Kubernetes certbot standalone does not work

Time: 2018-10-20 07:14:49

Tags: docker kubernetes lets-encrypt certbot

I am trying to generate SSL certificates using the certbot/certbot docker container in Kubernetes. For this I am using a Job controller, which seems to be the most appropriate choice. When running the standalone option, I get the following error:

Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)

I made sure this is not caused by a misconfigured DNS entry by running a simple nginx container, and it resolves correctly. Here is my Job file:

apiVersion: batch/v1
kind: Job
metadata:
  #labels:
  #  app: certbot-generator
  name: certbot
spec:
  template:
    metadata:
      labels:
        app: certbot-generate
    spec:
      volumes:
        - name: certs
      containers:
        - name: certbot
          image: certbot/certbot
          command: ["certbot"]
          #command: ["yes"]
          args: ["certonly", "--noninteractive", "--agree-tos", "--staging", "--standalone", "-d", "staging.ishankhare.com", "-m", "me@ishankhare.com"]

          volumeMounts:
            - name: certs
              mountPath: "/etc/letsencrypt/"
              #- name: certs
              #mountPath: "/opt/"
          ports:
            - containerPort: 80
            - containerPort: 443
      restartPolicy: "OnFailure"

And my Service:

apiVersion: v1
kind: Service
metadata:
  name: certbot-lb
  labels:
    app: certbot-lb
spec:
  type: LoadBalancer
  loadBalancerIP: 35.189.170.149
  ports:
    - port: 80
      name: "http"
      protocol: TCP
    - port: 443
      name: "tls"
      protocol: TCP
  selector:
    app: certbot-generator

The full error message is this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging.ishankhare.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: staging.ishankhare.com
   Type:   connection
   Detail: Fetching
   http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

I have also tried running it as a simple Pod, but that did not help. Although I still think doing it as a Job is the way to go.

1 answer:

Answer 0: (score: 2)

First, note that your Job definition is valid, but the value of spec.template.metadata.labels.app: certbot-generate does not match your Service definition's spec.selector.app: certbot-generator: the first is certbot-generate, the second is certbot-generator. So the pods run by the Job controller will never be added as endpoints of the Service.

Adjust one or the other, but they must match, and that might just do it :)

That said, I am not sure about using a Service with a selector to target the short-lived pods of a Job controller, nor with the simple Pod you tested. The certbot-randomId Pod created by the Job (or any simple Pod you create) takes about 15 seconds in total to run/fail, and the HTTP validation challenge is triggered when the Pod has only been alive for a few seconds: it is not clear to me that this is enough for the kubernetes proxying between the Service and the Pod to be working.

We can safely assume the Service is indeed working, since you mentioned you have tested DNS resolution, so you can easily make sure this is not a timing issue by adding a sleep 10 (or more!) to it. Give it more time so the Pod gets added as an endpoint of the Service and is properly proxied before certbot triggers the HTTP challenge. Just change your Job command and args:

command: ["/bin/sh"]
args: ["-c", "sleep 10 && certbot certonly --noninteractive --agree-tos --staging --standalone -d staging.ishankhare.com -m me@ishankhare.com"]

There, that might work too :)


That said, I warmly recommend using cert-manager, which is easily installed via its stable Helm chart: the Certificate custom resource it introduces stores your certificate in a Secret, which makes reusing it from any K8s resource straightforward, and it renews it automatically, so you can simply forget about the whole thing.
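The label mismatch described in the answer can be caught before anything is applied to the cluster. The following is an added example (not code from the question or the answer): it models the two manifests as Python dicts constructed from the YAML above and applies the Kubernetes equality-selector rule (every selector key/value must be present in the pod template labels), reporting the mismatch and showing that the corrected label passes.

```python
"""Offline pre-flight check: does a Service selector pick up a Job's pods?"""
import copy

# Constructed from the question's manifests, including the label typo.
JOB = {
    "kind": "Job",
    "spec": {"template": {"metadata": {"labels": {"app": "certbot-generate"}}}},
}
SERVICE = {
    "kind": "Service",
    "spec": {"selector": {"app": "certbot-generator"}},
}


def selector_matches(selector, labels):
    """Equality selectors match when every selector key/value exists in labels
    (labels may carry extra keys; the selector may not demand missing ones)."""
    return all(labels.get(key) == value for key, value in selector.items())


def find_selector_mismatches(service, job):
    """Return (key, wanted_by_service, found_on_pod_template) for every
    selector entry the Job's pod template does not satisfy.
    An empty list means the Job's pods would become Service endpoints."""
    selector = service["spec"].get("selector", {})
    labels = job["spec"]["template"].get("metadata", {}).get("labels", {})
    if selector_matches(selector, labels):
        return []
    return [(key, value, labels.get(key))
            for key, value in selector.items() if labels.get(key) != value]


def fixed_job(job, service):
    """Copy of the Job whose pod template labels satisfy the Service selector
    (the answer's first fix: make the two values agree)."""
    patched = copy.deepcopy(job)
    labels = patched["spec"]["template"].setdefault("metadata", {}).setdefault("labels", {})
    labels.update(service["spec"].get("selector", {}))
    return patched


if __name__ == "__main__":
    print("as posted:", find_selector_mismatches(SERVICE, JOB))
    print("after fix:", find_selector_mismatches(SERVICE, fixed_job(JOB, SERVICE)))
```

As posted, the check reports the single mismatch `app: certbot-generator` versus `certbot-generate`; after the fix it reports nothing, which is the precondition for the sleep-based timing test the answer suggests next.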
