use*_*440 1 google-kubernetes-engine lets-encrypt cert-manager
I'm having problems trying to create certificates with cert-manager in a GKE cluster. It must be something I'm doing, because I've tried versions 1.7.1, 1.7.0 and 1.6.2 and got the same error with each.

The error I'm seeing is:

E0219 00:57:39.270717 1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://mysubdomain.mmydomain.com/.well-known/acme-challenge/secretKey': Get \"https://mysubdomain.mmydomain.com:443/.well-known/acme-challenge/secretKey\": remote error: tls: unrecognized name" "dnsName"="mysubdomain.mmydomain.com" "resource_kind"="Challenge" "resource_name"="elasticsearch-tls-cert-somenumbers" "resource_namespace"="elastic-stack" "resource_version"="v1" "type"="HTTP-01"

Here is the setup I'm installing:

Install the CRDs:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml

Helm install of cert-manager:

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.1

Confirm the install is good:

➜ ~ helm list -n cert-manager
NAME          NAMESPACE     REVISION  UPDATED                               STATUS    CHART                APP VERSION
cert-manager  cert-manager  1         2022-02-18 16:07:57.258172 -0800 PST  deployed  cert-manager-v1.6.2  v1.6.2
➜ ~

Applied the ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: "myemail@myemail.com"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx

Deployed my ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kibana-ingress
  namespace: elastic-stack
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
  - host: mysubdomain.mmydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kibana-kb-http
          servicePort: 5601
  tls:
  - hosts:
    - mysubdomain.mmydomain.com
    secretName: kibana-tls-cert

Then when I tail the cert-manager pod, I see the error remote error: tls: unrecognized name" "dnsName.
The describe output for the certificate challenge says the same thing:

Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://mysubdomain.mmydomain.com/.well-known/acme-challenge/secretKey': Get "https://mysubdomain.mmydomain.com:443/.well-known/acme-challenge/secretKey": remote error: tls: unrecognized name
  State:       pending
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Started    8m45s  cert-manager  Challenge scheduled for processing
  Normal  Presented  8m45s  cert-manager  Presented challenge using HTTP-01 challenge mechanism

This works just fine in another cluster, so I can't figure out what I'm doing wrong here.
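
Just to elaborate on this.

For me, this error was also related to using the nginx-stable chart, which cert-manager does not support, instead of the ingress-nginx chart.

So instead of this:
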
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm upgrade --install nginx-ingress nginx-stable/nginx-ingress \
--namespace nginx-ingress \
--create-namespace \
--timeout 600s \
--debug \
--set controller.publishService.enabled=true

Use this to install ingress-nginx:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--timeout 600s \
--debug \
--set controller.publishService.enabled=true

Then install cert-manager:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--atomic \
--version v1.8.2 \
--set installCRDs=true
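
An added example (not code from either post above): a small Python parser for the cert-manager challenge log line quoted in the question, showing that the self check was requested over http:// but failed on https://...:443 with the TLS unrecognized_name alert. The function names and result fields are this example's own, and the sample is the question's log line with the resource_* fields left out.

```python
import re
from urllib.parse import urlsplit

# Sample input: the log line from the question, resource_* fields omitted.
SAMPLE = r'''E0219 00:57:39.270717 1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://mysubdomain.mmydomain.com/.well-known/acme-challenge/secretKey': Get \"https://mysubdomain.mmydomain.com:443/.well-known/acme-challenge/secretKey\": remote error: tls: unrecognized name" "dnsName"="mysubdomain.mmydomain.com" "type"="HTTP-01"'''

# Structured pairs look like "key"="value"; a quote inside a value is written \"
PAIR = re.compile(r'"(\w+)"="((?:\\.|[^"\\])*)"')


def parse_fields(line):
    """Return the key/value pairs of one log line with escaped quotes restored."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in PAIR.findall(line)}


def diagnose(line):
    """Summarise a failed HTTP-01 self check: URL asked for, URL that failed, why."""
    fields = parse_fields(line)
    err = fields.get("error", "")
    asked = re.search(r"GET request '([^']+)'", err)
    failed = re.search(r'Get "([^"]+)"', err)
    result = {
        "dns_name": fields.get("dnsName"),
        "asked": asked.group(1) if asked else None,
        "failed_on": failed.group(1) if failed else None,
        "redirected_to_https": False,
        "same_host": None,
        # TLS alert sent by a server that has no virtual host for the SNI name
        "sni_rejected": "tls: unrecognized name" in err,
    }
    if asked and failed:
        a, f = urlsplit(asked.group(1)), urlsplit(failed.group(1))
        # The check starts on plain HTTP; an https URL in the Get error means
        # the client was sent to port 443 before the request failed.
        result["redirected_to_https"] = a.scheme == "http" and f.scheme == "https"
        result["same_host"] = a.hostname == f.hostname
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

A result with both redirected_to_https and sni_rejected set means the challenge path on port 80 was redirected to a TLS listener that has no server for that host name, which points at the ingress controller handling the nginx class rather than at the issuer.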