dma_gic 4 kubernetes lets-encrypt azure-aks cert-manager
Our AKS cluster is configured to renew Let's Encrypt certificates automatically through the cert-manager annotation on the Ingress, and this worked fine until we upgraded to AKS 1.20.7. Then it stopped working and certificates started expiring without being renewed - I went through all the changes to the K8S and cert-manager APIs and reviewed all the YAML, but I can't see anything obviously wrong. Any pointers would be appreciated.

My understanding is that as long as I add "cert-manager.io/cluster-issuer: letsencrypt-prod-p9v2" to my ingress, the whole renewal should happen automatically - but that is not happening.
```
> kubectl cert-manager version
util.Version{GitVersion:"v1.4.0", GitCommit:"5e2a6883c1202739902ac94b5f4884152b810925", GitTreeState:"clean", GoVersion:"go1.16.2", Compiler:"gc", Platform:"linux/amd64"}

AKS version: 1.20.7

cat shipit-ingress-p9v2.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod-p9v2
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 15m
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.org/client-max-body-size: 15m
  generation: 4
  name: shipit-ingress-p9v2
  namespace: supplier
  resourceVersion: "147087245"
  uid: 6751dbff-83b1-48a1-a467-e75cc843ee79
spec:
  rules:
  - host: xxx.westeurope.cloudapp.azure.com
    http:
      paths:
      - backend:
          service:
            name: planet9v2
            port:
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - xxx.westeurope.cloudapp.azure.com
    secretName: tls-secret-p9v2
status:
  loadBalancer:
    ingress:
    - ip: 10.240.0.5

>> kubectl get clusterissuer -o yaml letsencrypt-prod-p9v2
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  annotations:
  creationTimestamp: "2020-05-29T13:31:10Z"
  generation: 2
  name: letsencrypt-prod-p9v2
  resourceVersion: "25493731"
  uid: 0e0e46f5-4cdf-42ea-a022-2dfe9ed56ad8
spec:
  acme:
    email: xxx
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
status:
  acme:
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/76984529
  conditions:
  - lastTransitionTime: "2020-05-29T13:31:11Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready

>> kubectl cert-manager inspect secret tls-secret-p9v2
...
Debugging:
  Trusted by this computer:  no: x509: certificate has expired or is not yet valid: current time 2021-08-24T07:03:32Z is after 2021-08-22T06:40:20Z
  CRL Status:                No CRL endpoints set
  OCSP Status:               Cannot check OCSP: error reading OCSP response: ocsp: error from server: unauthorized

kubectl describe secret tls-secret-p9v2
Name:         tls-secret-p9v2
Namespace:    supplier
Labels:       certmanager.k8s.io/certificate-name=tls-secret-p9v2
Annotations:  certmanager.k8s.io/alt-names: shipit-dev-p9v2.westeurope.cloudapp.azure.com
              certmanager.k8s.io/common-name: shipit-dev-p9v2.westeurope.cloudapp.azure.com
              certmanager.k8s.io/ip-sans:
              certmanager.k8s.io/issuer-kind: ClusterIssuer
              certmanager.k8s.io/issuer-name: letsencrypt-prod-p9v2

Type:  kubernetes.io/tls

Data
====
tls.key:  1679 bytes
ca.crt:   0 bytes
tls.crt:  5672 bytes

kubectl get order
NAME                        STATE   AGE
tls-secret-p9v2-4123722043  valid   24d

[(⎈ |shipit-k8s-dev:supplier)]$ k describe order tls-secret-p9v2-4123722043
Name:         tls-secret-p9v2-4123722043
Namespace:    supplier
Labels:       acme.cert-manager.io/certificate-name=tls-secret-p9v2
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Order
Metadata:
  Creation Timestamp:  2021-07-31T04:12:42Z
  Generation:          4
  Managed Fields:
    API Version:  certmanager.k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .:
          f:acme.cert-manager.io/certificate-name:
        f:ownerReferences:
          .:
          k:{"uid":"a1dec741-0fe7-42be-99d2-176c3d4cdf38"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:config:
        f:csr:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
      f:status:
        .:
        f:certificate:
        f:challenges:
        f:finalizeURL:
        f:state:
        f:url:
    Manager:      jetstack-cert-manager
    Operation:    Update
    Time:         2021-07-31T04:13:09Z
  Owner References:
    API Version:           certmanager.k8s.io/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  tls-secret-p9v2
    UID:                   a1dec741-0fe7-42be-99d2-176c3d4cdf38
  Resource Version:        143545958
  UID:                     a646985b-6d44-4c99-bb39-ceb6c4919047
Spec:
  Config:
    Domains:
      shipit-dev-p9v2.westeurope.cloudapp.azure.com
    http01:
      Ingress Class:  nginx
  Csr:  ...
  Dns Names:
    shipit-dev-p9v2.westeurope.cloudapp.azure.com
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-prod-p9v2
Status:
  Certificate:  LS0tLS1CRUdJTiBDRVJUSUZJ.....
  Challenges:
    Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/17660284180
    Config:
      http01:
        Ingress Class:  nginx
    Dns Name:  shipit-dev-p9v2.westeurope.cloudapp.azure.com
    Issuer Ref:
      Kind:  ClusterIssuer
      Name:  letsencrypt-prod-p9v2
    Key:       AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4.mIcOL5pBlkZJSpSUslpjJTC_hFunxNRCEA82VcfFAHE
    Token:     AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4
    Type:      http-01
    URL:       https://acme-v02.api.letsencrypt.org/acme/chall-v3/17660284180/Sh057Q
    Wildcard:  false
  Finalize URL:  https://acme-v02.api.letsencrypt.org/acme/finalize/75003870/13444902230
  State:         valid
  URL:           https://acme-v02.api.letsencrypt.org/acme/order/75003870/13444902230
Events:  <none>
```
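Added check, not part of the question: the annotation the post says was added (`cert-manager.io/cluster-issuer`) and the one in the posted Ingress YAML (`certmanager.k8s.io/cluster-issuer`) belong to different API groups, and the ClusterIssuer and Order above are still in `certmanager.k8s.io/v1alpha1`; cert-manager renamed its API group to `cert-manager.io` in v0.11, and the v1.x controller (the plugin above reports v1.4.0) only acts on the new group's annotations and kinds. This hypothetical Python audit flags legacy annotations, legacy issuer apiVersions, and TLS ingresses with no current-group issuer annotation in `kubectl ... -o json` output; the sample objects are constructed to mirror the question.

```python
import json

LEGACY = "certmanager.k8s.io"   # API group used by cert-manager before v0.11
CURRENT = "cert-manager.io"     # API group read by cert-manager v1.x
ISSUER_ANNOTATIONS = (f"{CURRENT}/cluster-issuer", f"{CURRENT}/issuer")

def audit(items):
    """Return [(object id, finding)] for a kubectl List of Ingress/Issuer/ClusterIssuer objects."""
    findings = []
    for obj in items:
        kind, meta = obj["kind"], obj["metadata"]
        ident = f"{kind}/{meta.get('namespace', '-')}/{meta['name']}"
        ann = meta.get("annotations") or {}
        if kind in ("Issuer", "ClusterIssuer") and obj["apiVersion"].startswith(LEGACY + "/"):
            findings.append((ident, f"apiVersion {obj['apiVersion']} is the legacy group; "
                                    f"recreate the issuer as {CURRENT}/v1"))
        if kind != "Ingress":
            continue
        for key in ann:
            if key.startswith(LEGACY + "/"):
                findings.append((ident, f"legacy annotation {key}; rename to "
                                        f"{CURRENT}/{key.split('/', 1)[1]}"))
        if obj.get("spec", {}).get("tls") and not any(k in ann for k in ISSUER_ANNOTATIONS):
            findings.append((ident, f"spec.tls set but no {CURRENT} issuer annotation; "
                                    "ingress-shim will not request a Certificate without a default issuer"))
    return findings

# Constructed sample in the shape of `kubectl get ingress,clusterissuer -A -o json`,
# mirroring the objects in the question plus one correctly annotated Ingress.
SAMPLE = json.loads("""{"items": [
 {"apiVersion": "certmanager.k8s.io/v1alpha1", "kind": "ClusterIssuer",
  "metadata": {"name": "letsencrypt-prod-p9v2"}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
  "metadata": {"name": "shipit-ingress-p9v2", "namespace": "supplier",
   "annotations": {"certmanager.k8s.io/cluster-issuer": "letsencrypt-prod-p9v2",
                   "kubernetes.io/ingress.class": "nginx"}},
  "spec": {"tls": [{"hosts": ["xxx.westeurope.cloudapp.azure.com"], "secretName": "tls-secret-p9v2"}]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
  "metadata": {"name": "ok-ingress", "namespace": "supplier",
   "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
  "spec": {"tls": [{"hosts": ["ok.example.invalid"], "secretName": "ok-tls"}]}}
]}""")

if __name__ == "__main__":
    import sys
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)  # pipe real kubectl JSON in
    for ident, finding in audit(data["items"]):
        print(f"{ident}: {finding}")
```

Run with no input to audit the constructed sample, or pipe `kubectl get ingress,clusterissuer -A -o json` into it to audit a live cluster.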