我正在尝试在 kubernetes 中使用 docker 容器生成certbot/certbotSSL 证书。我为此目的使用Job控制器,这看起来是最合适的选择。当我运行独立选项时,出现以下错误:
授权过程失败。staging.ishankhare.com (http-01(: urn:ietf:params:acme:error:connection :: 服务器无法连接 到客户端以验证域 :: 正在获取 http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: 连接期间超时(可能是防火墙问题(
我已经通过运行一个简单的nginx容器确保这不是由于DNS条目配置错误造成的,并且它可以正确解析。以下是我的Jobs文件:
apiVersion: batch/v1
kind: Job
metadata:
#labels:
# app: certbot-generator
name: certbot
spec:
template:
metadata:
labels:
app: certbot-generate
spec:
volumes:
- name: certs
containers:
- name: certbot
image: certbot/certbot
command: ["certbot"]
#command: ["yes"]
args: ["certonly", "--noninteractive", "--agree-tos", "--staging", "--standalone", "-d", "staging.ishankhare.com", "-m", "me@ishankhare.com"]
volumeMounts:
- name: certs
mountPath: "/etc/letsencrypt/"
#- name: certs
#mountPath: "/opt/"
ports:
- containerPort: 80
- containerPort: 443
restartPolicy: "OnFailure"
和我的服务:
apiVersion: v1
kind: Service
metadata:
name: certbot-lb
labels:
app: certbot-lb
spec:
type: LoadBalancer
loadBalancerIP: 35.189.170.149
ports:
- port: 80
name: "http"
protocol: TCP
- port: 443
name: "tls"
protocol: TCP
selector:
app: certbot-generator
完整的错误消息如下所示:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging.ishankhare.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: staging.ishankhare.com
Type: connection
Detail: Fetching
http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
我也尝试将其作为一个简单的Pod运行,但没有帮助。虽然我仍然觉得把它作为完成Job运行是要走的路。
首先,请注意您的Job定义是有效的,但spec.template.metadata.labels.app: certbot-generate值与您的Service定义不匹配spec.selector.app: certbot-generator:一个是certbot-generate,第二个是certbot-generator。因此,作业控制器运行的 Pod 永远不会作为终结点添加到服务中。
调整一个或另一个,但它们必须匹配,这可能只是工作:)
虽然,我不确定使用带有选择器的Service从Job控制器针对短期 pod 是否有效,在您测试的简单Pod中也是如此。作业(或您创建的任何简单 pod(创建的certbot-randomIdpod 总共需要大约 15 秒才能运行/失败,HTTP 验证质询在 Pod 生命周期仅几秒钟后触发:我不清楚 Kubernetes 代理是否有足够的时间已经在服务和 Pod 之间工作。
我们可以放心地假设Service确实在工作,因为您提到您测试了 DNS 解析,因此您可以通过添加sleep 10(或更多!(来轻松确保这不是计时问题,以便有更多时间将 pod 作为端点添加到服务中,并在 certbot 触发 HTTP 质询之前进行适当的代理。只需更改您的Job命令和参数:
command: ["/bin/sh"]
args: ["-c", "sleep 10 && certbot certonly --noninteractive --agree-tos --staging --standalone -d staging.ishankhare.com -m me@ishankhare.com"]
在这里,这可能也行得通:)
话虽如此,我强烈建议您使用 cert-manager,您可以通过其稳定的 Helm 图表轻松安装它:它引入的Certificate自定义资源将把您的证书存储在一个Secret中,这将使它可以直接从任何 K8s 资源重用,它会自动处理续订,所以你可以忘记这一切。