No tls.crt on certificate secret
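I'm creating a ClusterIssuer and a Certificate. However, there is no tls.crt on the secret! What am I doing wrong?

The clusterissuer looks like it is running fine, but neither of the keys has the crt.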

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-myapp-clusterissuer
      namespace: cert-manager
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: app@example.com
        privateKeySecretRef:
          name: wildcard-myapp-com
        solvers:
        - dns01:
            cloudDNS:
              serviceAccountSecretRef:
                name: clouddns-service-account
                key: dns-service-account.json
              project: app
          selector:
            dnsNames:
            - '*.myapp.com'
            - myapp.com
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: myapp-com-tls
      namespace: cert-manager
    spec:
      secretName: myapp-com-tls
      issuerRef:
        name: letsencrypt-myapp-issuer
        kind: ClusterIssuer
      commonName: '*.myapp.com'
      dnsNames:
      - 'myapp.com'
      - '*.myapp.com'

It is difficult to troubleshoot this based on the information provided; you may be hitting this bug.

You can start troubleshooting this kind of issue by following these steps:

- Get the certificate request name:

    kubectl -n <namespace> describe certificate myapp-com-tls
    ...
    Created new CertificateRequest resource "myapp-com-tls-xxxxxxx"

- The request generates an order; get the order name with the command:

    kubectl -n <namespace> describe certificaterequests myapp-com-tls-xxxxxxx
    …
    Created Order resource <namespace>/myapp-com-tls-xxxxxxx-xxxxx

- The order generates challenge resources; get them with:

    kubectl -n <namespace> describe order myapp-com-tls-xxxxxxx-xxxxx
    …
    Created Challenge resource "myapp-com-tls-xxxxxxx-xxxxx-xxxxx" for domain "yourdomain.com"

- Finally, with the challenge name, you can get the validation status for your certificate:

    kubectl -n <namespace> describe challenges myapp-com-tls-xxxxxxx-xxxxx-xxxxx
    ...
    Reason: Successfully authorized domain
    ...
    Normal Started 2m45s cert-manager Challenge scheduled for processing
    Normal Presented 2m45s cert-manager Presented challenge using http-01 challenge mechanism
    Normal DomainVerified 2m22s cert-manager Domain "yourdomain.com" verified with "http-01" validation

If the status of the challenge is not DomainVerified, then something went wrong while requesting the certificate from Let's Encrypt, and you will see the reason in the output.
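
The four describe steps above chained into one script, as an added example that is not part of the original answer. It parses the event messages exactly as they are worded in the output above; the function names `created_names` and `trace_certificate` are hypothetical, and it assumes the events have not yet expired from the cluster.

```shell
#!/bin/sh
# Added example: follow Certificate -> CertificateRequest -> Order -> Challenge
# by parsing cert-manager's "Created ..." event messages from `kubectl describe`.
# Assumption: the events are still present. Function names are hypothetical.

# Read describe output on stdin; print every resource name that follows the
# event text in $1. Handles "quoted" names and the namespace/name form.
created_names() {
    sed -n "s|.*$1 \"\{0,1\}\([^\" ]*\)\"\{0,1\}.*|\1|p" | sed 's|.*/||'
}

# Usage: trace_certificate <namespace> <certificate-name>
# Returns 0 only if every Challenge of the last listed Order shows DomainVerified.
trace_certificate() {
    ns=$1; cert=$2
    cr=$(kubectl -n "$ns" describe certificate "$cert" |
        created_names 'Created new CertificateRequest resource' | tail -n 1)
    [ -n "$cr" ] || { echo "no CertificateRequest event on $cert" >&2; return 1; }

    order=$(kubectl -n "$ns" describe certificaterequests "$cr" |
        created_names 'Created Order resource' | tail -n 1)
    [ -n "$order" ] || { echo "no Order event on $cr" >&2; return 1; }

    challenges=$(kubectl -n "$ns" describe order "$order" |
        created_names 'Created Challenge resource')
    [ -n "$challenges" ] || { echo "no Challenge event on $order" >&2; return 1; }

    rc=0
    for ch in $challenges; do
        if ! desc=$(kubectl -n "$ns" describe challenges "$ch" 2>&1); then
            echo "$ch: describe failed (resource may no longer exist)"
            rc=1
        elif printf '%s\n' "$desc" | grep -q 'DomainVerified'; then
            echo "$ch: DomainVerified"
        else
            echo "$ch: not verified"
            printf '%s\n' "$desc" >&2   # the failure reason is in this output
            rc=1
        fi
    done
    return $rc
}

# Run only when called with arguments, e.g.: sh trace.sh cert-manager myapp-com-tls
[ "$#" -lt 2 ] || trace_certificate "$1" "$2"
```
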