[Posted]: 2019-08-17 15:56:43
[Question]:
My letsencrypt order stays in the pending state. I am using cert-manager on my single-node Kubernetes plane. I am also using letsencrypt.
kind: Certificate
metadata:
  name: example-zone
  namespace: default
spec:
  secretName: example-zone-tls
  renewBefore: 360h # 15d
  commonName: example.zone
  dnsNames:
  - example.zone
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
Output:
pascal$ kubectl get cert,order
NAME                                          READY   SECRET             AGE
certificate.certmanager.k8s.io/example-zone   False   example-zone-tls   79m
NAME                                               STATE     AGE
order.certmanager.k8s.io/example-zone-2971070786   pending   77m
Events received:
Events:
  Type     Reason            Age   From          Message
  ----     ------            ----  ----          -------
  Warning  NoMatchingSolver  15s   cert-manager  Failed to create challenge for domain "example.zone": no configured challenge solvers can be used for this challenge
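The certificate should be issued, but I think it hangs in my haproxy. There are no errors, and I don't fully know how to expose the acme challenge with haproxy. Can someone explain?
My ClusterIssuer: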
pascal$ kubectl describe clusterissuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    # yep, it's empty!?
Labels:       <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Spec:
  Acme:
    Email:  <my-real-mail>
    Http 01:
      Ingress Class:  haproxy
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Last Registered Email:  <my-real-mail>
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/<hash>
  Conditions:
    Last Transition Time:  2019-08-17T11:49:05Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
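[Comments]:
- Can you share the (appropriately redacted) output of kubectl describe order example-zone-2971070786?
- Are you by any chance trying to issue a wildcard certificate?
- No :/ Is it possible that the challenge cannot be reached because my own ingress tries to bind the request? So the challenge Ingress doesn't work?
- I really don't know, but I think I reached the issue limit: issuing another subdomain works fine, but now haproxy won't serve it to my clients :?
- Can you post the yaml of your clusterissuer
Tags: kubernetes haproxy lets-encrypt cert-manager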