Ish*_*are 8 docker kubernetes lets-encrypt certbot
我正在尝试使用certbot/certbotkubernetes中的docker容器生成SSL证书.我正在使用Job控制器,这看起来是最合适的选择.当我运行独立选项时,我收到以下错误:
授权程序失败.staging.ishankhare.com(http-01):urn:ietf:params:acme:error:connection ::服务器无法连接到客户端以验证域名::获取 http://staging.ishankhare.com/.众所周知/ acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8:连接超时(可能是防火墙问题)
我已经确保这不是由于运行简单的nginx容器而错误配置的DNS条目,并且它正确解析.以下是我的Jobs档案:
apiVersion: batch/v1
kind: Job
metadata:
#labels:
# app: certbot-generator
name: certbot
spec:
template:
metadata:
labels:
app: certbot-generate
spec:
volumes:
- name: certs
containers:
- name: certbot
image: certbot/certbot
command: ["certbot"]
#command: ["yes"]
args: ["certonly", "--noninteractive", "--agree-tos", "--staging", "--standalone", "-d", "staging.ishankhare.com", "-m", "me@ishankhare.com"]
volumeMounts:
- name: certs
mountPath: "/etc/letsencrypt/"
#- name: certs
#mountPath: "/opt/"
ports:
- containerPort: 80
- containerPort: 443
restartPolicy: "OnFailure"
和我的服务:
apiVersion: v1
kind: Service
metadata:
name: certbot-lb
labels:
app: certbot-lb
spec:
type: LoadBalancer
loadBalancerIP: 35.189.170.149
ports:
- port: 80
name: "http"
protocol: TCP
- port: 443
name: "tls"
protocol: TCP
selector:
app: certbot-generator
完整的错误消息是这样的:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging.ishankhare.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: staging.ishankhare.com
Type: connection
Detail: Fetching
http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
我也尝试过这个简单Pod但没有帮助.虽然我仍然觉得将它作为一个Job完成是运行的方式.
首先,请注意您的Job定义是有效的,但该spec.template.metadata.labels.app: certbot-generate值与您的定义不匹配:一个是,第二个是。因此,作业控制器运行的 Pod 永远不会作为端点添加到服务中。Servicespec.selector.app: certbot-generatorcertbot-generatecertbot-generator
调整其中之一,但它们必须匹配,这可能会起作用:)
虽然,我不确定使用Service带有选择器的控制器来定位短期 PodJob是否有效,也不确定使用Pod您测试的简单的选择器是否有效。由作业创建的pod certbot-randomId(或您创建的任何简单 pod)总共需要大约 15 秒才能运行/失败,并且在 pod 生命周期几秒后就会触发 HTTP 验证挑战:我不清楚这是否足够kubernetes 代理在服务和 Pod 之间开始工作的时间。
我们可以放心地假设它Service实际上正在工作,因为您提到您测试了 DNS 解析,因此您可以通过添加(或更多!)来轻松确保这不是计时问题,sleep 10以便为 Pod 作为端点添加更多时间在certbot 触发 HTTP 质询之前,服务并被适当代理。只需更改您的Job命令和参数即可:
command: ["/bin/sh"]
args: ["-c", "sleep 10 && certbot certonly --noninteractive --agree-tos --staging --standalone -d staging.ishankhare.com -m me@ishankhare.com"]
在这里,这也可能有效:)
话虽这么说,我强烈建议您使用cert-manager,您可以通过其稳定的 Helm 图表轻松安装它:Certificate它引入的自定义资源会将您的证书存储在 a 中Secret,这将使其可以直接从任何 K8s 资源中重用,它会自动进行更新,因此您可以忘记这一切。