Unable to assign certificate using Cert-Manager and NGINX ingress controller in GKE

I am using the Nginx Ingress controller (internal ingress) and the Cert-manager 0.15.1 helm chart. Kubernetes version: 1.14.x

My certificate status never becomes True. I have tried both challenge types, DNS01 and HTTP01. Same result. Error:

Attaching a screenshot: Kubernetes Ingress Controller Fake Certificate

cluster-issuer.yaml

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt-staging
 namespace: cert-manager
spec:
 acme:
   # The ACME server URL
   server: https://acme-staging-v02.api.letsencrypt.org/directory
   # Email address used for ACME registration
   email: <email>
   # Name of a secret used to store the ACME account private key
   privateKeySecretRef:
     name: letsencrypt-staging
   # Enable the HTTP-01 challenge provider
   solvers:
   - http01:
       ingress:
         class:  nginx
```

Ingress.yaml

```yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-devtools-ilb-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
    - hosts:
        - domain.com
      secretName: create-new-secret
  rules:
    - host: domain.com
      http:
        paths:
          - path: "/"
            backend:
              serviceName: hello-service
              servicePort: hello-port
          - path: "/kube"
            backend:
              serviceName: hello-kubernetes
              servicePort: 80
```

kubectl describe certificate create-new-secret

```
Name:         create-new-secret
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-07-19T13:30:01Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  <ingress-name>
    UID:                   f0b74bb6-c903-11ea-9960-4201ac100008
  Resource Version:        521536
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/<namesapce>/certificates/create-new-secret
  UID:                     f2b63e87-c9c3-11ea-bb3e-4201ac100004
Spec:
  Dns Names:
    domain.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  create-new-secret
Status:
  Conditions:
    Last Transition Time:  2020-07-19T13:30:02Z
    Message:               Waiting for CertificateRequest "create-new-secret-2447513806" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  3m8s  cert-manager  Generated a new private key
  Normal  Requested     3m8s  cert-manager  Created new CertificateRequest resource "create-new-secret-2447513806"
```

Please help me resolve this issue.
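As an added check (example code written for this page, not from the question or either answer): ingress-shim resolves the `cert-manager.io/issuer` annotation to a namespaced Issuer and `cert-manager.io/cluster-issuer` to a ClusterIssuer, and the describe output above shows `Issuer Ref: Kind: Issuer` while the question only defines a ClusterIssuer. The script below verifies that an Ingress annotation points at an issuer of the matching kind and scope, using the question's manifests transcribed as dicts with a constructed namespace `devtools` (assumed, since the real one is anonymised).

```python
from typing import Dict, List

# ingress-shim maps each annotation key to the resource kind it looks up.
ANNOTATION_KINDS = {
    "cert-manager.io/issuer": "Issuer",                 # namespaced
    "cert-manager.io/cluster-issuer": "ClusterIssuer",  # cluster-scoped
}

def check_issuer_reference(ingress: Dict, issuers: List[Dict]) -> List[str]:
    """Return findings for an Ingress; an empty list means its issuer reference resolves."""
    findings = []
    meta = ingress["metadata"]
    annotations = meta.get("annotations", {})
    refs = [(k, annotations[k]) for k in ANNOTATION_KINDS if k in annotations]
    if not refs:
        findings.append("Ingress carries no cert-manager issuer annotation")
    for key, name in refs:
        wanted = ANNOTATION_KINDS[key]
        for issuer in issuers:
            if issuer["kind"] != wanted or issuer["metadata"]["name"] != name:
                continue
            # A namespaced Issuer is only visible from its own namespace.
            if wanted == "Issuer" and issuer["metadata"].get("namespace") != meta.get("namespace"):
                continue
            break
        else:
            findings.append(f"{key}={name!r}: no {wanted} of that name visible from "
                            f"namespace {meta.get('namespace')!r}")
    return findings

# Manifests transcribed from the question; the anonymised namespace is the
# constructed value "devtools".
CLUSTER_ISSUER = {"kind": "ClusterIssuer",
                  "metadata": {"name": "letsencrypt-staging", "namespace": "cert-manager"}}
INGRESS = {"kind": "Ingress",
           "metadata": {"name": "ingress-devtools-ilb-https", "namespace": "devtools",
                        "annotations": {"kubernetes.io/ingress.class": "nginx",
                                        "cert-manager.io/issuer": "letsencrypt-staging"}}}

def fixed_ingress() -> Dict:
    """The same Ingress annotated with the cluster-issuer key a ClusterIssuer requires."""
    ann = dict(INGRESS["metadata"]["annotations"])
    ann["cert-manager.io/cluster-issuer"] = ann.pop("cert-manager.io/issuer")
    return {**INGRESS, "metadata": {**INGRESS["metadata"], "annotations": ann}}

if __name__ == "__main__":
    print("question's manifests:", check_issuer_reference(INGRESS, [CLUSTER_ISSUER]))
    print("after fix:", check_issuer_reference(fixed_ingress(), [CLUSTER_ISSUER]) or "ok")
```

The same check passes if the annotation is left as-is and a namespaced Issuer named letsencrypt-staging is created in the Ingress's own namespace instead.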

This happens because you are using the staging server from Let's Encrypt. The staging server is only for testing; once you think it works, you can move to the production server.

You need to create a new issuer using this example.

Change the ingress annotation to:

```yaml
cert-manager.io/issuer: "letsencrypt-production"
```

References:

https://letsencrypt.org/docs/staging-environment/

I was able to resolve this with the help of DNS01.

Letsencrypt-prod certificate issuer (ILB)

```yaml
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: cert-issuer
  namespace: <>
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 
    privateKeySecretRef:
      name: dns-prod-issuer
    solvers:
      - selector: {}
        dns01:
          clouddns:
            project: GCP_project_ID
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: key.json
```

Letsencrypt-prod certificate

```yaml
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: cert
  namespace: <>
spec:
  secretName: cert-secret
  issuerRef:
    name: cert-issuer
    kind: Issuer
  dnsNames:
    - host.domain.com
    - www.host.domain.com
```

Ingress

```yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
    - host: host.domain.com
      http:
        paths:
          - path: "/"
            backend:
              serviceName: 
              servicePort: 
  tls:
    - hosts:
        - host.domain.com
      secretName: cert-secret
```