I followed this tutorial, Let's Encrypt with Kubernetes: https://github.com/ahmetb/gke-letsencrypt/blob/master/
I ran into some problems: cert-manager does not create the required secret. Could you help me solve this?
cert-manager errors:
Found status change for Certificate "mydomain.fr" condition "Ready": "False" -> "False"; setting lastTransitionTime to 2018-11-06 17:37:20.683089649 +0000 UTC m=+5887.364224968
Error preparing issuer for certificate coffeer-ci/mydomain.fr: http-01 self check failed for domain "mydomain.fr"
[coffeer-ci/mydomain.fr] Error getting certificate 'domain-tls': secret "domain-tls" not found
Here are my Kubernetes objects:
kubectl -n kube-system describe pod cert-manager
Name:           cert-manager-7bb46cc6b-scqrp
Namespace:      kube-system
Node:           gke-inkubator-default-pool-68c0309d-b86b/10.132.0.3
Start Time:     Tue, 06 Nov 2018 16:59:10 +0100
Labels:         app=cert-manager
                pod-template-hash=366027726
                release=cert-manager
Annotations:    <none>
Status:         Running
IP:             10.16.1.132
Controlled By:  ReplicaSet/cert-manager-7bb46cc6b
Containers:
  cert-manager:
    Container ID:  docker://d4795cfa85aacd2cbd0c5fd51246c436e3cf953632f4ca4a26e683c5867bf113
    Image:         quay.io/jetstack/cert-manager-controller:v0.5.0
    Image ID:      docker-pullable://quay.io/jetstack/cert-manager-controller@sha256:fd89c3c33fd89ffe0a9f91df2f54423397058d4180eccfe90b831859ba46b6e5
    Port:          <none>
    Host Port:     <none>
    Args:
      --cluster-resource-namespace=$(POD_NAMESPACE)
      --leader-election-namespace=$(POD_NAMESPACE)
    State:          Running
      Started:      Tue, 06 Nov 2018 16:59:13 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from cert-manager-token-9ck7b (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:
  cert-manager-token-9ck7b:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cert-manager-token-9ck7b
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
kubectl describe clusterissuer
Name:         letsencrypt-staging
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-11-06T16:00:23Z
  Generation:          1
  Resource Version:    10184529
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-staging
  UID:                 11e44fe0-e1dd-11e8-8bc6-42010a840078
Spec:
  Acme:
    Email:  dev@mydomain.com
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-staging-v02.api.letsencrypt.org/acme/acct/7297218
  Conditions:
    Last Transition Time:  2018-11-06T16:00:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:  <none>
kubectl -n coffeer-ci describe certificate
Name:         mydomain.fr
Namespace:    coffeer-ci
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-11-06T16:10:57Z
  Generation:          1
  Resource Version:    10197662
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/coffeer-ci/certificates/mydomain.fr
  UID:                 8b6d508a-e1de-11e8-8bc6-42010a840078
Spec:
  Acme:
    Config:
      Domains:
        mydomain.fr
      Http 01:
        Ingress:  coffee-ingress
  Common Name:  mydomain.fr
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-staging
  Secret Name:  domain-tls
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz/wm5MvoFA12U37qdXdBCccyIWezpEsLoxHUGVDacmHpI
        Domain:     mydomain.fr
        Http 01:
          Ingress:  coffee-ingress
        Key:        RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M.4LwovuRj4ZgjrwLuye1cd5ftBRYaGIvtK__igMmDUD8
        Token:      RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M
        Type:       http-01
        URL:        https://acme-staging-v02.api.letsencrypt.org/acme/challenge/wm5MvoFA12U37qdXdBCccyIWezpEsLoxHUGVDacmHpI/192521366
        Wildcard:   false
      URL:  https://acme-staging-v02.api.letsencrypt.org/acme/order/7297218/12596140
  Conditions:
    Last Transition Time:  2018-11-06T17:47:28Z
    Message:               http-01 self check failed for domain "mydomain.bap.fr"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:  <none>
kubectl -n coffeer-ci describe ingress
Name:             coffee-ingress
Namespace:        coffeer-ci
Address:          35.233.8.223
Default backend:  default-http-backend:80 (10.16.1.5:8080)
Rules:
  Host         Path                                                                 Backends
  ----         ----                                                                 --------
  mydomain.fr
               /                                                                    coffee-service:80 (<none>)
               /.well-known/acme-challenge/RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M   cm-acme-http-solver-kw2w4:8089 (<none>)
Annotations:
  ingress.kubernetes.io/forwarding-rule:          k8s-fw-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  ingress.kubernetes.io/target-proxy:             k8s-tp-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  ingress.kubernetes.io/url-map:                  k8s-um-coffeer-ci-coffee-ingress--4b1e5690f5d3853f
  kubernetes.io/ingress.global-static-ip-name:    coffeer-ci-static
  kubernetes.io/tls-acme:                         true
  ingress.kubernetes.io/backends:                 {"k8s-be-32603--4b1e5690f5d3853f":"HEALTHY"}
Events:
  Type     Reason             Age                 From                      Message
  ----     ------             ----                ----                      -------
  Normal   CREATE             40m                 nginx-ingress-controller  Ingress coffeer-ci/coffee-ingress
  Normal   CreateCertificate  34m                 cert-manager              Successfully created Certificate "domain-tls"
  Warning  Sync               25m (x23 over 59m)  loadbalancer-controller   Could not find TLS certificates. Continuing setup for the load balancer to serve HTTP. Note: this behavior is deprecated and will be removed in a future version of ingress-gce
  Normal   UPDATE             15m (x8 over 39m)   nginx-ingress-controller  Ingress coffeer-ci/coffee-ingress
  Warning  Sync               3m (x49 over 1h)    loadbalancer-controller   Error during sync: googleapi: Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded
I also get the error "Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded" on the ingress.
Thanks

Answer 0 (score: 1)
Error preparing issuer for certificate coffeer-ci/mydomain.fr: http-01 self check failed for domain "mydomain.fr"

means that it cannot verify over HTTP that you actually own the domain. Do you own mydomain.fr? If so, you need to add a DNS entry so that mydomain.fr resolves to the external IP of your load balancer (an A record), or a CNAME record if your load balancer has a name entry (as with an AWS ELB), so that Let's Encrypt can use it to verify that you own the domain.

The other error:

Warning Sync 3m (x49 over 1h) loadbalancer-controller Error during sync: googleapi: Error 403: Quota 'BACKEND_SERVICES' exceeded. Limit: 9.0 globally., quotaExceeded

looks like a by-product of not being able to validate the domain. It looks like cert-manager created a 'LoadBalancer' service type for you, if you did not specify one, together with the Ingress. It seems it created it initially but then kept trying to sync to create it on GCP (probably to check whether it could configure port 443), and after a while the GCP API started throttling you.
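What the answer describes, the check cert-manager runs before asking the ACME server to validate, can be modelled offline. The block below is an added example, not cert-manager's or the tutorial's code: it resolves the domain, fetches http://<domain>/.well-known/acme-challenge/<token> and compares the body with the expected key authorization (token, a dot, and the RFC 7638 thumbprint of the ACME account key, per RFC 8555 section 8.1). The token and the ingress address come from the output above; the account key, the DNS answers and the HTTP responses are constructed, and the resolver and HTTP client are injected so the four scenarios (no A record, A record pointing elsewhere, solver not routed, healthy) run without network access.

```python
"""Offline model of cert-manager's http-01 self check (added example, not cert-manager code)."""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


Resolver = Callable[[str], List[str]]        # domain -> list of A-record addresses
Fetcher = Callable[[str], Tuple[int, str]]   # url -> (status, body)


def http01_self_check(domain: str, token: str, expected_key_auth: str,
                      resolve: Resolver, fetch: Fetcher,
                      ingress_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason); the reasons mirror what 'http-01 self check failed' hides."""
    addrs = resolve(domain)
    if not addrs:
        return False, f'"{domain}" has no A record, so Let\'s Encrypt cannot reach it'
    if ingress_ip and ingress_ip not in addrs:
        return False, f'"{domain}" resolves to {addrs}, not the ingress address {ingress_ip}'
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    status, body = fetch(url)
    if status != 200:
        return False, f"GET {url} returned HTTP {status}"
    if body.strip() != expected_key_auth:
        return False, f"GET {url} returned a body that is not the key authorization"
    return True, "ok"


# ---- constructed data: the account key and responses are not real ----------
TOKEN = "RjHMkquS8Hh4dvJWZp2jLGW-MrSKEba-y8B8PzmVQ-M"   # token from the Certificate status
INGRESS_IP = "35.233.8.223"                              # address from the Ingress
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",              # constructed, not a real key
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
KEY_AUTH = key_authorization(TOKEN, ACCOUNT_JWK)
CHALLENGE_URL = f"http://mydomain.fr/.well-known/acme-challenge/{TOKEN}"


def make_fetch(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Fake HTTP client; unknown paths get the GKE default backend's 404."""
    return lambda url: responses.get(url, (404, "default backend - 404"))


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """The situations a practitioner meets; keys name the misconfiguration."""
    solver_ok = make_fetch({CHALLENGE_URL: (200, KEY_AUTH)})
    return {
        "no_dns_record": http01_self_check("mydomain.fr", TOKEN, KEY_AUTH,
                                           lambda d: [], solver_ok, INGRESS_IP),
        "dns_points_elsewhere": http01_self_check("mydomain.fr", TOKEN, KEY_AUTH,
                                                  lambda d: ["198.51.100.7"], solver_ok, INGRESS_IP),
        "solver_not_routed": http01_self_check("mydomain.fr", TOKEN, KEY_AUTH,
                                               lambda d: [INGRESS_IP], make_fetch({}), INGRESS_IP),
        "healthy": http01_self_check("mydomain.fr", TOKEN, KEY_AUTH,
                                     lambda d: [INGRESS_IP], solver_ok, INGRESS_IP),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:22} {'PASS' if ok else 'FAIL'}  {reason}")
```

Against a live cluster the same three questions are answered with `dig +short mydomain.fr` (does it return the Ingress address?) and `curl -si http://mydomain.fr/.well-known/acme-challenge/<token>` (does the body equal the Key shown in the Certificate status rather than the default backend's 404?); until both hold, cert-manager will not ask Let's Encrypt to validate, and the `domain-tls` secret is never written.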