个人中心
gpt4 book ai didi

nginx - 使用 DigitalOcean 在 Kubernetes 集群上为我的 Nginx-Ingress 生成通配符证书

转载 作者:行者123 更新时间:2023-12-04 22:35:15 25 4
gpt4 key购买 nike

我遵循了这个 DigitalOcean 指南 https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes ,我遇到了一些很奇怪的事情。在主机名中我设置了一个通配符,然后 letsencrypt未能颁发新证书。而当我只设置定义的子域时,它可以完美地工作。
这是我对域及其 api 的“工作”配置(并且这个配置完美):

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - example.com
    - api.example.com
    secretName: my-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: example-frontend
          servicePort: 80
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: example-api
          servicePort: 80
相反,这是我试图颁发的通配符证书,但这无法留下“正在颁发”的消息。 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - example.com
    - *.example.com
    secretName: my-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: example-frontend
          servicePort: 80
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: example-api
          servicePort: 80
唯一的区别是主机的第二行。有一个我不知道的微不足道的众所周知的解决方案吗?我是 Kubernetes 的新手,但不是 DevOps 的新手。

最佳答案

使用 cert-manager 生成通配符证书( letsencrypt ) 需要使用 DNS-01挑战而不是 HTTP-01 used in the link from the question :

Does Let’s Encrypt issue wildcard certificates?

Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.


有一个关于生成 wildcard 的文档带有 cert-manager 的证书:
  • Cert-manager.io: Docs: Configuration: ACME: DNS-01

    • 从DigialOcean的角度来看,有专门针对它的指南:

    This provider uses a Kubernetes Secret resource to work. In the followingexample, the Secret will have to be named digitalocean-dns and have asub-key access-token with the token in it. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: digitalocean-dns
      namespace: cert-manager
    data:
      # insert your DO access token here
      access-token: "base64 encoded access-token here"

    The access token must have write access.

    To create a Personal Access Token, see DigitalOcean documentation.

    Handy direct link: https://cloud.digitalocean.com/account/api/tokens/new

    To encode your access token into base64, you can use the following

    echo -n 'your-access-token' | base64 -w 0
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: example-issuer
    spec:
      acme:
        ...
        solvers:
        - dns01:
            digitalocean:
              tokenSecretRef:
                name: digitalocean-dns
                key: access-token

    -- Cert-manager.io: Docs: Configuration: ACME: DNS-01: Digitalocean



    我认为这些额外的资源也可以提供帮助:
  • Stackoverflow.com: Questions: Wilcard SSL certificate with subdomain redirect in Kubernetes
  • Itnext.io: Using wildcard certificates with cert-manager in Kubernetes

    • 关于nginx - 使用 DigitalOcean 在 Kubernetes 集群上为我的 Nginx-Ingress 生成通配符证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66051624/

    25 4 0
    文章推荐: ruby-on-rails - Ruby on rails : problem of verifiying the SSL certificate while installing bundle
    文章推荐: java - Apache NiFi 无法启动流 Controller ,因为 TLS 配置无效 : The keystore properties are not valid
    文章推荐: ssl - IIS10 多个站点和多个 SSL 证书的 SSL 配置
    文章推荐: ssl - 如何在 GitHub 操作中存储和使用 SSL/TLS 证书进行身份验证?
    行者123
    个人简介

    我是一名优秀的程序员,十分优秀!

    滴滴打车优惠券免费领取
    滴滴打车优惠券
    全站热门文章
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com