I want to get LetsEncrypt / cert-manager (https://cert-manager.io/docs/installation/kubernetes/) running via this Helm chart: https://hub.helm.sh/charts/jetstack/cert-manager. The K8s cluster is on Digital Ocean.
I successfully verified the installation as recommended (https://cert-manager.io/docs/installation/kubernetes/#verifying-the-installation) and created two ClusterIssuers, one for staging and one for production (letsencrypt-staging, letsencrypt-prod).
Problem: the ACME challenge returns a 404.

    $ k get challenge -o wide
    NAME                                          STATE     DOMAIN              REASON                                                                               AGE
    myapp-cert-2315925673-2905389610-1118496475   pending   myapp.example.com   Waiting for http-01 challenge propagation: wrong status code '404', expected '200'   7m55s
The Ingress works fine on port 80 when the tls block is commented out. When I define tls, however, requests on port 80 return 404, which is probably why the challenge fails.

Note: I get the same response when using my prod ClusterIssuer.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: myapp-ingress
      annotations:
        # route this Ingress through the nginx ingress controller
        kubernetes.io/ingress.class: nginx
        # ask cert-manager to obtain a certificate for the hosts listed under spec.tls
        cert-manager.io/cluster-issuer: letsencrypt-staging
      labels:
        app: myapp
    spec:
      rules:
      - host: myapp.example.com
        http:
          paths:
          # no `path` given, so every path on this host goes to the myapp Service
          - backend:
              serviceName: myapp
              servicePort: 80
      tls:
      - hosts:
        - myapp.example.com
        # cert-manager stores the issued certificate and key in this Secret
        secretName: myapp-cert
:: Edit to add more config ::

After adding more config and logs as requested by @Tubc, it looks like Nginx throws an error when I update the ingress because the certificate does not exist.

ClusterIssuer manifests:
    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        # Let's Encrypt production endpoint (rate limited, issues trusted certs)
        server: https://acme-v02.api.letsencrypt.org/directory
        email: [email protected]
        privateKeySecretRef:
          # Secret that will hold the ACME account private key
          name: letsencrypt-prod
        solvers:
        - http01:
            ingress:
              # cert-manager creates temporary solver Ingresses with this class
              class: nginx
    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        # Let's Encrypt staging endpoint (untrusted certs, generous rate limits)
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        email: [email protected]
        privateKeySecretRef:
          name: letsencrypt-staging
        solvers:
        - http01:
            ingress:
              class: nginx
Service manifest:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: myapp
      labels:
        app: myapp
    spec:
      ports:
      # port 80 on the Service; targetPort defaults to the same value
      - port: 80
      selector:
        app: myapp
        tier: fe
      type: NodePort
Nginx logs:

    2019/12/08 14:45:44 [emerg] 62#62: cannot load certificate "/etc/nginx/secrets/default-myapp-cert": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
    I1208 14:45:44.934644       1 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"myapp-ingress", UID:"610c3304-0565-415d-8cde-0863bf9325ca", APIVersion:"extensions/v1beta1", ResourceVersion:"319124", FieldPath:""}): type: 'Warning' reason: 'AddedOrUpdatedWithError' Configuration for default/myapp-ingress was added or updated, but not applied: Error reloading NGINX for default/myapp-ingress: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
    stderr: "nginx: [emerg] cannot load certificate \"/etc/nginx/secrets/default-myapp-cert\": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\n"
    finished with error: exit status 1
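The "wrong status code '404', expected '200'" reason above comes from cert-manager's own self-check: before it tells Let's Encrypt to validate, it fetches http://<dnsName>/.well-known/acme-challenge/<token> itself and expects a 200 whose body is the key authorization stored in the Challenge's spec.key (RFC 8555, section 8.3). The script below is an added example, not code from the poster or from cert-manager, that performs the same request by hand so the failure can be reproduced from outside the cluster while the Ingress and controller are being changed. The Challenge JSON embedded in it is constructed to mirror the question (the token and key values are made up); in real use, feed it the output of `kubectl get challenge <name> -o json`.

```python
"""Reproduce cert-manager's HTTP-01 self-check by hand.

Added example for this question; not cert-manager's code. Reads the fields
cert-manager records on a Challenge resource (spec.dnsName, spec.token,
spec.key) and performs the GET the ACME server will perform:
  http://<dnsName>/.well-known/acme-challenge/<token>
expecting HTTP 200 with a body equal to spec.key. The fetcher is injectable
so the logic can be exercised offline against canned responses.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Tuple

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed values standing in for the real token / key authorization.
SAMPLE_TOKEN = "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHRva2Vu"
SAMPLE_KEY = SAMPLE_TOKEN + ".c29tZS1hY2NvdW50LXRodW1icHJpbnQ"

# Constructed sample shaped like a trimmed `kubectl get challenge -o json`.
SAMPLE_CHALLENGE = json.dumps({
    "apiVersion": "acme.cert-manager.io/v1alpha2",
    "kind": "Challenge",
    "metadata": {"name": "myapp-cert-2315925673-2905389610-1118496475",
                 "namespace": "default"},
    "spec": {
        "dnsName": "myapp.example.com",
        "type": "http-01",
        "token": SAMPLE_TOKEN,
        "key": SAMPLE_KEY,
    },
    "status": {
        "presented": True,
        "processing": True,
        "state": "pending",
        "reason": "Waiting for http-01 challenge propagation: "
                  "wrong status code '404', expected '200'",
    },
})

# A fetcher returns (http_status, body) for a URL.
Fetcher = Callable[[str], Tuple[int, str]]


def challenge_url(dns_name: str, token: str) -> str:
    """URL the ACME server and cert-manager's self-check GET: plain HTTP, port 80."""
    return f"http://{dns_name}{ACME_PATH}{token}"


def http_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher. Non-2xx responses are returned as data, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def self_check(challenge_json: str, fetch: Fetcher = http_fetch) -> str:
    """Return "ok", or a reason string in the style of Challenge status.reason."""
    spec = json.loads(challenge_json)["spec"]
    if spec.get("type") != "http-01":
        return f"not an http-01 challenge: {spec.get('type')!r}"
    status, body = fetch(challenge_url(spec["dnsName"], spec["token"]))
    if status != 200:
        # The case in the question: the solver path is not reachable on port 80.
        return f"wrong status code '{status}', expected '200'"
    if body.strip() != spec["key"]:
        # Reachable, but something other than the solver pod answered.
        return "key authorization mismatch: body does not equal spec.key"
    return "ok"


if __name__ == "__main__":
    # Usage: kubectl get challenge <name> -o json | python3 self_check.py
    # Without stdin input, run the constructed sample against the live network.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHALLENGE
    print(self_check(data))
```

If this prints "wrong status code '404'" while cert-manager shows the Challenge as presented, the solver Ingress cert-manager created is not being served on port 80, which is the situation the controller reload failure in the logs above would produce. A 200 with a key authorization mismatch means the hostname resolves to something that is not the solver pod, which is a different problem to chase.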