我遵循了DigitalOcean指南https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes,我遇到了一些非常奇怪的事情。当我在主机名中设置通配符时,letsencrypt无法颁发新证书。而当我只设置已定义的子域时,它就可以完美地工作。
这是我的"工作"。域及其API的配置(这个可以完美地工作):
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- example.com
- api.example.com
secretName: my-tls
rules:
- host: example.com
http:
paths:
- backend:
serviceName: example-frontend
servicePort: 80
- host: api.example.com
http:
paths:
- backend:
serviceName: example-api
servicePort: 80
这是,相反,我试图发出的通配符证书,但这失败了,留下消息&;issuing&;
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- example.com
- *.example.com
secretName: my-tls
rules:
- host: example.com
http:
paths:
- backend:
serviceName: example-frontend
servicePort: 80
- host: api.example.com
http:
paths:
- backend:
serviceName: example-api
servicePort: 80
唯一的区别是主机的第二行。是否存在我不知道的琐碎的众所周知的解决方案?我是Kubernetes的新手,但不是DevOps。
使用cert-manager(letsencrypt)生成通配符证书需要使用DNS-01挑战而不是问题链接中使用的HTTP-01:
让我们加密发出通配符证书吗?
是的。通配符的发布必须通过使用DNS-01挑战的ACMEv2完成。有关更多技术信息,请参阅本文。
有一个关于用cert-manager生成wildcard证书的文档:
- Cert-manager。io: Docs: Configuration: ACME: DNS-01
从DigialOcean的角度来看,有一个专门针对它的指南:
此提供程序使用Kubernetes
Secret资源工作。在下面例如,Secret必须命名为digitalocean-dns,并具有子密钥access-token,其中包含令牌。例如:apiVersion: v1 kind: Secret metadata: name: digitalocean-dns namespace: cert-manager data: # insert your DO access token here access-token: "base64 encoded access-token here"访问令牌必须具有写权限。
要创建个人访问令牌,请参阅DigitalOcean文档。
方便直接链接:https://cloud.digitalocean.com/account/api/tokens/new
要将访问令牌编码为base64,可以使用以下
echo -n 'your-access-token' | base64 -w 0apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: example-issuer spec: acme: ... solvers: - dns01: digitalocean: tokenSecretRef: name: digitalocean-dns key: access-token,Cert-manager。io: Docs: Configuration: ACME: DNS-01: Digitalocean
我想这些额外的资源也会有所帮助:
- Stackoverflow.com:问题:通配符SSL证书与子域重定向在Kubernetes
- Itnext。在Kubernetes 中使用cert-manager使用通配符证书
通配符证书要求DNS-01方法
注意:您可能需要首先在DNS中添加CAA记录。
CAA记录可以被添加到DNS区域
:
Type Value
devops.in CAA 0 issuewild "letsencrypt.org"
获取详细信息:https://sslmate.com/caa/
首先,您必须使用命令 创建用于存储access key的密钥kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
在此分享示例issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: test123@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- selector:
dnsZones:
- "devops.in"
dns01:
route53:
region: us-east-1
hostedZoneID: Z2152140EXAMPLE
accessKeyID: AKIA5A5D7EXAMPLE
secretAccessKeySecretRef:
name: route53-secret
key: secret-access-key
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: le-crt
spec:
secretName: tls-secret
issuerRef:
kind: Issuer
name: letsencrypt-prod
commonName: "*.devops.in"
dnsNames:
- "*.devops.in"
同时,确保您的用户有必要的权限来管理Route53
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ChangeResourceRecordSets",
"Resource": "arn:aws:route53:::hostedzone/*"
},
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
}
]
}