如何测试 ClusterIssuer 求解器?
How do I test a ClusterIssuer solver?
我正在尝试在 DigitalOcean 上使用 LetsEncrypt 部署带有 SSL 证书的 Kubernetes 集群。我遵循 these instructions,一切正常,直到 ClusterIssuer 创建挑战订单。然后我得到这个错误:
cert-manager/controller/orders "msg"="Failed to determine the list of Challenge resources needed for the Order" "error"="no configured challenge solvers can be used for this challenge" "resource_kind"="Order" "resource_name"="letsencrypt-prod-cert-458163912-1173127706"
我已经用 http 尝试过,并试图配置 DigitalOcean 的 dns01 解析器,但都不起作用,并且出现类似的错误。该站点通过 ip 和 dns 名称运行(尽管我收到了无 ssl 证书警告)。这是 ClusterIssuer 描述:
Name: letsencrypt-issuer
Namespace:
Labels: app/instance=webapp
app/managed-by=Tiller
app/name=webapp
app/version=0.1.0
helm.sh/chart=webapp-0.1.0
Annotations: cert-manager.io/cluster-issuer: letsencrypt-issuer
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: true
API Version: cert-manager.io/v1alpha2
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2019-10-16T23:24:47Z
Generation: 2
Resource Version: 10300992
Self Link: /apis/cert-manager.io/v1alpha2/clusterissuers/letsencrypt-issuer
UID: 2ee08cd4-5781-4126-9e6d-6b9d108a1eb2
Spec:
Acme:
Email: <redacted>
Private Key Secret Ref:
Name: letsencrypt-prod-cert
Server: https://acme-v02.api.letsencrypt.org/directory
Status:
Acme:
Last Registered Email: <redacted>
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/69503670
Conditions:
Last Transition Time: 2019-10-16T23:24:48Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
有没有办法查看求解器本身以验证它们是否配置正确?有没有办法锻炼它们以证明它们有效?还有其他方法可以诊断情况吗?我完全被卡住了,因为网上似乎没有很多对此的支持?
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: certificate-name
spec:
secretName: tls-cert
duration: 24h
renewBefore: 12h
commonName: hostname
dnsNames:
- hostname
issuerRef:
name: letsencrypt
kind: ClusterIssuer
apiVersion: certmanager.k8s.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
email: myemail@email.com
privateKeySecretRef:
name: letsencrypt-private-key
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginx
selector: {}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/cluster-issuer: letsencrypt
name: ingress-rule
namespace: default
spec:
rules:
- host: hostname
http:
paths:
- backend:
serviceName: backend-service
servicePort: 8080
tls:
- hosts:
- hostname
secretName: tls-cert
上面引用的方法对我有用,tls-cert 是在预期的命名空间、密钥和证书中自动生成的。为此,您应该将 nginx 负载均衡器的 IP 指向 DNS
它对我有用,acme 挑战将得到自动测试,一旦完成,证书会将其状态从 false 更改为 true
我正在尝试在 DigitalOcean 上使用 LetsEncrypt 部署带有 SSL 证书的 Kubernetes 集群。我遵循 these instructions,一切正常,直到 ClusterIssuer 创建挑战订单。然后我得到这个错误:
cert-manager/controller/orders "msg"="Failed to determine the list of Challenge resources needed for the Order" "error"="no configured challenge solvers can be used for this challenge" "resource_kind"="Order" "resource_name"="letsencrypt-prod-cert-458163912-1173127706"
我已经用 http 尝试过,并试图配置 DigitalOcean 的 dns01 解析器,但都不起作用,并且出现类似的错误。该站点通过 ip 和 dns 名称运行(尽管我收到了无 ssl 证书警告)。这是 ClusterIssuer 描述:
Name: letsencrypt-issuer
Namespace:
Labels: app/instance=webapp
app/managed-by=Tiller
app/name=webapp
app/version=0.1.0
helm.sh/chart=webapp-0.1.0
Annotations: cert-manager.io/cluster-issuer: letsencrypt-issuer
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: true
API Version: cert-manager.io/v1alpha2
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2019-10-16T23:24:47Z
Generation: 2
Resource Version: 10300992
Self Link: /apis/cert-manager.io/v1alpha2/clusterissuers/letsencrypt-issuer
UID: 2ee08cd4-5781-4126-9e6d-6b9d108a1eb2
Spec:
Acme:
Email: <redacted>
Private Key Secret Ref:
Name: letsencrypt-prod-cert
Server: https://acme-v02.api.letsencrypt.org/directory
Status:
Acme:
Last Registered Email: <redacted>
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/69503670
Conditions:
Last Transition Time: 2019-10-16T23:24:48Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
有没有办法查看求解器本身以验证它们是否配置正确?有没有办法锻炼它们以证明它们有效?还有其他方法可以诊断情况吗?我完全被卡住了,因为网上似乎没有很多对此的支持?
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: certificate-name
spec:
secretName: tls-cert
duration: 24h
renewBefore: 12h
commonName: hostname
dnsNames:
- hostname
issuerRef:
name: letsencrypt
kind: ClusterIssuer
apiVersion: certmanager.k8s.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
email: myemail@email.com
privateKeySecretRef:
name: letsencrypt-private-key
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginx
selector: {}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/cluster-issuer: letsencrypt
name: ingress-rule
namespace: default
spec:
rules:
- host: hostname
http:
paths:
- backend:
serviceName: backend-service
servicePort: 8080
tls:
- hosts:
- hostname
secretName: tls-cert
上面引用的方法对我有用,tls-cert 是在预期的命名空间、密钥和证书中自动生成的。为此,您应该将 nginx 负载均衡器的 IP 指向 DNS
它对我有用,acme 挑战将得到自动测试,一旦完成,证书会将其状态从 false 更改为 true