Unable to assign a certificate with Cert Manager and the NGINX ingress controller in GKE



I am using the NGINX Ingress controller (internal ingress) and the Cert Manager 0.15.1 Helm chart. Kubernetes version: 1.14.x

My certificate status never becomes True. I have tried both challenge types, DNS01 and HTTP01, and the result is the same. Error:

Attached screenshot: Kubernetes Ingress Controller Fake Certificate

cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

Ingress.yaml

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-devtools-ilb-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - domain.com
    secretName: create-new-secret
  rules:
  - host: domain.com
    http:
      paths:
      - path: "/"
        backend:
          serviceName: hello-service
          servicePort: hello-port
      - path: "/kube"
        backend:
          serviceName: hello-kubernetes
          servicePort: 80

kubectl describe certificate create-new-secret

Name:         create-new-secret
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-07-19T13:30:01Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  <ingress-name>
    UID:                   f0b74bb6-c903-11ea-9960-4201ac100008
  Resource Version:        521536
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/<namespace>/certificates/create-new-secret
  UID:                     f2b63e87-c9c3-11ea-bb3e-4201ac100004
Spec:
  Dns Names:
    domain.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  create-new-secret
Status:
  Conditions:
    Last Transition Time:  2020-07-19T13:30:02Z
    Message:               Waiting for CertificateRequest "create-new-secret-2447513806" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  3m8s  cert-manager  Generated a new private key
  Normal  Requested     3m8s  cert-manager  Created new CertificateRequest resource "create-new-secret-2447513806"

Please help me resolve this.
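A static consistency check over manifests like the ones in the question, added here as an example that is not part of the question or any answer. It encodes how cert-manager's ingress-shim resolves the two annotations (`cert-manager.io/issuer` to an Issuer in the Ingress namespace, `cert-manager.io/cluster-issuer` to a ClusterIssuer) and compares the HTTP-01 solver's ingress class and the TLS hosts against the Ingress; the dicts are constructed copies of the question's ClusterIssuer and Ingress, and the namespace `devtools` is an assumption.

```python
# Added example (not from the question or answers): static checks mirroring how
# cert-manager's ingress-shim resolves issuer annotations and the HTTP-01 solver
# class. Manifests are constructed copies of the question's; namespace is assumed.
ANNOTATION_KIND = {"cert-manager.io/issuer": "Issuer",                # namespaced
                   "cert-manager.io/cluster-issuer": "ClusterIssuer"}  # cluster-wide

ISSUERS = [{"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-staging"},
            "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}}]

INGRESS = {"kind": "Ingress",
           "metadata": {"name": "ingress-devtools-ilb-https", "namespace": "devtools",
                        "annotations": {"kubernetes.io/ingress.class": "nginx",
                                        "cert-manager.io/issuer": "letsencrypt-staging"}},
           "spec": {"tls": [{"hosts": ["domain.con"], "secretName": "create-new-secret"}],
                    "rules": [{"host": "domain.com"}]}}


def check_ingress(ingress, issuers):
    """Return findings that would keep ingress-shim from producing a Ready Certificate."""
    findings = []
    meta = ingress["metadata"]
    ann = meta.get("annotations", {})
    ns = meta.get("namespace", "default")
    ingress_class = ann.get("kubernetes.io/ingress.class")
    refs = [(a, ann[a]) for a in ANNOTATION_KIND if a in ann]
    if not refs:
        findings.append("no cert-manager issuer annotation: ingress-shim creates no Certificate")
    for annotation, name in refs:
        wanted = ANNOTATION_KIND[annotation]
        # An Issuer must live in the Ingress namespace; a ClusterIssuer is looked up globally.
        found = [i for i in issuers if i["kind"] == wanted and i["metadata"]["name"] == name
                 and (wanted == "ClusterIssuer" or i["metadata"].get("namespace") == ns)]
        if not found:
            other = [i["kind"] for i in issuers if i["metadata"]["name"] == name and i["kind"] != wanted]
            hint = f"; {other[0]} {name} exists instead, use its annotation" if other else ""
            findings.append(f"{annotation}={name}: no {wanted} found for namespace {ns}{hint}")
        for issuer in found:  # HTTP-01 solver ingress class must match the Ingress class
            for solver in issuer.get("spec", {}).get("acme", {}).get("solvers", []):
                solver_class = solver.get("http01", {}).get("ingress", {}).get("class")
                if solver_class and solver_class != ingress_class:
                    findings.append(f"http01 solver class {solver_class!r} != ingress class {ingress_class!r}")
    rule_hosts = {r.get("host") for r in ingress["spec"].get("rules", []) if r.get("host")}
    for tls in ingress["spec"].get("tls", []):
        if not tls.get("secretName"):
            findings.append("tls entry without secretName: nowhere to store the issued certificate")
        for host in tls.get("hosts", []):
            if host not in rule_hosts:
                findings.append(f"tls host {host!r} matches no rule host {sorted(rule_hosts)}")
    return findings
```

Running `check_ingress(INGRESS, ISSUERS)` on the constructed copies reports the Issuer/ClusterIssuer annotation mismatch and the `domain.con` host that matches no rule; an empty list means the Ingress is at least consistent with the issuer it names.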

This is because you are using Let's Encrypt's staging server. The staging server is only for testing; once you are satisfied that everything works, you can move to the production server.

You need to create a new issuer following the example below.

Afterwards, change the ingress annotation to:

cert-manager.io/issuer: "letsencrypt-production"

Reference:

https://letsencrypt.org/docs/staging-environment/

I was able to resolve this with the help of DNS01.

Let's Encrypt production certificate issuer (ILB)

---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: cert-issuer
  namespace: <>
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 
    privateKeySecretRef:
      name: dns-prod-issuer
    solvers:
    - selector: {}
      dns01:
        clouddns:
          project: GCP_project_ID
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json

Let's Encrypt production certificate

---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: cert
  namespace: <>
spec:
  secretName: cert-secret
  issuerRef:
    name: cert-issuer
    kind: Issuer
  dnsNames:
  - host.domain.com
  - www.host.domain.com

Ingress

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-https
  namespace: <>
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: host.domain.com
    http:
      paths:
      - path: "/"
        backend:
          serviceName: 
          servicePort: 
  tls:
  - hosts:
    - host.domain.com
    secretName: cert-secret

Latest update