ssl - 在 Ingress :Issuing certificate as Secret does not exist using 中使用 Let's Encrypt 时出错

Question

我遵循了本教程 https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes使用证书管理器为我的入口颁发 SSL 证书，让我们加密，我运行此错误 Issuing certificate as Secret does not exist。我的配置错了吗？这是一个 Minikube 本地集群。

staging_issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt-staging
 namespace: cert-manager
spec:
 acme:
   # The ACME server URL
   server: https://acme-staging-v02.api.letsencrypt.org/directory
   # Email address used for ACME registration
   email: email_address
   # Name of a secret used to store the ACME account private key
   privateKeySecretRef:
     name: letsencrypt-staging
   # Enable the HTTP-01 challenge provider
   solvers:
   - http01:
       ingress:
         class:  nginx

入口.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-read-timeout: "12h"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - frontend.info
    - backend.info
    secretName: echo-tls
  rules:
  - host: frontend.info
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80
  - host: backend.info
    http:
      paths:
      - backend:
          serviceName: backend
          servicePort: 8080

kubectl 描述证书

Name:         echo-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1beta1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2021-01-26T09:29:54Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1alpha2
    Fields Type:  FieldsV1
    Manager:    controller
    Operation:  Update
    Time:       2021-01-26T09:29:55Z
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  echo-ingress
    UID:                   <UID>
  Resource Version:        423812
  UID:                     <UID>
Spec:
  Dns Names:
    frontend.info
    backend.info
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-staging
  Secret Name:  echo-tls
Status:
  Conditions:
    Last Transition Time:        2021-01-26T09:29:54Z
    Message:                     Issuing certificate as Secret does not exist
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2021-01-26T09:29:54Z
    Message:                     Issuing certificate as Secret does not exist
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  echo-tls-hg5tt
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Issuing    7h56m  cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  7h56m  cert-manager  Stored new private key in temporary Secret resource "echo-tls-hg5tt"
  Normal  Requested  7h56m  cert-manager  Created new CertificateRequest resource "echo-tls-hmz86

Answer 1

让我们从回答您关于事件的问题开始:

Events:
  Type    Reason     Age    From          Message
  Normal  Issuing    7h56m  cert-manager  Issuing certificate as Secret does not exist

这不是错误，也不是阻塞因素。正如您在 type 中看到的那样这部分标记为 Normal .您应该担心的事件类型是 Warning事件，就像这里:

Events:
  Type     Reason     Age                From                                                    Message
  Warning  Unhealthy  2m (x2 over 2m)    kubelet, ip-XXX-XXX-XXX-XXX.us-west-2.compute.internal  Readiness probe failed: Get http://XXX.XXX.XXX.XXX:YYY/healthz: dial tcp connect: connection refused

---

现在来解决您真正的问题。您提供的文档在先决条件部分明确指出您需要有一个域名和一个指向 Ingress 使用的 DigitalOcean 负载均衡器的 DNS A 记录(在您的情况下，您希望将其指向 minikube )。假设您是您在 yaml 中提到的两个域的所有者，我注意到它们指向两个不同的 IP 地址:

$ dig frontend.info
;; ANSWER SECTION:
frontend.info.          599     IN      A       104.247.81.51

$ dig backend.info
;; ANSWER SECTION:
backend.info.           21599   IN      A       127.0.0.1

域必须指向 external-ip minikube所在机器的地址正在运行(在我的例子中是云虚拟机)。有了这个，还不够minikube通常在它自己的 docker 容器或 vm 中运行。您需要确保流量实际到达您的 minikube 集群。

为此我使用了 kubectl port-fowarding暴露nginx-controller pods :

sudo kubectl port-forward pod/ingress-nginx-controller-69ccf5d9d8-mdkrr -n kube-system 80:80 --address 0.0.0.0

Forwarding from 0.0.0.0:80 -> 80 

Let's encrypt 需要访问您的应用程序才能证明您是域的所有者。一旦实现，您的证书对象会将其状态更改为 True :

➜  ~ k get certificate                        
NAME       READY   SECRET     AGE
echo-tls   True    echo-tls   104m

这里是最后的测试。请注意，我使用的是我自己的域，我刚刚将其更改为 <your-domain> .在您的情况下，这将是 frontend.info或 backend.info

➜  ~ curl https://<your-domain> -v         
-----
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=test-domain.com
*  start date: Jan 27 10:09:31 2021 GMT
*  expire date: Apr 27 10:09:31 2021 GMT
*  subjectAltName: host "<your-domain>" matched cert's "<your-domain>"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
-----