获得了tls.crt和tls.key证书,但浏览器仍然引发了非私有连接

时间:2019-03-14 09:48:16

标签: ssl https kubernetes ssl-certificate cert-manager

step 3,我获得了以下IP地址。然后根据此article

自定义了DNS 
$ kubectl get svc
NAME                                       TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                      AGE
kubernetes                                 ClusterIP      10.51.240.1     <none>         443/TCP                      10d
quickstart-nginx-ingress-controller        LoadBalancer   10.51.251.156   35.247.160.2   80:30686/TCP,443:32595/TCP   87s
quickstart-nginx-ingress-default-backend   ClusterIP      10.51.253.66    <none>         80/TCP                       86s
  

分配给入口控制器的外部IP是所有传入流量都应路由到的IP。要启用此功能,请将其添加到您控制的DNS区域,例如example.your-domain.com。

     

此快速入门假定您知道如何为IP地址分配DNS条目。

DNS zone enter image description here

domains.google.com enter image description here enter image description here enter image description here

我可以$ curl -kivL -H 'Host: singh.hbot.dev' 'http://singh.hbot.dev' 这是kuard

的输出 
* Rebuilt URL to: http://singh.hbot.dev/
*   Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 80 (#0)
> GET / HTTP/1.1
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.15.8
Server: nginx/1.15.8
< Date: Thu, 14 Mar 2019 08:59:24 GMT
Date: Thu, 14 Mar 2019 08:59:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 171
Content-Length: 171
< Connection: keep-alive
Connection: keep-alive
< Location: https://singh.hbot.dev/
Location: https://singh.hbot.dev/

<
* Ignoring the response-body
* Connection #0 to host singh.hbot.dev left intact
* Issue another request to this URL: 'https://singh.hbot.dev/'
*   Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Mar 14 08:22:58 2019 GMT
*  expire date: Mar 13 08:22:58 2020 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdf3000e200)
> GET / HTTP/2
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: nginx/1.15.8
server: nginx/1.15.8
< date: Thu, 14 Mar 2019 08:59:24 GMT
date: Thu, 14 Mar 2019 08:59:24 GMT
< content-type: text/html
content-type: text/html
< content-length: 1689
content-length: 1689
< vary: Accept-Encoding
vary: Accept-Encoding
< strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15724800; includeSubDomains

<
<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">

  <title>KUAR Demo</title>

  <link rel="stylesheet" href="/static/css/bootstrap.min.css">
  <link rel="stylesheet" href="/static/css/styles.css">

  <script>
var pageContext = {"hostname":"kuard-79b5d46779-5slz8","addrs":["10.48.2.20"],"version":"v0.8.1-1","versionColor":"hsl(18,100%,50%)","requestDump":"GET / HTTP/1.1\r\nHost: singh.hbot.dev\r\nAccept: */*\r\nUser-Agent: curl/7.54.0\r\nX-Forwarded-For: 10.148.0.49\r\nX-Forwarded-Host: singh.hbot.dev\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Original-Uri: /\r\nX-Real-Ip: 10.148.0.49\r\nX-Request-Id: ba73c8e44498c36480ea0d4164279561\r\nX-Scheme: https","requestProto":"HTTP/1.1","requestAddr":"10.48.2.18:41748"}
  </script>
</head>


<svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<symbol id="icon-power" viewBox="0 0 32 32">
<title>power</title>
<path class="path1" d="M12 0l-12 16h12l-8 16 28-20h-16l12-12z"></path>
</symbol>
<symbol id="icon-notification" viewBox="0 0 32 32">
<title>notification</title>
<path class="path1" d="M16 3c-3.472 0-6.737 1.352-9.192 3.808s-3.808 5.72-3.808 9.192c0 3.472 1.352 6.737 3.808 9.192s5.72 3.808 9.192 3.808c3.472 0 6.737-1.352 9.192-3.808s3.808-5.72 3.808-9.192c0-3.472-1.352-6.737-3.808-9.192s-5.72-3.808-9.192-3.808zM16 0v0c8.837 0 16 7.163 16 16s-7.163 16-16 16c-8.837 0-16-7.163-16-16s7.163-16 16-16zM14 22h4v4h-4zM14 6h4v12h-4z"></path>
</symbol>
</defs>
</svg>

<body>
  <div id="root"></div>
  <script src="/built/bundle.js" type="text/javascript"></script>
</body>
</html>
* Connection #1 to host singh.hbot.dev left intact

继续下一步

$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
$
$ kubectl apply \
>    -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io configured
$
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"

namespace/cert-manager labeled
$
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

install cert-manager 

$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager
NAME:   cert-manager
LAST DEPLOYED: Thu Mar 14 16:06:48 2019
NAMESPACE: cert-manager
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME                                    AGE
cert-manager-edit                       3s
cert-manager-view                       3s
cert-manager-webhook:webhook-requester  3s

==> v1/Pod(related)
NAME                                      READY  STATUS             RESTARTS  AGE
cert-manager-6f68b58796-w44tn             0/1    ContainerCreating  0         3s
cert-manager-cainjector-67b4696847-l2lhb  0/1    ContainerCreating  0         3s
cert-manager-webhook-6f58884b96-gh52r     0/1    ContainerCreating  0         3s

==> v1/Service
NAME                  TYPE       CLUSTER-IP    EXTERNAL-IP  PORT(S)  AGE
cert-manager-webhook  ClusterIP  10.51.250.12  <none>       443/TCP  3s

==> v1/ServiceAccount
NAME                     SECRETS  AGE
cert-manager             1        3s
cert-manager-cainjector  1        3s
cert-manager-webhook     1        3s

==> v1alpha1/Certificate
NAME                              AGE
cert-manager-webhook-ca           3s
cert-manager-webhook-webhook-tls  3s

==> v1alpha1/Issuer
NAME                           AGE
cert-manager-webhook-ca        2s
cert-manager-webhook-selfsign  3s

==> v1beta1/APIService
NAME                                  AGE
v1beta1.admission.certmanager.k8s.io  3s

==> v1beta1/ClusterRole
NAME                     AGE
cert-manager             3s
cert-manager-cainjector  3s

==> v1beta1/ClusterRoleBinding
NAME                                 AGE
cert-manager                         3s
cert-manager-cainjector              3s
cert-manager-webhook:auth-delegator  3s

==> v1beta1/Deployment
NAME                     READY  UP-TO-DATE  AVAILABLE  AGE
cert-manager             0/1    1           0          3s
cert-manager-cainjector  0/1    1           0          3s
cert-manager-webhook     0/1    1           0          3s

==> v1beta1/RoleBinding
NAME                                                AGE
cert-manager-webhook:webhook-authentication-reader  3s

==> v1beta1/ValidatingWebhookConfiguration
NAME                  AGE
cert-manager-webhook  2s


NOTES:
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://docs.cert-manager.io/en/latest/reference/issuers.html

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://docs.cert-manager.io/en/latest/reference/ingress-shim.html

应用修改后的staging-issuer.yaml and production-issuer.yaml

$ kubectl apply -f staging-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-staging created
$ kubectl apply -f production-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-prod created

编辑我的ingress.yaml并将其应用

    kubernetes.io/ingress.class: "nginx"    
    certmanager.k8s.io/issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01

我找到了certificate,但是当我describe时,Eventsnone

$ kubectl get certificate
NAME
quickstart-example-tls
$ kubectl describe certificate quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-14T09:17:11Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   f30e819b-4639-11e9-a2d5-42010a9400fd
  Resource Version:        2243137
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     f311c99d-4639-11e9-a2d5-42010a9400fd
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.dev
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-14T09:17:11Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-06-12T08:16:05Z
Events:                    <none>

然后我检查secret。文档说

  

完成后,cert-manager将基于入口资源中使用的密钥创建一个包含证书详细信息的密钥。您也可以使用describe命令查看一些详细信息:

尽管我没有ca.crt。我决定继续前进。

$ kubectl get secret
NAME                                   TYPE                                  DATA   AGE
default-token-vnngd                    kubernetes.io/service-account-token   3      10d
letsencrypt-prod                       Opaque                                1      3d1h
letsencrypt-staging                    Opaque                                1      3d1h
quickstart-example-tls                 kubernetes.io/tls                     3      3d1h
quickstart-nginx-ingress-token-c4tjk   kubernetes.io/service-account-token   3      58m
singh-dev-staging-tls                  kubernetes.io/tls                     3      21h
singh-secret                           kubernetes.io/tls                     3      22h
$ kubectl describe secret quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations:  certmanager.k8s.io/alt-names: singh.hbot.dev
              certmanager.k8s.io/common-name: singh.hbot.dev
              certmanager.k8s.io/ip-sans:
              certmanager.k8s.io/issuer-kind: Issuer
              certmanager.k8s.io/issuer-name: letsencrypt-staging

Type:  kubernetes.io/tls

Data
====
tls.key:  1675 bytes
ca.crt:   0 bytes
tls.crt:  3545 bytes

ingress.yaml更改为productionapply

sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard created

删除secret 

sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted

sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-14T09:32:45Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   1fab9656-463c-11e9-a2d5-42010a9400fd
  Resource Version:        2246373
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.dev
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-14T09:34:06Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-06-12T08:34:04Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           33s   cert-manager  Generated new private key
  Normal  GenerateSelfSigned  33s   cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        33s   cert-manager  Created Order resource "quickstart-example-tls-1671619353"
  Normal  OrderComplete       6s    cert-manager  Order "quickstart-example-tls-1671619353" completed successfully
  Normal  CertIssued          6s    cert-manager  Certificate issued successfully

检查order 

$ kubectl describe order quickstart-example-tls-1671619353
Name:         quickstart-example-tls-1671619353
Namespace:    default
Labels:       acme.cert-manager.io/certificate-name=quickstart-example-tls
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Order
Metadata:
  Creation Timestamp:  2019-03-14T09:33:39Z
  Generation:          1
  Owner References:
    API Version:           certmanager.k8s.io/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  quickstart-example-tls
    UID:                   1facf771-463c-11e9-a2d5-42010a9400fd
  Resource Version:        2246369
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/orders/quickstart-example-tls-1671619353
  UID:                     3fd25e87-463c-11e9-a2d5-42010a9400fd
Spec:
  Config:
    Domains:
      singh.hbot.dev
    Http 01:
      Ingress Class:  nginx
  Csr:                MIIC...RQ8=
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:  Issuer
    Name:  letsencrypt-staging
Status:
  Certificate:  LS0t...LQo=
  Challenges:
    Authz URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk
    Config:
      Http 01:
        Ingress Class:  nginx
    Dns Name:           singh.hbot.dev
    Issuer Ref:
      Kind:      Issuer
      Name:      letsencrypt-staging
    Key:         tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs.-kMH8oyhdhqKbua2D8gLPi8FxbeW7rYKBB6w1gMRw2w
    Token:       tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs
    Type:        http-01
    URL:         https://acme-staging-v02.api.letsencrypt.org/acme/challenge/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk/270336074
    Wildcard:    false
  Finalize URL:  https://acme-staging-v02.api.letsencrypt.org/acme/finalize/8521062/26692657
  State:         valid
  URL:           https://acme-staging-v02.api.letsencrypt.org/acme/order/8521062/26692657
Events:
  Type    Reason      Age    From          Message
  ----    ------      ----   ----          -------
  Normal  Created     4m27s  cert-manager  Created Challenge resource "quickstart-example-tls-1671619353-0" for domain "singh.hbot.dev"
  Normal  OrderValid  4m     cert-manager  Order completed successfully

解决方案: 多亏Harsh Manvar

从运行的issuer确认我的issuer网址

$ kubectl get issuer letsencrypt-prod -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},"spec":{"acme":{"email":"contact@hbot.io","http01":{},"privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-v02.api.letsencrypt.org/directory"}}}
  creationTimestamp: "2019-03-14T09:12:11Z"
  generation: 1
  name: letsencrypt-prod
  namespace: default
  resourceVersion: "2242148"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
  uid: 405fa7af-4639-11e9-a2d5-42010a9400fd
spec:
  acme:
    email: contact@hbot.io
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
status:
  acme:
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/53068205
  conditions:
  - lastTransitionTime: "2019-03-14T09:12:12Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready

检查我的ingress 

$ kubectl get ingress --all-namespaces
NAMESPACE   NAME    HOSTS            ADDRESS         PORTS     AGE
default     kuard   singh.hbot.dev   35.198.217.71   80, 443   43m
$ kubectl describe ingress
Name:             kuard
Namespace:        default
Address:          35.198.217.71
Default backend:  default-http-backend:80 (10.48.0.7:8080)
TLS:
  quickstart-example-tls terminates singh.hbot.dev
Rules:
  Host            Path  Backends
  ----            ----  --------
  singh.hbot.dev
                  /   kuard:80 (<none>)
Annotations:
  certmanager.k8s.io/acme-challenge-type:            http01
  certmanager.k8s.io/issuer:                         letsencrypt-prod
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/acme-challenge-type":"http01","certmanager.k8s.io/issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"kuard","namespace":"default"},"spec":{"rules":[{"host":"singh.hbot.dev","http":{"paths":[{"backend":{"serviceName":"kuard","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["singh.hbot.dev"],"secretName":"quickstart-example-tls"}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason             Age                From                      Message
  ----    ------             ----               ----                      -------
  Normal  CREATE             43m                nginx-ingress-controller  Ingress default/kuard
  Normal  CreateCertificate  43m                cert-manager              Successfully created Certificate "quickstart-example-tls"
  Normal  UPDATE             10m (x2 over 43m)  nginx-ingress-controller  Ingress default/kuard
  Normal  UpdateCertificate  10m                cert-manager              Successfully updated Certificate "quickstart-example-tls"

issuer更改为prod 

sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard configured

删除旧的secret以触发该过程。

sixteen:cert-mgr hellohbot$ kubectl get secret
NAME                                   TYPE                                  DATA   AGE
default-token-vnngd                    kubernetes.io/service-account-token   3      10d
letsencrypt-prod                       Opaque                                1      3d2h
letsencrypt-staging                    Opaque                                1      3d2h
quickstart-example-tls                 kubernetes.io/tls                     3      33m
quickstart-nginx-ingress-token-c4tjk   kubernetes.io/service-account-token   3      103m
singh-dev-staging-tls                  kubernetes.io/tls                     3      21h
singh-secret                           kubernetes.io/tls                     3      23h
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted

检查新的certificate 

sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe  certificate
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-14T09:32:45Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   1fab9656-463c-11e9-a2d5-42010a9400fd
  Resource Version:        2252545
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.dev
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-prod
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-14T10:06:53Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type    Reason              Age                From          Message
  ----    ------              ----               ----          -------
  Normal  OrderCreated        33m                cert-manager  Created Order resource "quickstart-example-tls-1671619353"
  Normal  OrderComplete       33m                cert-manager  Order "quickstart-example-tls-1671619353" completed successfully
  Normal  CertIssued          33m                cert-manager  Certificate issued successfully
  Normal  Generated           19s (x2 over 33m)  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  19s (x2 over 33m)  cert-manager  Generated temporary self signed certificate
  Normal  Cleanup             19s                cert-manager  Deleting old Order resource "quickstart-example-tls-1671619353"
  Normal  OrderCreated        19s                cert-manager  Created Order resource "quickstart-example-tls-2367785339"

1 个答案:

答案 0 :(得分:1)

在入口处,您正在使用发卡行,因为letsencrypt-staging将其更改为生产版本,并且还将tls-secrets更改为可用

用于加密发行方的生产网址:https://acme-v02.api.letsencrypt.org/directory

在发行方中,您已使用entpt登台服务器的登台URL来将其更改为生产URL,然后再次尝试获取tls.cert并将其与https://

一起运行

暂存证书有时无法与https一起使用,浏览器给出错误消息是出于测试目的。

cert-manager和nginx ingress以及其他一切看起来都应该是完美的。

相关问题
最新问题