kubernetes - cert-manager: no configured challenge solvers can be used for this challenge

Reposted. Author: 行者123 Updated: 2023-12-02 18:39:33

I set up cert-manager on my EKS cluster following these instructions: https://cert-manager.io/docs/tutorials/acme/ingress/

Here is my ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - '*.test.com'
    secretName: test-tls
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test-service
            port:
              number: 80

Here is the issuer. I just copied the configuration from the instructions:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@test.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

After deploying it, I found that the certificate's ready state is False:

kubectl get certificate
NAME       READY   SECRET     AGE
test-tls   False   test-tls   2m45s

Then I followed this guide to troubleshoot: https://cert-manager.io/docs/faq/troubleshooting/

I ran kubectl describe certificaterequest <request name> and found the error Waiting on certificate issuance from order test-tls-xxx: "pending".

Then I ran kubectl describe order test-tls-xxx and found the error Warning Solver 20m cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge.

Any idea why it cannot determine a valid solver? How can I test whether the solver is working correctly?

Best answer

It is not working because you are using the staging URL in the cluster issuer to verify the image.

Please try using the production URL.

Here is a simple and correct example of ClusterIssuer and Ingress YAML (note that you are trying to use the staging API https://acme-staging-v02.api.letsencrypt.org/directory; if possible, use the production server address so that it works properly in all browsers).

Example:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

Note: when you try again, delete the old objects such as the Ingress and ClusterIssuer first.

Issuer vs ClusterIssuer

An Issuer is a namespaced resource, and it is not possible to issue certificates from an Issuer in a different namespace. This means you will need to create an Issuer in each namespace you wish to obtain Certificates in.

If you want to create a single Issuer that can be consumed in multiple namespaces, you should consider creating a ClusterIssuer resource. This is almost identical to the Issuer resource, however is non-namespaced so it can be used to issue Certificates across all namespaces.

Reference: https://cert-manager.io/docs/concepts/issuer/

Wildcard certificates

You can use whichever you need; if you are using an Issuer, you can update the ingress annotation:

cert-manager.io/issuer: issuer-name

If you are trying to get a wildcard * certificate, you will not be able to get it with the HTTP auth method:

solvers:
- http01:
    ingress:
      class: nginx-class-name

Instead, you have to use the DNS auth method for wildcard certificates:

solvers:
- dns01:
    cloudDNS:
      project: my-project
      serviceAccountSecretRef:
        name: prod-clouddns-svc-acct-secret
        key: service-account.json

Read more: https://cert-manager.io/docs/configuration/acme/dns01/

Reference article on getting a wildcard certificate: https://medium.com/@harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2
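As an added example (not code from the question, the answer or cert-manager itself), the Python below mirrors how an Order's DNS name is matched against an Issuer's solver list: a wildcard identifier is only ever offered dns-01 by the CA, so the question's http01-only Issuer yields no usable solver for `*.test.com`, while the answer's dns01 solver does. The solver dicts transcribe this page's YAML, and the selector scoring (dnsNames, dnsZones) is a simplified version of cert-manager's.

```python
# Added example: reproduces solver selection for one Order DNS name. Not from
# the question, the answer or cert-manager; solver dicts transcribe this page's YAML.

# Challenge types a Let's Encrypt authorization lists: a wildcard identifier
# is only ever offered dns-01, which is why http01 solvers cannot serve it.
WILDCARD_TYPES = {"dns-01"}
NORMAL_TYPES = {"http-01", "dns-01", "tls-alpn-01"}
# Challenge type each solver block in an Issuer can complete.
SOLVER_TYPE = {"http01": "http-01", "dns01": "dns-01"}

def offered_types(dns_name):
    """Challenge types the ACME authorization for dns_name will contain."""
    return WILDCARD_TYPES if dns_name.startswith("*.") else NORMAL_TYPES

def selector_score(solver, dns_name):
    """-1 if the solver's selector excludes dns_name, else a specificity score:
    exact dnsNames (2) beats dnsZones (1) beats no selector (0). Simplified."""
    sel = solver.get("selector") or {}
    bare = dns_name[2:] if dns_name.startswith("*.") else dns_name
    if "dnsNames" in sel:
        return 2 if dns_name in sel["dnsNames"] else -1
    if "dnsZones" in sel:
        zones = sel["dnsZones"]
        return 1 if any(bare == z or bare.endswith("." + z) for z in zones) else -1
    return 0

def pick_solver(solvers, dns_name):
    """Return (solver kind, solver) for dns_name, or None when no configured
    solver can complete any challenge type the CA offers: the condition behind
    'no configured challenge solvers can be used for this challenge'."""
    best, best_score = None, -1
    for solver in solvers:
        kind = next((k for k in SOLVER_TYPE if k in solver), None)
        if kind is None or SOLVER_TYPE[kind] not in offered_types(dns_name):
            continue  # solver exists, but the CA will not offer its challenge type
        score = selector_score(solver, dns_name)
        if score > best_score:
            best, best_score = (kind, solver), score
    return best

# Solver list of the question's Issuer (http01 via the nginx ingress class).
QUESTION_SOLVERS = [{"http01": {"ingress": {"class": "nginx"}}}]
# Solver list of the answer's DNS-01 snippet (Cloud DNS; secret ref omitted).
DNS_SOLVERS = [{"dns01": {"cloudDNS": {"project": "my-project"}}}]

if __name__ == "__main__":
    print(pick_solver(QUESTION_SOLVERS, "*.test.com"))    # None: wildcard needs dns-01
    print(pick_solver(QUESTION_SOLVERS, "www.test.com"))  # ('http01', ...)
    print(pick_solver(DNS_SOLVERS, "*.test.com"))         # ('dns01', ...)
```

Running it against the question's Issuer shows the failure is independent of staging versus production URLs: the wildcard host is what leaves the Order without a usable solver.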

For "kubernetes - cert-manager: no configured challenge solvers can be used for this challenge", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/68219076/
