Why Cert Manager (and Let's Encrypt) integrating with ISTIO fails to complete HTTP01 challenge
I am trying to integrate ISTIO with cert manager by following the documentation here:
https://istio.io/latest/docs/ops/integrations/certmanager/
But I am getting the error message:
Waiting for HTTP-01 challenge propagation:
failed to perform self check GET request 'http://<domain>/.well-known/acme-challenge/rhLUqegNfgpWkwIlKDUTunTbD_DTwrH4oRvtHKkNJZs':
Get "http://<domain>/.well-known/acme-challenge/rhLUqegNfgpWkwIlKDUTunTbD_DTwrH4oRvtHKkNJZs":
dial tcp <IP>:80: connect: connection refused
Cert manager version: V1.1.0
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
I have also created an A record on the DNS server for my domain with the ISTIO ingress IP address on GKE.
Here is the configuration I used:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: istio-system
spec:
  acme:
    # Let's Encrypt uses this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingressgateway-certs
  namespace: istio-system
spec:
  secretName: ingressgateway-certs
  commonName: <domain>
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - <domain>
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingressgateway-certs
    hosts:
    - <domain>
Thanks
Solved. The ingress class field in the ClusterIssuer needs to be changed to istio.
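The fix described in the answer, written out as a manifest. This is an added example, not the poster's own file: it reuses the names and placeholders from the question, and the only value that differs from the question's ClusterIssuer is the solver's ingress class.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuer is a cluster-scoped resource, so metadata.namespace
  # is not set here (the question's manifest carried one).
  name: letsencrypt-staging
spec:
  acme:
    email: <email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          # For each HTTP-01 challenge cert-manager creates a temporary
          # solver Ingress marked with this class. Only an ingress
          # controller that handles the class will route
          # /.well-known/acme-challenge/<token> on port 80 to the solver
          # pod. With "nginx" on a cluster whose entry point is the Istio
          # ingress gateway, nothing serves that path, which matches the
          # "dial tcp <IP>:80: connect: connection refused" self check
          # error in the question.
          class: istio
```

The Certificate and Gateway from the question are unchanged; once the self check passes, the issued certificate is stored in the ingressgateway-certs secret that the Gateway's credentialName refers to.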