证书管理器颁发的证书读作 "issued by: cert-manager.local" 而不是 Let's Encrypt 并且不起作用
Certificate issued by cert manager reads as "issued by: cert-manager.local" instead of Let's Encrypt and does not work
当我从Chrome浏览我的网站时,它说证书无效,如果我查看详细信息,我看到的是:
Issued to:
Common Name (CN) test.x.example.com
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
Issued by:
Common Name (CN) cert-manager.local
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
我不明白出了什么问题。从 cert-manager 的输出来看,一切似乎都很顺利:
I1002 15:56:52.761583 1 start.go:76] cert-manager "level"=0 "msg"="starting controller" "git-commit"="95e8b7de" "version"="v0.9.1"
I1002 15:56:52.765337 1 controller.go:169] cert-manager/controller/build-context "level"=0 "msg"="configured acme dns01 nameservers" "nameservers"=["10.44.0.10:53"]
I1002 15:56:52.765777 1 controller.go:134] cert-manager/controller "level"=0 "msg"="starting leader election"
I1002 15:56:52.767133 1 leaderelection.go:235] attempting to acquire leader lease cert-manager/cert-manager-controller...
I1002 15:56:52.767946 1 metrics.go:203] cert-manager/metrics "level"=0 "msg"="listening for connections on" "address"="0.0.0.0:9402"
I1002 15:58:18.940473 1 leaderelection.go:245] successfully acquired lease cert-manager/cert-manager-controller
I1002 15:58:19.043002 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="challenges"
I1002 15:58:19.043050 1 base_controller.go:132] cert-manager/controller/challenges "level"=0 "msg"="starting control loop"
I1002 15:58:19.043104 1 controller.go:91] cert-manager/controller "level"=0 "msg"="not starting controller as it's disabled" "controller"="certificates-experimental"
I1002 15:58:19.043174 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="orders"
I1002 15:58:19.043200 1 base_controller.go:132] cert-manager/controller/orders "level"=0 "msg"="starting control loop"
I1002 15:58:19.043376 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="certificates"
I1002 15:58:19.043410 1 base_controller.go:132] cert-manager/controller/certificates "level"=0 "msg"="starting control loop"
I1002 15:58:19.043646 1 controller.go:91] cert-manager/controller "level"=0 "msg"="not starting controller as it's disabled" "controller"="certificaterequests-issuer-ca"
I1002 15:58:19.044292 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="clusterissuers"
I1002 15:58:19.044459 1 base_controller.go:132] cert-manager/controller/clusterissuers "level"=0 "msg"="starting control loop"
I1002 15:58:19.044617 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="ingress-shim"
I1002 15:58:19.044742 1 base_controller.go:132] cert-manager/controller/ingress-shim "level"=0 "msg"="starting control loop"
I1002 15:58:19.044959 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="issuers"
I1002 15:58:19.045110 1 base_controller.go:132] cert-manager/controller/issuers "level"=0 "msg"="starting control loop"
E1002 15:58:19.082958 1 base_controller.go:91] cert-manager/controller/certificates/handleOwnedResource "msg"="error getting order referenced by resource" "error"="certificate.certmanager.k8s.io \"api-certificate\" not found" "related_resource_kind"="Certificate" "related_resource_name"="api-certificate" "related_resource_namespace"="staging" "resource_kind"="Order" "resource_name"="api-certificate-3031097725" "resource_namespace"="staging"
I1002 15:58:19.143501 1 base_controller.go:187] cert-manager/controller/orders "level"=0 "msg"="syncing item" "key"="staging/api-certificate-3031097725"
I1002 15:58:19.143602 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.143677 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.144011 1 sync.go:304] cert-manager/controller/orders "level"=0 "msg"="need to create challenges" "resource_kind"="Order" "resource_name"="api-certificate-3031097725" "resource_namespace"="staging" "number"=0
I1002 15:58:19.144043 1 logger.go:43] Calling GetOrder
I1002 15:58:19.144033 1 conditions.go:154] Setting lastTransitionTime for Certificate "cert-manager-webhook-webhook-tls" condition "Ready" to 2019-10-02 15:58:19.144027373 +0000 UTC m=+86.444394730
I1002 15:58:19.145112 1 conditions.go:154] Setting lastTransitionTime for Certificate "cert-manager-webhook-ca" condition "Ready" to 2019-10-02 15:58:19.145103359 +0000 UTC m=+86.445470721
I1002 15:58:19.145593 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="staging/api-certificate"
I1002 15:58:19.147411 1 issue.go:169] cert-manager/controller/certificates/certificates "level"=0 "msg"="Order is not in 'valid' state. Waiting for Order to transition before attempting to issue Certificate." "related_resource_kind"="Order" "related_resource_name"="api-certificate-3031097725" "related_resource_namespace"="staging"
I1002 15:58:19.148059 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.148099 1 base_controller.go:187] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="staging/example-ingress"
I1002 15:58:19.148906 1 sync.go:71] cert-manager/controller/ingress-shim "level"=0 "msg"="not syncing ingress resource as it does not contain a \"certmanager.k8s.io/issuer\" or \"certmanager.k8s.io/cluster-issuer\" annotation" "resource_kind"="Ingress" "resource_name"="example-ingress" "resource_namespace"="staging"
I1002 15:58:19.148925 1 base_controller.go:193] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="staging/example-ingress"
I1002 15:58:19.148133 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.148963 1 conditions.go:91] Setting lastTransitionTime for Issuer "cert-manager-webhook-selfsign" condition "Ready" to 2019-10-02 15:58:19.148956891 +0000 UTC m=+86.449324275
I1002 15:58:19.149567 1 setup.go:73] cert-manager/controller/issuers/setup "level"=0 "msg"="signing CA verified" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-ca" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="cert-manager-webhook-ca" "resource_namespace"="cert-manager"
I1002 15:58:19.149759 1 conditions.go:91] Setting lastTransitionTime for Issuer "cert-manager-webhook-ca" condition "Ready" to 2019-10-02 15:58:19.149752693 +0000 UTC m=+86.450120071
I1002 15:58:19.148155 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="default/letsencrypt-staging"
I1002 15:58:19.150457 1 setup.go:160] cert-manager/controller/issuers "level"=0 "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="default" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging" "resource_namespace"="default"
I1002 15:58:19.148177 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="staging/letsencrypt-staging-issuer"
I1002 15:58:19.148630 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="staging/api-certificate"
I1002 15:58:19.150669 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="default/letsencrypt-staging"
I1002 15:58:19.151696 1 setup.go:160] cert-manager/controller/issuers "level"=0 "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging-secret-key" "related_resource_namespace"="staging" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging-issuer" "resource_namespace"="staging"
I1002 15:58:19.151975 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="staging/letsencrypt-staging-issuer"
I1002 15:58:19.153763 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.156512 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.157047 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.157659 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.158671 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.158827 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.171562 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.172759 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.173387 1 setup.go:73] cert-manager/controller/issuers/setup "level"=0 "msg"="signing CA verified" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-ca" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="cert-manager-webhook-ca" "resource_namespace"="cert-manager"
I1002 15:58:19.173465 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.173562 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.174168 1 sync.go:329] cert-manager/controller/certificates/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="6905h41m20.825882558s" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-webhook-tls" "related_resource_namespace"="cert-manager"
I1002 15:58:19.174487 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.175092 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.175489 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.175743 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.175978 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.176791 1 sync.go:329] cert-manager/controller/certificates/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="41945h41m15.823245228s" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-ca" "related_resource_namespace"="cert-manager"
I1002 15:58:19.177118 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.807942 1 base_controller.go:193] cert-manager/controller/orders "level"=0 "msg"="finished processing work item" "key"="staging/api-certificate-3031097725"
这是我的配置。
入口
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts:
- test.x.example.com
secretName: letsencrypt-staging-certificate-secret
rules:
- host: test.x.example.com
http:
paths:
- path: /
backend:
serviceName: example-frontend
servicePort: 80
发行人
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging-issuer
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: my-email@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging-secret-key
# Enable the HTTP-01 challenge provider
solvers:
- http01: {}
证书
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-x-example-com
spec:
secretName: letsencrypt-staging-certificate-secret
issuerRef:
name: letsencrypt-staging-issuer
kind: Issuer
dnsNames:
- test.x.example.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.x.example.com
其他详细信息:机密位于 staging
命名空间中,与其他所有内容一样,但证书管理器位于 cert-manager
命名空间中。集群部署在GKE上。
编辑:我想知道我是否有可能在 Let's Encrypt 中达到生产环境的限制并被阻止。是否可以在某处验证?
我最终主要通过编辑证书配置解决了这个问题。我也从 Issuer 切换到 ClusterIssuer 但这应该不会对此问题产生任何影响。我认为问题出在 ACME 验证上。
这是我的新 ClusterIssuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging-issuer
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: my-email@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging-secret-key
# Enable the HTTP-01 challenge provider
http01: {}
更重要的是,新证书:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-x-example-com
spec:
secretName: letsencrypt-staging-certificate-secret
issuerRef:
name: letsencrypt-staging-issuer
kind: ClusterIssuer
dnsNames:
- test.x.example.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.x.example.com
我遇到了类似的问题,证书上的颁发者是 cert-manager.local
而不是 Let's Encrypt
。
TL;DR;
我的解决方案是将以下内容添加到我的 ingress-nginx-controller
配置中,其中 api.mydomain.com
是配置为指向 DigitalOcean 上的 K8S 负载均衡器的 DNS:
service.beta.kubernetes.io/do-loadbalancer-hostname: "api.mydomain.com"
更详细的解决方法:
原来我什至没有点击 lets encrypt api(通过证书管理器)。我找到了这个 link,并且可以验证甚至没有为我的域创建证书:
https://crt.sh/?q=example.com(只需将 example.com 更改为您的域)
有趣的是,我最初的自我检查没有问题,但在 2 天扯掉我的头发并尝试重新安装 cert-manager 的 4 次尝试后,出现了这个错误,我发现了这个 link:
安装ingress-controller后
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/do/deploy.yaml
我不得不用以下内容覆盖 ingress-nginx-controller
配置:
apiVersion: v1
kind: Service
metadata:
annotations:
#
service.beta.kubernetes.io/do-loadbalancer-hostname: "api.mydomain.com"
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
labels:
helm.sh/chart: ingress-nginx-4.0.1
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
# externalTrafficPolicy: Local
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
部署此更新的 ingress-nginx-controller
配置后,创建了正确的证书,在 https://crt.sh 上可见,我可以通过 https 访问我的域,而不会在浏览器上出现错误。
当我从Chrome浏览我的网站时,它说证书无效,如果我查看详细信息,我看到的是:
Issued to:
Common Name (CN) test.x.example.com
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
Issued by:
Common Name (CN) cert-manager.local
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
我不明白出了什么问题。从 cert-manager 的输出来看,一切似乎都很顺利:
I1002 15:56:52.761583 1 start.go:76] cert-manager "level"=0 "msg"="starting controller" "git-commit"="95e8b7de" "version"="v0.9.1"
I1002 15:56:52.765337 1 controller.go:169] cert-manager/controller/build-context "level"=0 "msg"="configured acme dns01 nameservers" "nameservers"=["10.44.0.10:53"]
I1002 15:56:52.765777 1 controller.go:134] cert-manager/controller "level"=0 "msg"="starting leader election"
I1002 15:56:52.767133 1 leaderelection.go:235] attempting to acquire leader lease cert-manager/cert-manager-controller...
I1002 15:56:52.767946 1 metrics.go:203] cert-manager/metrics "level"=0 "msg"="listening for connections on" "address"="0.0.0.0:9402"
I1002 15:58:18.940473 1 leaderelection.go:245] successfully acquired lease cert-manager/cert-manager-controller
I1002 15:58:19.043002 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="challenges"
I1002 15:58:19.043050 1 base_controller.go:132] cert-manager/controller/challenges "level"=0 "msg"="starting control loop"
I1002 15:58:19.043104 1 controller.go:91] cert-manager/controller "level"=0 "msg"="not starting controller as it's disabled" "controller"="certificates-experimental"
I1002 15:58:19.043174 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="orders"
I1002 15:58:19.043200 1 base_controller.go:132] cert-manager/controller/orders "level"=0 "msg"="starting control loop"
I1002 15:58:19.043376 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="certificates"
I1002 15:58:19.043410 1 base_controller.go:132] cert-manager/controller/certificates "level"=0 "msg"="starting control loop"
I1002 15:58:19.043646 1 controller.go:91] cert-manager/controller "level"=0 "msg"="not starting controller as it's disabled" "controller"="certificaterequests-issuer-ca"
I1002 15:58:19.044292 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="clusterissuers"
I1002 15:58:19.044459 1 base_controller.go:132] cert-manager/controller/clusterissuers "level"=0 "msg"="starting control loop"
I1002 15:58:19.044617 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="ingress-shim"
I1002 15:58:19.044742 1 base_controller.go:132] cert-manager/controller/ingress-shim "level"=0 "msg"="starting control loop"
I1002 15:58:19.044959 1 controller.go:109] cert-manager/controller "level"=0 "msg"="starting controller" "controller"="issuers"
I1002 15:58:19.045110 1 base_controller.go:132] cert-manager/controller/issuers "level"=0 "msg"="starting control loop"
E1002 15:58:19.082958 1 base_controller.go:91] cert-manager/controller/certificates/handleOwnedResource "msg"="error getting order referenced by resource" "error"="certificate.certmanager.k8s.io \"api-certificate\" not found" "related_resource_kind"="Certificate" "related_resource_name"="api-certificate" "related_resource_namespace"="staging" "resource_kind"="Order" "resource_name"="api-certificate-3031097725" "resource_namespace"="staging"
I1002 15:58:19.143501 1 base_controller.go:187] cert-manager/controller/orders "level"=0 "msg"="syncing item" "key"="staging/api-certificate-3031097725"
I1002 15:58:19.143602 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.143677 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.144011 1 sync.go:304] cert-manager/controller/orders "level"=0 "msg"="need to create challenges" "resource_kind"="Order" "resource_name"="api-certificate-3031097725" "resource_namespace"="staging" "number"=0
I1002 15:58:19.144043 1 logger.go:43] Calling GetOrder
I1002 15:58:19.144033 1 conditions.go:154] Setting lastTransitionTime for Certificate "cert-manager-webhook-webhook-tls" condition "Ready" to 2019-10-02 15:58:19.144027373 +0000 UTC m=+86.444394730
I1002 15:58:19.145112 1 conditions.go:154] Setting lastTransitionTime for Certificate "cert-manager-webhook-ca" condition "Ready" to 2019-10-02 15:58:19.145103359 +0000 UTC m=+86.445470721
I1002 15:58:19.145593 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="staging/api-certificate"
I1002 15:58:19.147411 1 issue.go:169] cert-manager/controller/certificates/certificates "level"=0 "msg"="Order is not in 'valid' state. Waiting for Order to transition before attempting to issue Certificate." "related_resource_kind"="Order" "related_resource_name"="api-certificate-3031097725" "related_resource_namespace"="staging"
I1002 15:58:19.148059 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.148099 1 base_controller.go:187] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="staging/example-ingress"
I1002 15:58:19.148906 1 sync.go:71] cert-manager/controller/ingress-shim "level"=0 "msg"="not syncing ingress resource as it does not contain a \"certmanager.k8s.io/issuer\" or \"certmanager.k8s.io/cluster-issuer\" annotation" "resource_kind"="Ingress" "resource_name"="example-ingress" "resource_namespace"="staging"
I1002 15:58:19.148925 1 base_controller.go:193] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="staging/example-ingress"
I1002 15:58:19.148133 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.148963 1 conditions.go:91] Setting lastTransitionTime for Issuer "cert-manager-webhook-selfsign" condition "Ready" to 2019-10-02 15:58:19.148956891 +0000 UTC m=+86.449324275
I1002 15:58:19.149567 1 setup.go:73] cert-manager/controller/issuers/setup "level"=0 "msg"="signing CA verified" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-ca" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="cert-manager-webhook-ca" "resource_namespace"="cert-manager"
I1002 15:58:19.149759 1 conditions.go:91] Setting lastTransitionTime for Issuer "cert-manager-webhook-ca" condition "Ready" to 2019-10-02 15:58:19.149752693 +0000 UTC m=+86.450120071
I1002 15:58:19.148155 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="default/letsencrypt-staging"
I1002 15:58:19.150457 1 setup.go:160] cert-manager/controller/issuers "level"=0 "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="default" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging" "resource_namespace"="default"
I1002 15:58:19.148177 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="staging/letsencrypt-staging-issuer"
I1002 15:58:19.148630 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="staging/api-certificate"
I1002 15:58:19.150669 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="default/letsencrypt-staging"
I1002 15:58:19.151696 1 setup.go:160] cert-manager/controller/issuers "level"=0 "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging-secret-key" "related_resource_namespace"="staging" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging-issuer" "resource_namespace"="staging"
I1002 15:58:19.151975 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="staging/letsencrypt-staging-issuer"
I1002 15:58:19.153763 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.156512 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.157047 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.157659 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.158671 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.158827 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.171562 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.172759 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.173387 1 setup.go:73] cert-manager/controller/issuers/setup "level"=0 "msg"="signing CA verified" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-ca" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="cert-manager-webhook-ca" "resource_namespace"="cert-manager"
I1002 15:58:19.173465 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.173562 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.174168 1 sync.go:329] cert-manager/controller/certificates/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="6905h41m20.825882558s" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-webhook-tls" "related_resource_namespace"="cert-manager"
I1002 15:58:19.174487 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-webhook-tls"
I1002 15:58:19.175092 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.175489 1 base_controller.go:187] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.175743 1 base_controller.go:193] cert-manager/controller/issuers "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-selfsign"
I1002 15:58:19.175978 1 base_controller.go:187] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.176791 1 sync.go:329] cert-manager/controller/certificates/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="41945h41m15.823245228s" "related_resource_kind"="Secret" "related_resource_name"="cert-manager-webhook-ca" "related_resource_namespace"="cert-manager"
I1002 15:58:19.177118 1 base_controller.go:193] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="cert-manager/cert-manager-webhook-ca"
I1002 15:58:19.807942 1 base_controller.go:193] cert-manager/controller/orders "level"=0 "msg"="finished processing work item" "key"="staging/api-certificate-3031097725"
这是我的配置。
入口
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts:
- test.x.example.com
secretName: letsencrypt-staging-certificate-secret
rules:
- host: test.x.example.com
http:
paths:
- path: /
backend:
serviceName: example-frontend
servicePort: 80
发行人
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging-issuer
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: my-email@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging-secret-key
# Enable the HTTP-01 challenge provider
solvers:
- http01: {}
证书
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-x-example-com
spec:
secretName: letsencrypt-staging-certificate-secret
issuerRef:
name: letsencrypt-staging-issuer
kind: Issuer
dnsNames:
- test.x.example.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.x.example.com
其他详细信息:机密位于 staging
命名空间中,与其他所有内容一样,但证书管理器位于 cert-manager
命名空间中。集群部署在GKE上。
编辑:我想知道我是否有可能在 Let's Encrypt 中达到生产环境的限制并被阻止。是否可以在某处验证?
我最终主要通过编辑证书配置解决了这个问题。我也从 Issuer 切换到 ClusterIssuer 但这应该不会对此问题产生任何影响。我认为问题出在 ACME 验证上。
这是我的新 ClusterIssuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging-issuer
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: my-email@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging-secret-key
# Enable the HTTP-01 challenge provider
http01: {}
更重要的是,新证书:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-x-example-com
spec:
secretName: letsencrypt-staging-certificate-secret
issuerRef:
name: letsencrypt-staging-issuer
kind: ClusterIssuer
dnsNames:
- test.x.example.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.x.example.com
我遇到了类似的问题,证书上的颁发者是 cert-manager.local
而不是 Let's Encrypt
。
TL;DR;
我的解决方案是将以下内容添加到我的 ingress-nginx-controller
配置中,其中 api.mydomain.com
是配置为指向 DigitalOcean 上的 K8S 负载均衡器的 DNS:
service.beta.kubernetes.io/do-loadbalancer-hostname: "api.mydomain.com"
更详细的解决方法:
原来我什至没有点击 lets encrypt api(通过证书管理器)。我找到了这个 link,并且可以验证甚至没有为我的域创建证书:
https://crt.sh/?q=example.com(只需将 example.com 更改为您的域)
有趣的是,我最初的自我检查没有问题,但在 2 天扯掉我的头发并尝试重新安装 cert-manager 的 4 次尝试后,出现了这个错误,我发现了这个 link:
安装ingress-controller后
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/do/deploy.yaml
我不得不用以下内容覆盖 ingress-nginx-controller
配置:
apiVersion: v1
kind: Service
metadata:
annotations:
#
service.beta.kubernetes.io/do-loadbalancer-hostname: "api.mydomain.com"
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
labels:
helm.sh/chart: ingress-nginx-4.0.1
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
# externalTrafficPolicy: Local
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
部署此更新的 ingress-nginx-controller
配置后,创建了正确的证书,在 https://crt.sh 上可见,我可以通过 https 访问我的域,而不会在浏览器上出现错误。