
ssl - Debugging cert-manager certificate creation failure on AKS

Reposted. Author: 行者123. Updated: 2023-12-04 22:39:28

I am deploying cert-manager on Azure AKS and trying to get it to request a Let's Encrypt certificate. It fails with a `certificate signed by unknown authority` error, and I am having trouble troubleshooting further.

I am not sure whether this is a problem with trusting the LE servers, with the tunnelfront pod, or perhaps with the CA that AKS generates internally. So my questions are:

  • How can I force cert-manager to show more debugging information about the certificate it does not trust?
  • Perhaps this problem occurs often and has a known solution?
  • What steps should I take to debug the problem further?

I opened an issue on the jetstack/cert-manager GitHub page, but nobody answered, so here I am.

The whole story follows:

The certificate is not created. The following errors are reported:

Certificate:

    Error from server: conversion webhook for &{map[apiVersion:cert-manager.io/v1alpha2 kind:Certificate metadata:map[creationTimestamp:2020-05-13T17:30:48Z generation:1 name:xxx-tls namespace:test ownerReferences:[map[apiVersion:extensions/v1beta1 blockOwnerDeletion:true controller:true kind:Ingress name:xxx-ingress uid:6d73b182-bbce-4834-aee2-414d2b3aa802]] uid:d40bc037-aef7-4139-868f-bd615a423b38] spec:map[dnsNames:[xxx.test.domain.com] issuerRef:map[group:cert-manager.io kind:ClusterIssuer name:letsencrypt-prod] secretName:xxx-tls] status:map[conditions:[map[lastTransitionTime:2020-05-13T18:55:31Z message:Waiting for CertificateRequest "xxx-tls-1403681706" to complete reason:InProgress status:False type:Ready]]]]} failed: Post https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s: x509: certificate signed by unknown authority

cert-manager-webhook container:

    cert-manager 2020/05/15 14:22:58 http: TLS handshake error from 10.20.0.19:35350: remote error: tls: bad certificate

where 10.20.0.19 is the IP of the tunnelfront pod.

Debugging with https://cert-manager.io/docs/faq/acme/ "fails" somewhat at the `kubectl describe order...` step, because `kubectl describe certificaterequest...` returns the CSR content with the error (as above) but not the order ID.

Environment details:
  • Kubernetes version: 1.15.10
  • Cloud provider: Azure (AKS)
  • cert-manager version: 0.14.3
  • Install method: static manifest (see below) + ClusterIssuer (see below) + regular CRDs (not legacy)

ClusterIssuer:

    apiVersion: cert-manager.io/v1alpha2  # added: the API version the error output above reports
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
      namespace: cert-manager
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: x
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - dns01:
            azuredns:
              clientID: x
              clientSecretSecretRef:
                name: cert-manager-stage
                key: CLIENT_SECRET
              subscriptionID: x
              tenantID: x
              resourceGroupName: dns-stage
              hostedZoneName: x

Manifest (Helm values):

    global:  # added: the parent key these settings sit under in the cert-manager chart values
      imagePullSecrets: []
      isOpenshift: false
      priorityClassName: ""
      rbac:
        create: true
      podSecurityPolicy:
        enabled: false
      logLevel: 2
      leaderElection:
        namespace: "kube-system"

    replicaCount: 1
    strategy: {}

    image:
      repository: quay.io/jetstack/cert-manager-controller
      pullPolicy: IfNotPresent
      tag: v0.14.3

    clusterResourceNamespace: ""

    serviceAccount:
      create: true
      name:
      annotations: {}

    extraArgs: []
    extraEnv: []
    resources: {}

    securityContext:
      enabled: false
      fsGroup: 1001
      runAsUser: 1001

    podAnnotations: {}
    podLabels: {}
    nodeSelector: {}

    ingressShim:
      defaultIssuerName: letsencrypt-prod
      defaultIssuerKind: ClusterIssuer

    prometheus:
      enabled: true
      servicemonitor:
        enabled: false
        prometheusInstance: default
        targetPort: 9402
        path: /metrics
        interval: 60s
        scrapeTimeout: 30s
        labels: {}

    affinity: {}
    tolerations: []

    webhook:
      enabled: true
      replicaCount: 1
      strategy: {}
      podAnnotations: {}
      extraArgs: []
      resources: {}
      nodeSelector: {}
      affinity: {}
      tolerations: []
      image:
        repository: quay.io/jetstack/cert-manager-webhook
        pullPolicy: IfNotPresent
        tag: v0.14.3
      injectAPIServerCA: true
      securePort: 10250

    cainjector:
      replicaCount: 1
      strategy: {}
      podAnnotations: {}
      extraArgs: []
      resources: {}
      nodeSelector: {}
      affinity: {}
      tolerations: []
      image:
        repository: quay.io/jetstack/cert-manager-cainjector
        pullPolicy: IfNotPresent
        tag: v0.14.3
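The two log lines in the question describe one TLS handshake seen from both ends: the client (the API server, reaching the webhook through the tunnelfront pod on AKS) could not chain the webhook's serving certificate to any CA it trusts, so it aborted and sent a `bad certificate` alert, which is what the webhook logged. For the conversion webhook, the CA the API server trusts is the `caBundle` on the cert-manager CRDs, which cainjector copies from the Secret holding the CA the webhook serves; if those two copies differ, every `/convert` call fails exactly as shown. The script below, an added example that is not part of the original post or of cert-manager, compares the two copies by SHA-256 fingerprint using only the standard library. The CRD name `certificates.cert-manager.io`, the Secret name `cert-manager-webhook-ca` and its `ca.crt` key are assumptions (my recollection of the 0.14 defaults), and the sample JSON and the certificate bytes in it are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import json
import subprocess
from typing import Optional

# Constructed placeholders, not real certificates: the check only needs two
# distinct byte strings standing in for DER-encoded CA certificates.
WEBHOOK_CA_DER = b"constructed-ca-currently-served-by-the-webhook"
STALE_CA_DER = b"constructed-older-ca-still-sitting-in-the-crd"


def pem_encode(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (used to build the sample data)."""
    body = base64.b64encode(der).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


def first_pem_cert_der(pem: str) -> Optional[bytes]:
    """DER bytes of the first CERTIFICATE block in a PEM string, or None if there is none."""
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----") + 1
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        return None
    return base64.b64decode("".join(lines[start:end]))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def crd_ca_bundle(crd: dict) -> Optional[bytes]:
    """CA the API server trusts when calling the CRD's conversion webhook.

    apiextensions v1beta1 stores it at spec.conversion.webhookClientConfig.caBundle,
    v1 at spec.conversion.webhook.clientConfig.caBundle; the JSON value is base64 of
    a PEM bundle. An absent field means cainjector has not injected anything yet.
    """
    conversion = crd.get("spec", {}).get("conversion", {})
    cfg = conversion.get("webhookClientConfig") or conversion.get("webhook", {}).get("clientConfig", {})
    encoded = cfg.get("caBundle")
    if not encoded:
        return None
    raw = base64.b64decode(encoded)
    return first_pem_cert_der(raw.decode()) if raw.startswith(b"-----BEGIN") else raw


def secret_ca(secret: dict, key: str = "ca.crt") -> Optional[bytes]:
    """CA the webhook actually serves, read from a Secret's data[key] (base64 of PEM)."""
    encoded = secret.get("data", {}).get(key)
    if not encoded:
        return None
    return first_pem_cert_der(base64.b64decode(encoded).decode())


def compare_ca(crd: dict, secret: dict) -> dict:
    """Decide whether `x509: certificate signed by unknown authority` on /convert is a CA mismatch."""
    bundle, served = crd_ca_bundle(crd), secret_ca(secret)
    result = {
        "crd_caBundle_sha256": fingerprint(bundle) if bundle else None,
        "webhook_ca_sha256": fingerprint(served) if served else None,
    }
    if bundle is None:
        result["verdict"] = "missing: CRD has no caBundle, cainjector has not injected the webhook CA"
    elif served is None:
        result["verdict"] = "missing: Secret has no CA, the webhook has not generated its serving CA"
    elif bundle == served:
        result["verdict"] = "match: API server trusts the CA the webhook serves, the error lies elsewhere"
    else:
        result["verdict"] = "MISMATCH: API server rejects the webhook certificate (unknown authority / bad certificate)"
    return result


# Constructed `kubectl get crd ... -o json` / `kubectl get secret ... -o json` output, reduced to
# the fields used above. The CRD still carries the stale CA, so the verdict is MISMATCH.
SAMPLE_CRD = {"spec": {"conversion": {"strategy": "Webhook", "webhookClientConfig": {
    "service": {"name": "cert-manager-webhook", "namespace": "cert-manager", "path": "/convert"},
    "caBundle": base64.b64encode(pem_encode(STALE_CA_DER).encode()).decode()}}}}
SAMPLE_SECRET = {"data": {"ca.crt": base64.b64encode(pem_encode(WEBHOOK_CA_DER).encode()).decode()}}


def main(crd="certificates.cert-manager.io", namespace="cert-manager", secret="cert-manager-webhook-ca"):
    """Run the same check against a live cluster; the resource names are assumed 0.14 defaults."""
    def get(*args):
        return json.loads(subprocess.check_output(["kubectl", "get", *args, "-o", "json"]))
    print(json.dumps(compare_ca(get("crd", crd), get("secret", "-n", namespace, secret)), indent=2))


if __name__ == "__main__":
    print(json.dumps(compare_ca(SAMPLE_CRD, SAMPLE_SECRET), indent=2))  # offline demo on the sample data
```

Run as-is it evaluates the constructed sample; call `main()` to query a cluster instead. Because both fingerprints are printed, a mismatch also tells you which side is stale: if the Secret changed after the CRDs were installed (for example after a webhook restart or an upgrade that regenerated the CA), the CRD `caBundle` is the copy that cainjector needs to refresh, and restarting cainjector or checking its logs is the next step; if the CRDs carry no `caBundle` at all, cainjector never ran against them.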

Best answer

It seems v0.14.3 has some kind of bug. v0.15.0 does not have this problem.

Regarding "ssl - Debugging cert-manager certificate creation failure on AKS", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61914209/
