Kubernetes让我们加密证书管理器未找到错误密码

时间:2018-11-06 17:55:53

标签: kubernetes lets-encrypt cert-manager

我按照本教程进行操作,让我们使用kubernetes进行加密:https://github.com/ahmetb/gke-letsencrypt/blob/master/

我遇到了一些问题,cert-manager没有创建所需的机密。 您能帮我解决这个问题吗?

证书管理器错误:

Found status change for Certificate "mydomain.fr" condition "Ready": "False" -> "False"; setting lastTransitionTime to 2018-11-06 17:37:20.683089649 +0000 UTC m=+5887.364224968
Error preparing issuer for certificate coffeer-ci/mydomain.fr: http-01 self check failed for domain "mydomain.fr"
[coffeer-ci/mydomain.fr] Error getting certificate 'domain-tls': secret "domain-tls" not found

这是我的kubernetes对象:

kubectl -n kube-system describe pod cert-manager

Name:           cert-manager-7bb46cc6b-scqrp
Namespace:      kube-system
Node:           gke-inkubator-default-pool-68c0309d-b86b/10.132.0.3
Start Time:     Tue, 06 Nov 2018 16:59:10 +0100
Labels:         app=cert-manager
                pod-template-hash=366027726
                release=cert-manager
Annotations:    <none>
Status:         Running
IP:             10.16.1.132
Controlled By:  ReplicaSet/cert-manager-7bb46cc6b
Containers:
  cert-manager:
    Container ID:  docker://d4795cfa85aacd2cbd0c5fd51246c436e3cf953632f4ca4a26e683c5867bf113
    Image:         quay.io/jetstack/cert-manager-controller:v0.5.0
    Image ID:      docker-pullable://quay.io/jetstack/cert-manager-controller@sha256:fd89c3c33fd89ffe0a9f91df2f54423397058d4180eccfe90b831859ba46b6e5
    Port:          <none>
    Host Port:     <none>
    Args:
      --cluster-resource-namespace=$(POD_NAMESPACE)
      --leader-election-namespace=$(POD_NAMESPACE)
    State:          Running
      Started:      Tue, 06 Nov 2018 16:59:13 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from cert-manager-token-9ck7b (ro)
Conditions:
  Type           Status
  Initialized    True 
  Ready          True 
  PodScheduled   True 
Volumes:
  cert-manager-token-9ck7b:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cert-manager-token-9ck7b
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>

kubectl describe clusterissuer

Name:         letsencrypt-staging
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-11-06T16:00:23Z
  Generation:          1
  Resource Version:    10184529
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-staging
  UID:                 11e44fe0-e1dd-11e8-8bc6-42010a840078
Spec:
  Acme:
    Email:  dev@mydomain.com
    Http 01:
    Private Key Secret Ref:
      Key:   
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-staging-v02.api.letsencrypt.org/acme/acct/7297218
  Conditions:
    Last Transition Time:  2018-11-06T16:00:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

kubectl -n coffeer-ci describe certificate

Name:         mydomain.fr
Namespace:    coffeer-ci
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-11-06T16:10:57Z
  Generation:          1
  Resource Version:    10197662
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/coffeer-ci/certificates/mydomain.fr
  UID:                 8b6d508a-e1de-11e8-8bc6-42010a840078
Spec:
  Acme:
    Config:
      Domains:
        mydomain.fr
      Http 01:
        Ingress:  coffee-ingress
  Common Name:    mydomain.fr
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-staging
  Secret Name:  domain-tls
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz/wm5MvoFA12U37qdXdBCccyIWezpEsLoxHUGVDacmHpI
        Domain:     mydomain.fr
        Http 01:
          Ingress:  coffee-ingress
        Key:        RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M.4LwovuRj4ZgjrwLuye1cd5ftBRYaGIvtK__igMmDUD8
        Token:      RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M
        Type:       http-01
        URL:        https://acme-staging-v02.api.letsencrypt.org/acme/challenge/wm5MvoFA12U37qdXdBCccyIWezpEsLoxHUGVDacmHpI/192521366
        Wildcard:   false
      URL:          https://acme-staging-v02.api.letsencrypt.org/acme/order/7297218/12596140
  Conditions:
    Last Transition Time:  2018-11-06T17:47:28Z
    Message:               http-01 self check failed for domain "mydomain.bap.fr"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:                    <none>

kubectl -n coffeer-ci describe ingress

Name:             coffee-ingress
Namespace:        coffeer-ci
Address:          35.233.8.223
Default backend:  default-http-backend:80 (10.16.1.5:8080)
Rules:
  Host                       Path  Backends
  ----                       ----  --------
  mydomain.fr  
                             /                                                                         coffee-service:80 (<none>)
                             /.well-known/acme-challenge/RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M   cm-acme-http-solver-kw2w4:8089 (<none>)
Annotations:
  ingress.kubernetes.io/forwarding-rule:        k8s-fw-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  ingress.kubernetes.io/target-proxy:           k8s-tp-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  ingress.kubernetes.io/url-map:                k8s-um-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  kubernetes.io/ingress.global-static-ip-name:  coffeer-ci-static
  kubernetes.io/tls-acme:                       true
  ingress.kubernetes.io/backends:               {"k8s-be-32603--4b1e5690f5d3853f":"HEALTHY"}
Events:
  Type     Reason             Age                 From                      Message
  ----     ------             ----                ----                      -------
  Normal   CREATE             40m                 nginx-ingress-controller  Ingress coffeer-ci/coffee-ingress
  Normal   CreateCertificate  34m                 cert-manager              Successfully created Certificate "domain-tls"
  Warning  Sync               25m (x23 over 59m)  loadbalancer-controller   Could not find TLS certificates. Continuing setup for the load balancer to serve HTTP. Note: this behavior is deprecated and will be removed in a future version of ingress-gce
  Normal   UPDATE             15m (x8 over 39m)   nginx-ingress-controller  Ingress coffeer-ci/coffee-ingress
  Warning  Sync               3m (x49 over 1h)    loadbalancer-controller   Error during sync: googleapi: Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded

我也遇到错误错误403:超出了配额“ BACKEND_SERVICES”。限制:全局9.0。在入口处达到quotaExceeded

谢谢

1 个答案:

答案 0 :(得分:1)

  

为证书coffeer-ci / mydomain.fr准备颁发者时出错:域“ mydomain.fr”的http-01自检失败

表示它无法通过HTTP检查您实际拥有该域。您是否拥有mydomain.fr?如果是,则需要添加DNS条目以使mydomain.fr解析到负载均衡器的外部IP(A记录)(或者如果负载均衡器具有名称条目,则它必须是CNAME记录,在(对于AWS ELB))lettscrypt可以使用它来验证您是否拥有域。

另一个错误:

  

警告同步3m(1小时x49倍)loadbalancer-controller同步期间出错:googleapi:错误403:超出了配额'BACKEND_SERVICES'。限制:全局9.0。,quotaExceeded

看起来是无法验证域的副产品。如果您未指定,并且Ingress看起来像cert-manager为您创建了一种'LoadBalancer'服务类型。看起来它最初是创建它的,但是它一直尝试同步以在GCP上创建它(可能是因为要检查它是否可以配置端口443),但是过了一会儿,GCP API却在节制您。