ClusterIssuer/Issuer failed for domain > 64 char. CSR doesn't contain a SAN short enough to fit in CN
We are using jetstack/cert-manager to automate certificate management in our k8s environment.
Applying a certificate with kubectl apply -f cert.yaml works fine:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
spec:
  secretName: test-secret
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames:
    - development.my-domain.com
    - production.my-domain.com
However, it fails when installed from a Helm template:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{.Values.cert}}
spec:
  secretName: {{.Values.secret}}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames: [{{.Values.dnsNames}}]
E0129 09:57:51.911270 1 sync.go:264] cert-manager/controller/orders "msg"="failed to create Order resource due to bad request, marking Order as failed" "error"="400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN" "resource_kind"="Order" "resource_name"="test-cert-45hgz-605454840" "resource_namespace"="default" "resource_version"="v1"
If you can't find anything wrong, try inspecting your certificate object with kubectl -n default describe certificate test-cert and post the output.
Your certificate object should look like this:
Name:         test-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-01-28T12:25:40Z
  Generation:          4
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-01-28T12:25:40Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:lastFailureTime:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:      controller
    Operation:    Update
    Subresource:  status
    Time:         2022-01-29T09:57:51Z
  Resource Version:  344677
  Self Link:         /apis/cert-manager.io/v1/namespaces/istio-ingress/certificates/test-cert-2
  UID:               0015cc16-06c3-4e33-bb99-0f336cf7b788
Spec:
  Dns Names:
    development.my-domain.com
    production.my-domain.com
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt
  Secret Name:  test-secret
Pay close attention to the Spec.DnsNames value. Sometimes, due to a misconfiguration, Helm's template engine renders it as a string instead of an array.
It is also a good idea to check the Helm chart with helm template mychart before installing it.
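An added check (not from the original question or answer) that a practitioner can run over spec.dnsNames after parsing the output of helm template; the parsing step and the sample names are assumed, and the 64-character limit is the CN bound the ACME error in the question refers to:

```python
import re

# Added example, not from the original post. Checks spec.dnsNames of a
# rendered cert-manager Certificate (as parsed from `helm template` output)
# before it is applied, for the failure modes behind the error above.
CN_MAX_LEN = 64        # X.509 commonName upper bound; the ACME CA copies one SAN into CN
DNS_NAME_MAX_LEN = 253
# One hostname label; a leading "*." wildcard label is accepted as well.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DNS_NAME = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def check_dns_names(dns_names):
    """Return the problems found in dnsNames; an empty list means it is acceptable.

    A template such as `[{{.Values.dnsNames}}]` that rendered badly shows up
    here as a plain str, or as a list holding one comma- or space-joined str,
    instead of a list of hostnames.
    """
    if not isinstance(dns_names, list):
        return [f"dnsNames is {type(dns_names).__name__}, expected a list"]
    if not dns_names:
        return ["dnsNames is empty"]
    problems = []
    for name in dns_names:
        if not isinstance(name, str):
            problems.append(f"{name!r} is not a string")
        elif "," in name or " " in name:
            problems.append(f"{name!r} looks like several names joined into one value")
        elif len(name) > DNS_NAME_MAX_LEN:
            problems.append(f"{name!r} is longer than {DNS_NAME_MAX_LEN} characters")
        elif not _DNS_NAME.match(name):
            problems.append(f"{name!r} is not a valid DNS name")
    # Without at least one SAN of <= 64 characters the CA cannot pick a CN,
    # which is exactly the rejectedIdentifier error in the question.
    if not any(isinstance(n, str) and len(n) <= CN_MAX_LEN for n in dns_names):
        problems.append(f"no SAN is short enough (<= {CN_MAX_LEN} chars) to fit in CN")
    return problems


if __name__ == "__main__":
    # Constructed samples (hostnames taken from the question, not real infrastructure).
    good = ["development.my-domain.com", "production.my-domain.com"]
    joined = "development.my-domain.com,production.my-domain.com"  # rendered as one string
    too_long = ["a" * 30 + "." + "b" * 30 + ".my-domain.com"]        # valid name, 75 chars
    for sample in (good, joined, too_long):
        print(sample, "->", check_dns_names(sample) or "OK")
```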