ClusterIssuer/Issuer failed for domain > 64 chars. CSR doesn't contain a SAN short enough to fit in CN

We are using jetstack/cert-manager to automate certificate management in our k8s environment.

Applying the certificate with kubectl apply -f cert.yaml works fine:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
spec:
  secretName: test-secret
  issuerRef:
    name: letsencrypt
    kind: Issuer

  dnsNames:
    - development.my-domain.com
    - production.my-domain.com

However, it fails when installed from a Helm template:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{.Values.cert}}
spec:
  secretName: {{.Values.secret}}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames: [{{.Values.dnsNames}}]

E0129 09:57:51.911270       1 sync.go:264] cert-manager/controller/orders "msg"="failed to create Order resource due to bad request, marking Order as failed" "error"="400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN" "resource_kind"="Order" "resource_name"="test-cert-45hgz-605454840" "resource_namespace"="default" "resource_version"="v1"

If you can't spot anything wrong, try inspecting your Certificate object with kubectl -n default describe certificate test-cert and post the output.

Your Certificate object should look like this:

Name:         test-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-01-28T12:25:40Z
  Generation:          4
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-01-28T12:25:40Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:lastFailureTime:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-01-29T09:57:51Z
  Resource Version:  344677
  Self Link:         /apis/cert-manager.io/v1/namespaces/istio-ingress/certificates/test-cert-2
  UID:               0015cc16-06c3-4e33-bb99-0f336cf7b788
Spec:
  Dns Names:
    development.my-domain.com
    production.my-domain.com
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt
  Secret Name:  test-secret

Pay close attention to the Spec.DnsNames value. Sometimes, because of a misconfiguration, Helm's templating engine renders it as a string instead of an array.

Also, checking the chart with helm template mychart before installing it is a good way to catch this.
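The template fix the answer points at, as an added example (not code from the question, the answer, or the cert-manager project): declare dnsNames as a YAML list in the values file and render it with toYaml, so the list reaches cert-manager as a list of SANs rather than as one comma-joined string. The chart layout, file names and the values shown are assumptions; the field names match the question's template.

```yaml
# --- values.yaml (assumed layout) ---
cert: test-cert
secret: test-secret
# A real YAML list, not a comma-joined string
dnsNames:
  - development.my-domain.com
  - production.my-domain.com

# --- templates/certificate.yaml ---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.cert }}
spec:
  secretName: {{ .Values.secret }}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  # toYaml re-emits the list from values; nindent 4 places each
  # "- name" entry under dnsNames. Avoid [{{ .Values.dnsNames }}],
  # which only works when the value happens to be valid YAML flow syntax.
  dnsNames:
    {{- toYaml .Values.dnsNames | nindent 4 }}
```

Render with helm template mychart -f values.yaml and confirm that dnsNames comes out as a block list with one entry per line; each entry becomes a SAN in the CSR, and the ACME error in the question means the server found no SAN of 64 characters or fewer to use as the CN, which is exactly what a single long concatenated string produces. If you set the names on the command line, use the list form --set 'dnsNames={development.my-domain.com,production.my-domain.com}'; an escaped comma (a\,b) gives one string.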