Cert-manager Let's Encrypt certificate not using correct duration in 'spec.duration' (using default)

I have installed cert-manager in my k8s environment, using cert-manager v1.6.1 (the latest at the time of writing).

I set up an ACME issuer that uses a dns01 challenge.

I created a Certificate resource specifying spec.duration as 7 hours.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mydomain.com
  namespace: my-app
spec:
  secretName: app-certs
  duration: 7h
  renewBefore: 6h
  issuerRef:
    name: acme-issuer
    kind: Issuer
  commonName: mydomain.com
  dnsNames:
    - mydomain.com

I can see on the certificatesigningrequest resource that it picked up the duration I set on the certificate.

Spec:
  Duration:  7h0m0s

Everything looks fine with the certificate signing request. No errors or anything, and I see the certificate was issued successfully.

Conditions:
  Last Transition Time:  2021-12-14T20:10:15Z
  Message:               Certificate request has been approved by cert-manager.io
  Reason:                cert-manager.io
  Status:                True
  Type:                  Approved
  Last Transition Time:  2021-12-14T20:10:16Z
  Message:               Certificate fetched from issuer successfully
  Reason:                Issued
  Status:                True
  Type:                  Ready

But the certificate is actually using the default duration (see the renewal time):

Status:
  Conditions:
    Last Transition Time:  2021-12-14T20:10:16Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   4
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-03-14T19:10:14Z
  Not Before:              2021-12-14T19:10:15Z
  Renewal Time:            2022-03-14T18:30:14Z

So am I doing something wrong? I thought that if the ACME challenge failed, it wouldn't issue any certificate at all. How do I set the duration correctly?

Apparently Let's Encrypt only allows 90-day certificates (source).

We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do.

Later in the article:

Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.

What I ended up doing was setting the certificate's renewBefore to the time I want it renewed.

Other option: you could also look into Step CA certificates, which have a shorter validity than Let's Encrypt.
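The answer's point is that the CA, not spec.duration, decides the issued lifetime, and renewBefore is what actually controls renewal. The following script is an added example, not code from the question, the answer or the cert-manager project: it takes the spec and status fields as plain strings (as read out with kubectl), flags a Certificate whose issued lifetime differs from the requested spec.duration, and computes the renewal time cert-manager will use from notAfter and renewBefore. The sample values are constructed from the timestamps shown in the question; the field names follow the Certificate resource, the tolerance and the dictionary layout are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Go-style duration syntax as used by cert-manager ("7h", "6h30m", "2160h", "7h0m0s").
DURATION_RE = re.compile(r"(\d+)([hms])")


def parse_go_duration(s: str) -> timedelta:
    """Parse a Go-style duration string into a timedelta; reject anything else."""
    units = {"h": 3600, "m": 60, "s": 1}
    total = 0
    pos = 0
    for m in DURATION_RE.finditer(s):
        if m.start() != pos:          # gap or junk between components
            raise ValueError(f"bad duration: {s!r}")
        total += int(m.group(1)) * units[m.group(2)]
        pos = m.end()
    if pos != len(s) or total == 0:   # trailing junk or empty/zero duration
        raise ValueError(f"bad duration: {s!r}")
    return timedelta(seconds=total)


def parse_rfc3339(ts: str) -> datetime:
    """Parse the 'Z'-suffixed UTC timestamps that kubectl prints in status."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_certificate(spec: dict, status: dict,
                      tolerance: timedelta = timedelta(minutes=5)) -> dict:
    """Compare requested vs issued lifetime and derive the expected renewal time.

    spec:   {"duration": ..., "renewBefore": ...}   (Certificate.spec)
    status: {"notBefore": ..., "notAfter": ...}     (Certificate.status)
    The tolerance absorbs the CA backdating notBefore by a few seconds or minutes.
    """
    requested = parse_go_duration(spec["duration"])
    renew_before = parse_go_duration(spec["renewBefore"])
    not_before = parse_rfc3339(status["notBefore"])
    not_after = parse_rfc3339(status["notAfter"])

    issued = not_after - not_before
    honoured = abs(issued - requested) <= tolerance
    findings = []
    if not honoured:
        findings.append(
            f"issuer ignored spec.duration: requested {requested}, issued {issued}")
    if renew_before >= issued:
        findings.append(
            "renewBefore is not shorter than the issued lifetime; "
            "cert-manager cannot renew before expiry with this value")
    return {
        "issued_lifetime": issued,
        "duration_honoured": honoured,
        # cert-manager schedules renewal at notAfter - renewBefore.
        "expected_renewal": not_after - renew_before,
        "findings": findings,
    }


# Constructed sample: the values from the question's Certificate and its status.
SAMPLE_SPEC = {"duration": "7h", "renewBefore": "6h"}
SAMPLE_STATUS = {"notBefore": "2021-12-14T19:10:15Z",
                 "notAfter": "2022-03-14T19:10:14Z"}

if __name__ == "__main__":
    result = check_certificate(SAMPLE_SPEC, SAMPLE_STATUS)
    print("issued lifetime :", result["issued_lifetime"])
    print("expected renewal:", result["expected_renewal"].isoformat())
    for f in result["findings"]:
        print("finding         :", f)
```

Run against the question's values it reports an issued lifetime of just under 90 days against a requested 7 hours, which is exactly the mismatch the answer explains; the same check passes once spec.duration is set to the CA's real lifetime (2160h), so it is a useful guard to keep in a cluster audit script for any issuer that silently overrides requested durations.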