【Question title】: Unable to assign certificate using Cert-Manager and NGINX ingress controller in GKE
【Posted】: 2020-07-19 13:54:25
【Question】:

I am using the Nginx Ingress controller (internal ingress) and the cert-manager 0.15.1 Helm chart. Kubernetes version: 1.14.x

My certificate status never becomes True. I have tried both challenge types, DNS01 and HTTP01, with the same result. Error:

Attaching screenshot: Kubernetes Ingress Controller Fake Certificate

cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt-staging
 namespace: cert-manager
spec:
 acme:
   # The ACME server URL
   server: https://acme-staging-v02.api.letsencrypt.org/directory
   # Email address used for ACME registration
   email: <email>
   # Name of a secret used to store the ACME account private key
   privateKeySecretRef:
     name: letsencrypt-staging
   # Enable the HTTP-01 challenge provider
   solvers:
   - http01:
       ingress:
         class:  nginx

Ingress.yaml

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-devtools-ilb-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx" 
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
    - hosts:
        - domain.com
      secretName: create-new-secret
  rules:
    - host: domain.com
      http:
        paths:
          - path: "/"
            backend:
              serviceName: hello-service
              servicePort: hello-port
          - path: "/kube"
            backend:
              serviceName: hello-kubernetes
              servicePort: 80

kubectl describe certificate create-new-secret

Name:         create-new-secret
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-07-19T13:30:01Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  <ingress-name>
    UID:                   f0b74bb6-c903-11ea-9960-4201ac100008
  Resource Version:        521536
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/<namespace>/certificates/create-new-secret
  UID:                     f2b63e87-c9c3-11ea-bb3e-4201ac100004
Spec:
  Dns Names:
    domain.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  create-new-secret
Status:
  Conditions:
    Last Transition Time:  2020-07-19T13:30:02Z
    Message:               Waiting for CertificateRequest "create-new-secret-2447513806" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  3m8s  cert-manager  Generated a new private key
  Normal  Requested     3m8s  cert-manager  Created new CertificateRequest resource "create-new-secret-2447513806"

Please help me resolve this.

【Discussion】:

    Tags: google-kubernetes-engine nginx-ingress cert-manager
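The Certificate in the describe output carries `Issuer Ref: Kind: Issuer`, yet the manifest above creates a ClusterIssuer: the `cert-manager.io/issuer` annotation selects a namespaced Issuer, while a ClusterIssuer needs `cert-manager.io/cluster-issuer`. The following is an added consistency check written for this thread (not code from the question or from cert-manager); it works on manifests already parsed into dicts, and the samples below are constructed copies of the question's ClusterIssuer and Ingress. Besides the annotation/kind mismatch it also flags the staging CA and a tls host that no rule serves.

```python
STAGING_URL = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed samples mirroring the question's ClusterIssuer and Ingress;
# only the fields the checks inspect are kept.
CLUSTER_ISSUER = {
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {"acme": {"server": STAGING_URL}},
}
INGRESS = {
    "metadata": {"annotations": {"cert-manager.io/issuer": "letsencrypt-staging"}},
    "spec": {
        "tls": [{"hosts": ["domain.com"], "secretName": "create-new-secret"}],
        "rules": [{"host": "domain.com"}],
    },
}
# The ingress-shim annotation fixes the kind in the Certificate's issuerRef:
# cert-manager.io/issuer -> Issuer (namespaced),
# cert-manager.io/cluster-issuer -> ClusterIssuer (cluster-scoped).
ANNOTATION_KINDS = {
    "cert-manager.io/issuer": "Issuer",
    "cert-manager.io/cluster-issuer": "ClusterIssuer",
}


def check_manifests(ingress, issuers):
    """Return the problems that would keep the Certificate from becoming Ready."""
    problems = []
    by_ref = {(i["kind"], i["metadata"]["name"]): i for i in issuers}
    for key, kind in ANNOTATION_KINDS.items():
        name = ingress["metadata"].get("annotations", {}).get(key)
        if name is None:
            continue
        issuer = by_ref.get((kind, name))
        if issuer is None:
            others = [k for (k, n) in by_ref if n == name and k != kind]
            hint = f" (a {others[0]} of that name exists: wrong annotation key)" if others else ""
            problems.append(f"{key}: {kind} {name!r} does not exist{hint}")
        elif issuer["spec"]["acme"]["server"] == STAGING_URL:
            problems.append(f"{kind} {name!r} uses the Let's Encrypt staging CA; "
                            "the certificate will be issued but not trusted by browsers")
    # Certificate dnsNames come from spec.tls[].hosts; a host missing from the
    # rules is usually a typo (domain.con vs domain.com) in one of the two lists.
    tls_hosts = {h for t in ingress["spec"].get("tls", []) for h in t.get("hosts", [])}
    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", []) if "host" in r}
    for host in sorted(tls_hosts - rule_hosts):
        problems.append(f"tls host {host!r} has no matching rule host")
    return problems
```

Running `check_manifests(INGRESS, [CLUSTER_ISSUER])` on the question's manifests reports only the Issuer/ClusterIssuer mismatch; once the annotation key is corrected, the remaining finding is the staging CA that Solution 1 points out.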


    【Solution 1】:

    This is because you are using the Let's Encrypt staging server. The staging server is only meant for testing; once you think everything is fine, you can move to the production server.

    You need to create a new issuer using this example.

    Change the ingress annotation to:

    cert-manager.io/issuer: "letsencrypt-production"

    References:

    https://letsencrypt.org/docs/staging-environment/

    【Comments】:

    【Solution 2】:

    I was able to solve this with the help of DNS01.

    Letsencrypt-prod certificate issuer (ILB)

    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: Issuer
    metadata:
      name: cert-issuer
      namespace: <>
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: 
        privateKeySecretRef:
          name: dns-prod-issuer
        solvers:
          - selector: {}
            dns01:
              clouddns:
                project: GCP_project_ID
                serviceAccountSecretRef:
                  name: clouddns-dns01-solver-svc-acct
                  key: key.json

    Letsencrypt-prod certificate

    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
      name: cert
      namespace: <>
    spec:
      secretName: cert-secret
      issuerRef:
        name: cert-issuer
        kind: Issuer
      dnsNames:
        - host.domain.com
        - www.host.domain.com

    Ingress

    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-https
      namespace: <>
      annotations:
        kubernetes.io/ingress.allow-http: "false"
        kubernetes.io/ingress.class: "nginx"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
    spec:
      rules:
        - host: host.domain.com
          http:
            paths:
              - path: "/"
                backend:
                  serviceName: 
                  servicePort: 
      tls:
        - hosts:
            - host.domain.com
          secretName: cert-secret

    【Comments】:
