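I am trying to create another Issuer for another subdomain. I am following this example: the Digital Ocean Kubernetes tutorial, in which the author works with the http://echo.starter-kit.online/ subdomain, and I was able to get that working using my own subdomain.
I am now trying to get the quote.starter-kit.online example working by creating a new Issuer, as follows: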
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: quote-letsencrypt-nginx
  namespace: backend
spec:
  # ACME issuer configuration
  # `email` - the email address to be associated with the ACME account (make sure it's a valid one)
  # `server` - the URL used to access the ACME server’s directory endpoint
  # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
  acme:
    email: my@mydomain.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: quote-letsencrypt-nginx-private-key
    solvers:
      # Use the HTTP-01 challenge provider
      - http01:
          ingress:
            class: nginx
And the following Ingress rule that references the subdomain:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-quote
  namespace: backend
  annotations:
    cert-manager.io/issuer: letsencrypt-nginx
spec:
  tls:
    - hosts:
        - quote.mydomain.com
      secretName: quote-letsencrypt
  rules:
    - host: quote.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: quote
                port:
                  number: 8080
  ingressClassName: nginx
When I run the following:
>kubectl get certificates -n backend
NAME                      READY   SECRET                    AGE
letsencrypt-nginx         True    letsencrypt-nginx         5d2h
quote-letsencrypt-nginx   False   quote-letsencrypt-nginx   2s
I can see the certificate. However, when I run the following, I find that https does not work:
curl -Li quote.mydomain.com
HTTP/1.1 308 Permanent Redirect
Date: Sun, 02 Jan 2022 23:49:40 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://quote.mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Try:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-quote
  namespace: backend
  annotations:
    cert-manager.io/issuer: quote-letsencrypt-nginx # <-- changed
spec:
  tls:
    - hosts:
        - quote.mydomain.com
      secretName: quote-letsencrypt-tls
  rules:
    ...
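An added example, not part of the original question or answer: a small check that cross-references each Ingress's `cert-manager.io/issuer` annotation against the Issuers in the same namespace, reporting annotations that name a missing Issuer and Issuers that no Ingress points at (the state the question describes). It assumes input in the shape of `kubectl get issuers,ingresses -A -o json`; the sample objects are constructed, and `ingress-echo` is an assumed name.

```python
import json

ISSUER_ANNOTATION = "cert-manager.io/issuer"  # namespaced Issuer annotation used on this page

def audit_issuer_refs(list_json):
    """Cross-check Ingress issuer annotations against Issuers in the same namespace.

    list_json: output of `kubectl get issuers,ingresses -A -o json` (a List object).
    Returns (dangling, unreferenced):
      dangling     -> (namespace, ingress, issuer) naming an Issuer that does not exist
      unreferenced -> (namespace, issuer) that no Ingress annotation points at
    """
    issuers, refs = set(), []
    for obj in json.loads(list_json).get("items", []):
        meta = obj.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name")
        if obj.get("kind") == "Issuer":
            issuers.add((ns, name))
        elif obj.get("kind") == "Ingress":
            ref = (meta.get("annotations") or {}).get(ISSUER_ANNOTATION)
            if ref:
                refs.append((ns, name, ref))
    # An Issuer is namespaced, so the lookup key is (namespace, issuer name).
    dangling = sorted(r for r in refs if (r[0], r[2]) not in issuers)
    unreferenced = sorted(issuers - {(ns, ref) for ns, _, ref in refs})
    return dangling, unreferenced

def sample(quote_issuer):
    """Constructed input modelled on the question; `ingress-echo` is an assumed name."""
    def obj(kind, name, issuer=None):
        meta = {"name": name, "namespace": "backend"}
        if issuer:
            meta["annotations"] = {ISSUER_ANNOTATION: issuer}
        return {"kind": kind, "metadata": meta}
    return json.dumps({"kind": "List", "items": [
        obj("Issuer", "letsencrypt-nginx"),
        obj("Issuer", "quote-letsencrypt-nginx"),
        obj("Ingress", "ingress-echo", "letsencrypt-nginx"),
        obj("Ingress", "ingress-quote", quote_issuer),
    ]})

if __name__ == "__main__":
    # Question's annotation, the answer's annotation, and a misspelled one.
    for issuer in ("letsencrypt-nginx", "quote-letsencrypt-nginx", "quote-letsencrypt"):
        print(issuer, audit_issuer_refs(sample(issuer)))
```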