Waiting for HTTP-01 challenge propagation: failed to perform self check GET request

Pau*_*aul 2 azure lets-encrypt cert-manager nginx-ingress

I am trying to follow this tutorial (https://github.com/digitalocean/Kubernetes-Starter-Kit-Developers/blob/main/03-setup-ingress-controller/nginx.md) to secure the connections to my nginx-ingress-controller with Let's Encrypt.


I installed cert-manager (v1.8.0) with helm.


Applied my ClusterIssuer with `kubectl apply -f issuer.yaml`:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-nginx
spec:
  # ACME issuer configuration
  # `email` - the email address to be associated with the ACME account (make sure it's a valid one)
  # `server` - the URL used to access the ACME server's directory endpoint
  # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
  acme:
    email: 'myemail'
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-nginx-private-key
    solvers:
      # Use the HTTP-01 challenge provider
      - http01:
          ingress:
            class: nginx
```

Then applied my Ingress with `kubectl apply -f ingress.yaml`:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-echo
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-nginx
spec:
  tls:
  - hosts:
    - www.example.com
    secretName: letsencrypt-nginx-echo
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backend
                port:
                  number: 80
  ingressClassName: nginx
```

To debug, I ran:

```
$ kubectl get certificate
NAME                     READY   SECRET                   AGE
letsencrypt-nginx-echo   False   letsencrypt-nginx-echo   39s


$ kubectl describe certificate
[...]
Status:
  Conditions:
    Last Transition Time:        2022-05-12T17:24:32Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2022-05-12T17:24:32Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  letsencrypt-nginx-echo-nxzw6
Events:
  Type    Reason     Age    From                                       Message
  ----    ------     ----   ----                                       -------
  Normal  Issuing    3m23s  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  3m23s  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "letsencrypt-nginx-echo-nxzw6"
  Normal  Requested  3m23s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "letsencrypt-nginx-echo-x2flf"


$ kubectl describe certificaterequest
Status:
  Conditions:
    Last Transition Time:  2022-05-12T17:24:32Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-05-12T17:24:33Z
    Message:               Waiting on certificate issuance from order default/letsencrypt-nginx-echo-x2flf-1264636722: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From                                          Message
  ----    ------           ----  ----                                          -------
  Normal  cert-manager.io  5m2s  cert-manager-certificaterequests-approver     Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     5m1s  cert-manager-certificaterequests-issuer-acme  Created Order resource default/letsencrypt-nginx-echo-x2flf-1264636722

$ kubectl describe order
Status:
  Authorizations:
    Challenges:
      Token:        bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU
      Type:         http-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/107853386656/VmvKxA
      Token:        bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU
      Type:         dns-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/107853386656/LgcZ5Q
      Token:        bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU
      Type:         tls-alpn-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/107853386656/Ut9rIQ
    Identifier:     www.example.com
    Initial State:  pending
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/107853386656
    Wildcard:       false
  Finalize URL:     https://acme-v02.api.letsencrypt.org/acme/finalize/540497076/88058915876
  State:            pending
  URL:              https://acme-v02.api.letsencrypt.org/acme/order/540497076/88058915876
Events:
  Type    Reason   Age    From                 Message
  ----    ------   ----   ----                 -------
  Normal  Created  6m16s  cert-manager-orders  Created Challenge resource "letsencrypt-nginx-echo-x2flf-1264636722-1300283520" for domain "www.example.com"

$ kubectl describe challenge
Spec:
  Authorization URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/107853386656
  Dns Name:           www.example.com
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-nginx
  Key:      bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU.NSQqkslrJ8YD-aL7n_dLekPhCAy4DkdFIOF0DCAHGzo
  Solver:
    http01:
      Ingress:
        Class:  nginx
  Token:        bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU
  Type:         HTTP-01
  URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/107853386656/VmvKxA
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://www.example.com/.well-known/acme-challenge/bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU': Get "https://www.example.com:443/.well-known/acme-challenge/bArXItH3_w1FLvjPfFprj2ksjFHPwZ0K6Vb25MlybRU": remote error: tls: unrecognized name
  State:       pending
Events:
  Type    Reason     Age    From                     Message
  ----    ------     ----   ----                     -------
  Normal  Started    8m45s  cert-manager-challenges  Challenge scheduled for processing
  Normal  Presented  8m45s  cert-manager-challenges  Presented challenge using HTTP-01 challenge mechanism
```

If I describe the Ingress I get:

```
TLS:
  letsencrypt-nginx-echo terminates www.example.com
Rules:
  Host               Path  Backends
  ----               ----  --------
  www.example.com
                     /   backend:80 ('//myip')
Annotations:         cert-manager.io/cluster-issuer: letsencrypt-nginx
Events:
  Type     Reason                     Age   From                       Message
  ----     ------                     ----  ----                       -------
  Warning  AddedOrUpdatedWithWarning  12m   nginx-ingress-controller   Configuration for default/ingress-echo was added or updated ; with warning(s): TLS secret letsencrypt-nginx-echo is invalid: secret doesn't exist or of an unsupported type
  Normal   CreateCertificate          12m   cert-manager-ingress-shim  Successfully created Certificate "letsencrypt-nginx-echo"
```
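The challenge status above shows what cert-manager's HTTP-01 self-check does before it tells the ACME server to validate: it fetches `http://<host>/.well-known/acme-challenge/<token>` and expects the key authorization (the `Key:` value, token "." account-key thumbprint) back. In the question the plain-HTTP request was answered with a redirect to port 443, and that handshake failed with `tls: unrecognized name` because the TLS secret did not exist yet. The script below is an added example, not code from the question, the answer, or cert-manager: it runs a local stand-in for the solver pod, performs a single-shot self-check with Python's standard library, and classifies the outcome, including the redirect-to-HTTPS case, without following the redirect into a handshake. The token, key authorization, hostnames, ports and the classification labels are constructed for this example.

```python
"""Added example (not from the original question or answer): a stand-in for
cert-manager's HTTP-01 self-check against a local stand-in for the
acme-http-solver pod, so the failure mode from the question can be seen
offline.  Token, key authorization, hostnames and ports are constructed."""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed values.  A real key authorization is token "." thumbprint of
# the ACME account key, which is what the challenge's `Key:` field shows.
TOKEN = "constructed-token-0123456789"
KEY_AUTH = TOKEN + ".constructed-account-key-thumbprint"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def make_solver_handler(token, key_auth, redirect_to_https):
    """Build a request handler that behaves like the solver, or, when
    redirect_to_https is set, like an ingress that forces HTTP->HTTPS
    before the solver path is matched (the situation in the question)."""
    challenge_path = CHALLENGE_PREFIX + token

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if redirect_to_https:
                # Answer the plain-HTTP request with a redirect to :443.
                # The hostname is constructed and never contacted.
                self.send_response(301)
                self.send_header("Location", "https://www.example.invalid:443" + self.path)
                self.end_headers()
                return
            if self.path != challenge_path:
                self.send_error(404)
                return
            body = key_auth.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


def start_solver(token=TOKEN, key_auth=KEY_AUTH, redirect_to_https=False):
    """Start the stand-in solver on 127.0.0.1 on a free port; returns (server, port)."""
    server = http.server.HTTPServer(
        ("127.0.0.1", 0), make_solver_handler(token, key_auth, redirect_to_https))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first redirect and surface it as an HTTPError so the
    check can report it instead of attempting a TLS handshake that the
    challenge hostname cannot yet complete."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect to " + newurl, headers, fp)


def self_check(host_port, token, expected_key_auth):
    """Fetch the challenge over plain HTTP and classify the result as one of
    'ok', 'body-mismatch', 'redirect-to-https' or 'http-<status>'."""
    url = "http://%s%s%s" % (host_port, CHALLENGE_PREFIX, token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location", "") if err.headers else ""
        if err.code in (301, 302, 307, 308) and location.startswith("https://"):
            return "redirect-to-https"
        return "http-%d" % err.code
    return "ok" if body == expected_key_auth else "body-mismatch"


if __name__ == "__main__":
    for redirect in (False, True):
        server, port = start_solver(redirect_to_https=redirect)
        print("redirect_to_https=%s -> %s" % (redirect, self_check("127.0.0.1:%d" % port, TOKEN, KEY_AUTH)))
        server.shutdown()
        server.server_close()
```

Run it directly to see the healthy case report `ok` and the forced-redirect case report `redirect-to-https`. The real self-check in cert-manager retries until the challenge resource times out, which is why the status stays at `pending` rather than failing outright; this single-shot version is only meant to make the two outcomes visible side by side.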

Pau*_*aul 6

I finally managed to solve this. cert-manager was creating an acme-http-solver Ingress that did not point to any address. After adding `acme.cert-manager.io/http01-edit-in-place: "true"` to my Ingress file, everything seems to work.

Just updating the resource may not be enough; you may actually have to delete and recreate it. See issue 6065.

  • Hello! I saw how you solved it. I have added this annotation but still get the same error as you. Also, it creates a new Ingress called "acme-http-solver". What else do I need to change for this? (2)