正在处理 gke 证书管理器证书
gke cert manager certificate in progress
我试图通过从 http 迁移到 https 来使我的 google 服务更安全。我一直在关注证书管理器文档以使其正常工作。
https://cert-manager.io/docs/configuration/acme/dns01/google/
我无法在集群上安装 helm 也无法安装 nginx 入口,这就是我使用 dns01 挑战而不是 http01 的原因。
我安装了带有常规清单 v0.11.0 的证书管理器。
创建 dns 管理服务帐户后,我使用此 yaml 创建发行者:
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: example-issuer
spec:
acme:
email: email@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: example-issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- dns01:
clouddns:
project: my-project-id
# This is the secret used to access the service account
serviceAccountSecretRef:
name: clouddns-dns01-solver-svc-acct
key: key.json
和我的证书对象:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
issuerRef:
# The issuer created previously
name: example-issuer
commonName: my-domain.com
dnsNames:
- my-domain.com
- www.my-domain.com
应用这些文件后,我得到了这样的结果:
$ kubectl describe issuer
Name: example-issuer
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"example-issuer","namespace":"default"},"spec...
API Version: cert-manager.io/v1alpha2
Kind: Issuer
Metadata:
Creation Timestamp: 2019-11-28T15:00:33Z
Generation: 1
Resource Version: 306180
Self Link: /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/example-issuer
UID: d3d1f66e-11ef-11ea-856a-42010a8401a2
Spec:
Acme:
Email: email@gmail.com
Private Key Secret Ref:
Name: example-issuer-account-key
Server: https://acme-staging-v02.api.letsencrypt.org/directory
Solvers:
dns01:
Clouddns:
Project: my-project-id
Service Account Secret Ref:
Key: key.json
Name: clouddns-dns01-solver-svc-acct
Status:
Acme:
Last Registered Email: email@gmail.com
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/11671464
Conditions:
Last Transition Time: 2019-11-28T15:00:34Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
$ kubectl get certificates -o wide
NAME READY SECRET ISSUER STATUS AGE
example-com False example-com-tls example-issuer Waiting for CertificateRequest "example-com-1030278725" to complete 49m
$ kubectl get CertificateRequest -o wide
NAME READY ISSUER STATUS AGE
example-com-1030278725 False example-issuer Waiting on certificate issuance from order default/example-com-1030278725-1017944607: "pending" 50m
问题是您正在尝试为 Google 域 DNS 服务器管理的域完成 DNS01 质询。目前无法做到这一点。
Google 域 DNS 不是 Google 云 DNS。您不能使用证书管理器对 Google 个域进行自动 DNS01 质询。 API 无法在 Google 域中设置 TXT 记录。 Google Cloud DNS 的证书管理器支持 API。
我的建议:将您域的 DNS 服务器移至 Cloud DNS。
我试图通过从 http 迁移到 https 来使我的 google 服务更安全。我一直在关注证书管理器文档以使其正常工作。
https://cert-manager.io/docs/configuration/acme/dns01/google/
我无法在集群上安装 helm 也无法安装 nginx 入口,这就是我使用 dns01 挑战而不是 http01 的原因。
我安装了带有常规清单 v0.11.0 的证书管理器。
创建 dns 管理服务帐户后,我使用此 yaml 创建发行者:
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: example-issuer
spec:
acme:
email: email@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: example-issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- dns01:
clouddns:
project: my-project-id
# This is the secret used to access the service account
serviceAccountSecretRef:
name: clouddns-dns01-solver-svc-acct
key: key.json
和我的证书对象:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
issuerRef:
# The issuer created previously
name: example-issuer
commonName: my-domain.com
dnsNames:
- my-domain.com
- www.my-domain.com
应用这些文件后,我得到了这样的结果:
$ kubectl describe issuer
Name: example-issuer
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"example-issuer","namespace":"default"},"spec...
API Version: cert-manager.io/v1alpha2
Kind: Issuer
Metadata:
Creation Timestamp: 2019-11-28T15:00:33Z
Generation: 1
Resource Version: 306180
Self Link: /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/example-issuer
UID: d3d1f66e-11ef-11ea-856a-42010a8401a2
Spec:
Acme:
Email: email@gmail.com
Private Key Secret Ref:
Name: example-issuer-account-key
Server: https://acme-staging-v02.api.letsencrypt.org/directory
Solvers:
dns01:
Clouddns:
Project: my-project-id
Service Account Secret Ref:
Key: key.json
Name: clouddns-dns01-solver-svc-acct
Status:
Acme:
Last Registered Email: email@gmail.com
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/11671464
Conditions:
Last Transition Time: 2019-11-28T15:00:34Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
$ kubectl get certificates -o wide
NAME READY SECRET ISSUER STATUS AGE
example-com False example-com-tls example-issuer Waiting for CertificateRequest "example-com-1030278725" to complete 49m
$ kubectl get CertificateRequest -o wide
NAME READY ISSUER STATUS AGE
example-com-1030278725 False example-issuer Waiting on certificate issuance from order default/example-com-1030278725-1017944607: "pending" 50m
问题是您正在尝试为 Google 域 DNS 服务器管理的域完成 DNS01 质询。目前无法做到这一点。
Google 域 DNS 不是 Google 云 DNS。您不能使用证书管理器对 Google 个域进行自动 DNS01 质询。 API 无法在 Google 域中设置 TXT 记录。 Google Cloud DNS 的证书管理器支持 API。
我的建议:将您域的 DNS 服务器移至 Cloud DNS。