Let's Encrypt on GKE with cert-manager: invalid certificate
I am trying to get Let's Encrypt to work with cert-manager on GKE. I followed this procedure:
Install the CustomResourceDefinition resources separately
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
Create the namespace for cert-manager
kubectl create namespace cert-manager
Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
Update the local Helm chart repository cache
helm repo update
Install the cert-manager Helm chart
helm install \
  --name cert-manager \
  --namespace cert-manager \
  --version v0.7.0 \
  jetstack/cert-manager
This results in (in the cert-manager namespace):
kubectl -n cert-manager get all
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-6d8fc95f98-57c55              1/1     Running   0          26m
pod/cert-manager-cainjector-7c789f4fcc-jdqfs   1/1     Running   0          26m
pod/cert-manager-webhook-86bc6ff498-kcxj8      1/1     Running   0          26m

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/cert-manager-webhook   ClusterIP   10.39.251.139   <none>        443/TCP   26m
...
kubectl -n cert-manager get secrets
NAME TYPE DATA AGE
cert-manager-cainjector-token-mvmsx kubernetes.io/service-account-token 3 30m
cert-manager-token-gk2sp kubernetes.io/service-account-token 3 30m
cert-manager-webhook-ca kubernetes.io/tls 3 30m
cert-manager-webhook-token-6l6k7 kubernetes.io/service-account-token 3 30m
cert-manager-webhook-webhook-tls kubernetes.io/tls 3 30m
default-token-rx6sp kubernetes.io/service-account-token 3 30m
letsencrypt-prod Opaque 1 30m
After that I installed the webapp (default) and the (also default) issuer.yml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'me@me.com'
    privateKeySecretRef:
      name: letsencrypt-prod
    https01: {}
and certificate.yml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: test-tls
spec:
  secretName: test-me
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: test.me
  dnsNames:
  - test.me
  - www.test.me
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - test.me
      - www.test.me
Here I seem to run into a problem:
...
Issuer Ref:
  Kind:  ClusterIssuer
  Name:  letsencrypt-prod
Secret Name:  test-me
Status:
  Conditions:
    Last Transition Time:  2019-03-27T16:35:40Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type     Reason              Age              From          Message
  ----     ------              ----             ----          -------
  Warning  IssuerNotFound      4m (x2 over 4m)  cert-manager  clusterissuer.certmanager.k8s.io "letsencrypt-prod" not found
  Warning  IssuerNotReady      4m               cert-manager  Issuer letsencrypt-prod not ready
  Normal   Generated           4m               cert-manager  Generated new private key
  Normal   GenerateSelfSigned  4m               cert-manager  Generated temporary self signed certificate
  Normal   OrderCreated        4m               cert-manager  Created Order resource "test-me-tls-202592384"
It does get past this point. No certificate gets validated...
The Ingress looks like
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - test.me
    - www.test.me
    secretName: test-me
  rules:
  - host: test.me
    http:
      paths:
      - path: /
        backend:
          serviceName: web-cluster-ip-service
          servicePort: 80
  - host: www.test.me
    http:
      paths:
      - path: /
        backend:
          serviceName: web-cluster-ip-service
          servicePort: 80
In the end, my website is insecure because of an invalid certificate.
Issued To:
Common Name (CN) test.me
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
Issued By:
Common Name (CN) cert-manager.local
Organization (O) cert-manager
Organizational Unit (OU)
The certificate is invalid; what am I missing?

https01 (in issuer.yml) is a typo: this should be http01
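An added example, not code from the question or the answer above, showing how to catch this class of mistake before it reaches the cluster and how to confirm the fix afterwards. With `https01` the ClusterIssuer carries no HTTP01 solver, so it never becomes Ready and the Certificate keeps the temporary self-signed placeholder (issuer CN `cert-manager.local`) shown in the question. The script lints a constructed copy of the posted manifest for that typo, produces the corrected manifest, checks a live host for the placeholder certificate, and gathers the cert-manager v0.7 resources to inspect when issuance stalls. It assumes `kubectl` is pointed at the cluster, `openssl` is installed, and that the resource names (`letsencrypt-prod`, `test-tls`, the `cert-manager` Deployment) match the question.

```shell
#!/bin/sh
# Added example (not from the original post). The manifest text below is
# constructed to match the question; nothing here is cert-manager's own code.

# ClusterIssuer as posted, with the typo (https01 is not a solver name).
BROKEN_ISSUER='apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: me@me.com
    privateKeySecretRef:
      name: letsencrypt-prod
    https01: {}'

# Same manifest with the solver key spelled correctly (http01), derived by sed
# so the two copies differ only in that key.
FIXED_ISSUER=$(printf '%s\n' "$BROKEN_ISSUER" | sed 's/^\( *\)https01:/\1http01:/')

# lint_issuer MANIFEST: returns 0 when an ACME solver is configured and no
# misspelled solver key is present, 1 otherwise (reasons on stderr).
lint_issuer() {
    _m=$1
    _rc=0
    if printf '%s\n' "$_m" | grep -q '^ *https01:'; then
        echo "lint: 'https01' is not an ACME solver; spell it 'http01'" >&2
        _rc=1
    fi
    if ! printf '%s\n' "$_m" | grep -Eq '^ *(http01|dns01):'; then
        echo "lint: no http01 or dns01 solver under spec.acme" >&2
        _rc=1
    fi
    return $_rc
}

# check_served_cert HOST: returns 1 if HOST:443 still serves cert-manager's
# temporary self-signed placeholder (issuer CN=cert-manager.local), 0 if the
# certificate was signed by a real issuer. Needs openssl and network access.
check_served_cert() {
    _issuer=$(printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -issuer)
    case $_issuer in
        *cert-manager.local*)
            echo "$1: still serving the temporary self-signed certificate" >&2
            return 1 ;;
        *)
            echo "$1: $_issuer"
            return 0 ;;
    esac
}

# diagnose: the resources to read when a Certificate never becomes Ready.
# Issuer conditions first (IssuerNotReady in the question points there), then
# the Certificate, its Order/Challenge children, and the controller log.
diagnose() {
    kubectl get clusterissuer letsencrypt-prod -o jsonpath='{.status.conditions}'; echo
    kubectl describe certificate test-tls
    kubectl describe orders.certmanager.k8s.io,challenges.certmanager.k8s.io
    kubectl -n cert-manager logs deploy/cert-manager
}

case "${1:-}" in
    lint)     lint_issuer "$FIXED_ISSUER" && echo "fixed manifest is clean" ;;
    apply)    printf '%s\n' "$FIXED_ISSUER" | kubectl apply -f - ;;
    check)    check_served_cert "$2" ;;
    diagnose) diagnose ;;
esac
```

Run it as `sh fix-issuer.sh lint` before applying, `sh fix-issuer.sh apply` to replace the broken ClusterIssuer, then `sh fix-issuer.sh check test.me` once the Order completes; until the real certificate lands in the `test-me` Secret the check keeps reporting the placeholder, which is exactly what the browser's "Issued By: cert-manager.local" in the question is telling you.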