.acme.cert-manager.io":
f:ownerReferences:
.:
k:{"uid":"09e39ad0-cc39-421f-80d2-07c2f82680af"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:authorizationURL:
f:dnsName:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:key:
f:solver:
.:
f:http01:
.:
f:ingress:
.:
f:class:
f:ingressTemplate:
UID: 09e39ad0-cc39-421f-80d2-07c2f82680af
Resource Version: 19014474
UID: b914ad18-2f5c-45cd-aa34-4ad7a2786536
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1547...9301
Dns Name: mydomain.something
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt
Key: VqlmMCsb019CCFDggs03RyBLZ...nc767h_g.YfUcSfIKv...GxwfJMLWUGsB5kFKRc
Solver:
http01:
Ingress:
Class: nginx
Ingress Template:
Metadata:
Annotations:
nginx.org/mergeable-ingress-type: minion
Service Type: ClusterIP
Token: VqlmMCsb019CC...03RyBLZJ0jo53LOiqnc767h_g
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/15...49301/X--4pw
Wildcard: false
Events: <none>
更新1:
当我运行
curl http://some-domain.tld/.well-known/acme-challenge/VqlmMCsb019CC...gs03RyBLZJ0jo53LOiqnc767h_g在另一个 pod 中,它返回:curl: (52) Empty reply from server
当我在本地(在我的 PC 上)执行此操作时,它会返回给我预期的挑战响应。
最佳答案
确保您的 POD 在主页 URL 或您在 上配置的域的主页上返回某些内容。入口主持人
您也可以使用 DNS-01 验证方法 HTTP-01 不管用
这里是 的示例DNS-01 :
通配符 证书 与 cert-manager例子
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: test123@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- selector:
dnsZones:
- "devops.example.in"
dns01:
route53:
region: us-east-1
hostedZoneID: Z0152EXAMPLE
accessKeyID: AKIA5EXAMPLE
secretAccessKeySecretRef:
name: route53-secret
key: secret-access-key
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: le-crt
spec:
secretName: tls-secret
issuerRef:
kind: Issuer
name: letsencrypt-prod
commonName: "*.devops.example.in"
dnsNames:
- "*.devops.example.in"
关于ssl - 证书管理器挑战悬而未决,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68498856/