个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
37
4
Waiting for http-01 challenge propagation: failed to perform self check GET request ,它类似于这个错误 https://github.com/jetstack/cert-manager/issues/656
但是来自 GitHub 票务评论的所有解决方案都没有帮助。
我正在尝试按照本教程中的描述在 DigitalOcean 上设置 CertManager:https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
我没有收到任何错误,但是来自 CertManager 的请求在挂起状态下等待了 40 多个小时。
我已经使用 Nginx 成功配置了 Ingress,然后我创建了一个命名空间并创建了 CertManager CRD:
$ kubectl create namespace cert-manager
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
CertManager pod:
$ kubectl get pods --namespace cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5c47f46f57-gxhwv 1/1 Running 0 42h
cert-manager-cainjector-6659d6844d-xp75s 1/1 Running 0 42h
cert-manager-webhook-547567b88f-k4dv2 1/1 Running 0 42h
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: cert-manager
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: some@email.here
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: echo-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
# cert-manager.io/cluster-issuer: "letsencrypt-prod"
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- echo.some.domain
secretName: ingress-tls
rules:
- host: echo.some.domain
http:
paths:
- backend:
serviceName: echo1
servicePort: 80
CertManager 并没有更新证书并在
InProgress 状态等待:
$ date
Wed 18 Dec 2019 01:58:08 PM MSK
$ kubectl describe cert
...
Status:
Conditions:
Last Transition Time: 2019-12-16T17:23:56Z
Message: Waiting for CertificateRequest "ingress-tls-1089568541" to complete
Reason: InProgress
Status: False
Type: Ready
Events: <none>
Fake LE Intermediate X1 作为
CN,而是返回
CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
$ kubectl describe CertificateRequest
Status:
Conditions:
Last Transition Time: 2019-12-16T17:50:05Z
Message: Waiting on certificate issuance from order default/ingress-tls-1089568541-1576201144: "pending"
Reason: Pending
Status: False
Type: Ready
Events: <none>
CertManager 可能存在什么问题以及如何解决?
$ kubectl -n ingress-nginx logs nginx-ingress-controller-7754db565c-g557h
I1218 17:24:30.331127 6 status.go:295] updating Ingress default/cm-acme-http-solver-4dkdn status from [] to [{xxx.xxx.xxx.xxx }]
I1218 17:24:30.333250 6 status.go:295] updating Ingress default/cm-acme-http-solver-9dpqc status from [] to [{xxx.xxx.xxx.xxx }]
I1218 17:24:30.341292 6 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cm-acme-http-solver-4dkdn", UID:"2e523b74-8bbb-41c7-be8a-44d8db8abd6e", APIVersion:"extensions/v1beta1", ResourceVersion:"722472", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/cm-acme-http-solver-4dkdn
I1218 17:24:30.344340 6 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cm-acme-http-solver-9dpqc", UID:"b574a3b6-6c5b-4266-a4e2-6ff2de2d78e0", APIVersion:"extensions/v1beta1", ResourceVersion:"722473", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/cm-acme-http-solver-9dpqc
W1218 17:24:30.442276 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
W1218 17:24:30.442950 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
W1218 17:24:33.775476 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
W1218 17:24:33.775956 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
ingress-tls 的 secret 按预期可用:
$ kubectl get secret ingress-tls -o yaml
apiVersion: v1
data:
ca.crt: ""
tls.crt: ""
tls.key: <secret-key-data-base64-encoded>
kind: Secret
metadata:
annotations:
cert-manager.io/certificate-name: ingress-tls
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: letsencrypt-staging
creationTimestamp: "2019-12-16T17:23:56Z"
name: ingress-tls
namespace: default
resourceVersion: "328801"
selfLink: /api/v1/namespaces/default/secrets/ingress-tls
uid: 5d640b66-1572-44a1-94e4-6d85a73bf21c
type: kubernetes.io/tls
cert-manager pod 失败并显示日志:
E1219 11:06:08.294011 1 sync.go:184] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://<some.domain>/.well-known/acme-challenge/<some-path>': Get http://<some.domain>/.well-known/acme-challenge/<some-path>: dial tcp xxx.xxx.xxx.xxx:80: connect: connection timed out" "dnsName"="<some.domain>" "resource_kind"="Challenge" "resource_name"="ingress-tls-1089568541-1576201144-1086699008" "resource_namespace"="default" "type"="http-01"
$ kubectl describe challenge ingress-tls-1089568541-1576201144-471532423
Name: ingress-tls-1089568541-1576201144-471532423
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1alpha2
Kind: Challenge
Metadata:
Creation Timestamp: 2019-12-19T11:32:19Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Owner References:
API Version: acme.cert-manager.io/v1alpha2
Block Owner Deletion: true
Controller: true
Kind: Order
Name: ingress-tls-1089568541-1576201144
UID: 7d19d86f-0b56-4756-aa20-bb85caf80b9e
Resource Version: 872062
Self Link: /apis/acme.cert-manager.io/v1alpha2/namespaces/default/challenges/ingress-tls-1089568541-1576201144-471532423
UID: 503a8b4e-dc60-4080-91d9-2847815af1cc
Spec:
Authz URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/123456
Dns Name: <domain>
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt-staging
Key: <key>
Solver:
http01:
Ingress:
Class: nginx
Token: <token>
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12345/abc
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://<domain>/.well-known/acme-challenge/<token>': Get http://<domain>/.well-known/acme-challenge/<token>: dial tcp xxx.xxx.xxx.xxx:80: connect: connection timed out
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 4m28s cert-manager Challenge scheduled for processing
Normal Presented 4m28s cert-manager Presented challenge using http-01 challenge mechanism
kubectl run -it ... 和
wget http://<domain>/.well-known/acme-challenge/<token>。
最佳答案
这可能值得一看。我遇到了类似的问题 Connection Timeout
更改 LoadBalancer在 ingress-nginx服务。
添加/更改 externalTrafficPolicy: Cluster .
原因是,带有证书颁发者的 pod 在与负载均衡器不同的节点上结束,因此它无法通过入口与自己对话。
以下是取自 https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.26.1/deploy/static/provider/cloud-generic.yaml 的完整块
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
#CHANGE/ADD THIS
externalTrafficPolicy: Cluster
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
---
关于kubernetes - CertManager Letsencrypt CertificateRequest "failed to perform self check GET request",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59390660/
37
4
0
我有一个以以下方式运行的简单docker容器: docker service create --name nginx_proxy \ --mount type=bind,source=/opt/n
所以我有一个在端口 443 上运行的 Apache 服务器和在最新版本的 Ubuntu 上安装的 NodeJS。现在我的一切都运行得很好,除了我运行 NodeJS 服务器的端口 100 上没有 SSL
所以我删除了证书,认为我需要这样做,因为我得到了一个新域名。我目前被当前错误困住了: Root@Site:~$ certbot-auto --apache -d example.io -d www.e
关闭。这个问题不符合Stack Overflow guidelines .它目前不接受答案。 这个问题似乎不是关于 a specific programming problem, a softwar
我关注了this tutorial使用 NGINX Ingrss Controller 和带有 letsencrypt 的证书管理器为基本应用程序提供服务。 我可以访问该网站,但 SSL 证书已损坏,
我正在将我的网站推送到 Ubuntu 18.04 上的 AWS Lightsail 实例,但自从我安装了 LetsEncrypt(之前一切都很好)后,我无法访问它。 基本上,我没有得到任何回应,尽管看
关闭。这个问题不符合Stack Overflow guidelines .它目前不接受答案。 这个问题似乎不是关于 a specific programming problem, a softwar
我正在尝试找出如何在不影响用户/客户的情况下将网站/服务器从 digitalocean Droplet 迁移到 Azure (AKS)。 digitalocean 配置具有由letsencrypt(通
我正在尝试找出如何在不影响用户/客户的情况下将网站/服务器从 digitalocean Droplet 迁移到 Azure (AKS)。 digitalocean 配置具有由letsencrypt(通
我正在遵循本指南:https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-f
我在尝试运行命令时遇到这个奇怪的 letsencrypt 错误 $ certbot certonly --standalone --email example@gmail.com --agree-to
Closed. This question needs details or clarity。它当前不接受答案。
我正在尝试在 DigitalOcean 服务器上的 ubuntu 14 上安装 letsencrypt,但遇到了这个问题。 我尝试使用 sudo 安装但同样的错误,也尝试安装库但没有任何反应。 apt
我已经在我的服务器上安装了 SSL 来保护我的域,现在发生的事情是我在 Chrome 等中遇到了这个错误: Attackers might be trying to steal your inform
我目前在我的服务器上使用 letsencrypt 作为 SSL 证书。随着我服务器上的站点数量不断增加,安装运行 ssh 命令的证书变得非常耗时:letsencrypt。我必须手动取消选中我不想安装
当时,我无法再解决问题了……说真的,我太蠢了,检查了 letsencrypt ssl 并同时创建了一个自签名证书。但是,我认为我已经破坏了 SSL 配置。使用 letsencrypt 的其他域,除了一
我已经在 WHM 上安装了 lets encrypt,但它不适用于域。我希望每当我添加域(附加域)时,它都会被分配让加密但它会 self 分配,这表明网站不安全并且无法在 HTTPS 上运行。 我 c
关闭。这个问题不符合Stack Overflow guidelines .它目前不接受答案。 这个问题似乎不是关于 a specific programming problem, a softwa
我正在尝试在需要时自动为新服务器提供午餐,但在使服务器上线之前我在获取证书时遇到了一些困难。我想要做的是运行一个安装脚本,它准备好所有的包、网站和证书,然后将服务器添加到生产环境中。但是,Letsen
我有一个 digitalocean 服务器(ubuntu 16.4 nginx)+ serverpilot我按照站点教程安装了 letsencrypt:https://www.robertwent.c
我是一名优秀的程序员,十分优秀!