为什么 Cert Manager(和 Letsencrypt)与 ISTIO 的集成无法完成 HTTP01 挑战

Why Cert Manager (and Lets encrypt) integrating with ISTIO fails to complete HTTP01 challenge

我正在尝试按照此处的文档将 ISTIO 与证书管理器集成: https://istio.io/latest/docs/ops/integrations/certmanager/

但我收到错误消息:

Waiting for HTTP-01 challenge propagation:
failed to perform self check GET request 'http://<domain>/.well-known/acme-challenge/rhLUqegNfgpWkwIlKDUTunTbD_DTwrH4oRvtHKkNJZs': 
Get "http://<domain>/.well-known/acme-challenge/rhLUqegNfgpWkwIlKDUTunTbD_DTwrH4oRvtHKkNJZs":
dial tcp <IP>:80: connect: connection refused

证书管理器版本:V1.1.0

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

我还在 DNS 服务器上为我的域在 GKE 上创建了一个带有 ISTIO 入口 IP 地址的 A 记录。

这是我使用的配置:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: istio-system
spec:
  acme:
    # Let's Encrypt uses this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingressgateway-certs
  namespace: istio-system
spec:
  secretName: ingressgateway-certs
  commonName: <domain>
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - <domain>

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingressgateway-certs
    hosts:
    - <domain>

谢谢

已解决。 ClusterIssuer 中的 ingress class 字段需要更改为 istio