Kubernetes certbot standalone not working

I'm trying to generate SSL certificates in kubernetes using the certbot/certbot docker container. For that I'm using the Job controller, which seems like the most suitable option. When I run the standalone option I get the following error:

Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)

I've made sure this isn't due to a misconfigured DNS entry by running a simple nginx container, and it resolves correctly. Here is my Jobs file:

apiVersion: batch/v1
kind: Job
metadata:
  #labels:
  #  app: certbot-generator
  name: certbot
spec:
  template:
    metadata:
      labels:
        app: certbot-generate
    spec:
      volumes:
        - name: certs
      containers:
        - name: certbot
          image: certbot/certbot
          command: ["certbot"]
          #command: ["yes"]
          args: ["certonly", "--noninteractive", "--agree-tos", "--staging", "--standalone", "-d", "staging.ishankhare.com", "-m", "me@ishankhare.com"]

          volumeMounts:
            - name: certs
              mountPath: "/etc/letsencrypt/"
              #- name: certs
              #mountPath: "/opt/"
          ports:
            - containerPort: 80
            - containerPort: 443
      restartPolicy: "OnFailure"

My service:

apiVersion: v1
kind: Service
metadata:
  name: certbot-lb
  labels:
    app: certbot-lb
spec:
  type: LoadBalancer
  loadBalancerIP: 35.189.170.149
  ports:
    - port: 80
      name: "http"
      protocol: TCP
    - port: 443
      name: "tls"
      protocol: TCP
  selector:
    app: certbot-generator

The full error output looks like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging.ishankhare.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: staging.ishankhare.com
   Type:   connection
   Detail: Fetching
   http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

I've also tried running it as a simple Pod, to no avail. I still feel, though, that running it as a Job is the way to go.

First, please note that your Job definition is valid, but spec.template.metadata.labels.app: certbot-generate does not match your Service definition spec.selector.app: certbot-generator: one is certbot-generate, the other is certbot-generator. Hence the pod run by the Job controller will never be added as an endpoint to the Service.

Adjust one or the other, but they have to match, and this might work :)

That said, I'm not sure that using a Service with a selector pointing at the short-lived pods of a Job controller is viable, or a simple Pod as you tested. The certbot-randomId pod created by the Job (or any simple pod you create) takes about 15 seconds in total to run/fail, and triggers the HTTP validation challenge after the pod has been alive for only a few seconds: it isn't clear to me that this is enough for the kubernetes proxy to already be working between the service and the pod.

We can safely assume the Service does work, since you mentioned you tested DNS resolution, so you could try adding a sleep 10 (or more!) to give the pod more time to be added as a service endpoint and proxied appropriately before certbot triggers the HTTP challenge. Simply change your Job command and args:

command: ["/bin/sh"]
args: ["-c", "sleep 10 && certbot certonly --noninteractive --agree-tos --staging --standalone -d staging.ishankhare.com -m me@ishankhare.com"]

Here too, this might work :)


That being said, I'd still strongly recommend you use cert-manager, which you can install easily through its stable Helm chart: the Certificate custom resource that it introduces will store your certificate in a Secret, which lets you reuse it directly from any K8s resource, and it handles renewal automatically, so you can forget about all of this.
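The label mismatch diagnosed in the answer above is easy to miss by eye, so here is an added example (not part of the original thread, and not a cert-manager or certbot tool) that statically checks a Service's selector against a Job's pod template and the Service ports against the declared containerPorts. The two manifests are reduced to Python dicts holding only the keys from the question; any real manifest would first need to be loaded from YAML.

```python
"""Static check: will a Service actually select a Job's pods and reach its ports?"""

# Constructed dict copies of the manifests from the question (relevant keys only).
JOB = {
    "kind": "Job",
    "spec": {"template": {
        "metadata": {"labels": {"app": "certbot-generate"}},
        "spec": {"containers": [{"name": "certbot",
                                 "ports": [{"containerPort": 80},
                                           {"containerPort": 443}]}]},
    }},
}
SERVICE = {
    "kind": "Service",
    "spec": {"selector": {"app": "certbot-generator"},
             "ports": [{"port": 80, "name": "http"},
                       {"port": 443, "name": "tls"}]},
}


def selector_mismatches(service, job):
    """Map selector key -> (wanted, actual) for every pair the pod labels lack.

    Service selectors are equality-based: every key/value in spec.selector
    must appear in the pod labels, or the pod never becomes an endpoint.
    """
    labels = job["spec"]["template"]["metadata"].get("labels", {})
    selector = service["spec"].get("selector", {})
    return {k: (v, labels.get(k)) for k, v in selector.items() if labels.get(k) != v}


def unexposed_ports(service, job):
    """List numeric Service targetPorts (defaulting to port) no container declares.

    containerPort is informational only, but a Service aimed at a port nobody
    declares usually means the process listens somewhere else.
    """
    exposed = {p["containerPort"] for c in job["spec"]["template"]["spec"]["containers"]
               for p in c.get("ports", [])}
    targets = [p.get("targetPort", p["port"]) for p in service["spec"].get("ports", [])]
    return [t for t in targets if isinstance(t, int) and t not in exposed]


def diagnose(service, job):
    """Return human-readable findings; an empty list means the wiring looks sane."""
    problems = [f"selector {k}={want!r} but pod label is {got!r}"
                for k, (want, got) in selector_mismatches(service, job).items()]
    problems += [f"service targets port {t} that no container declares"
                 for t in unexposed_ports(service, job)]
    return problems


if __name__ == "__main__":
    for line in diagnose(SERVICE, JOB) or ["no mismatch found"]:
        print(line)
```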