Let's Encrypt with cert-manager on GKE: invalid certificate

Time: 2019-03-27 17:14:37

Tags: ssl google-kubernetes-engine lets-encrypt nginx-ingress cert-manager

I'm trying to get Let's Encrypt working with cert-manager on GKE. I have followed this process:

Install the CustomResourceDefinition resources separately

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

Create the namespace for cert-manager

kubectl create namespace cert-manager

Label the cert-manager namespace to disable resource validation

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

Add the Jetstack Helm repository

helm repo add jetstack https://charts.jetstack.io

Update your local Helm chart repository cache

helm repo update

Install the cert-manager Helm chart

helm install \
 --name cert-manager \
 --namespace cert-manager \
 --version v0.7.0 \
 jetstack/cert-manager

This results in (in the cert-manager namespace)

kubectl -n cert-manager get all

NAME                                           READY     STATUS    RESTARTS   AGE
pod/cert-manager-6d8fc95f98-57c55              1/1       Running   0          26m
pod/cert-manager-cainjector-7c789f4fcc-jdqfs   1/1       Running   0          26m
pod/cert-manager-webhook-86bc6ff498-kcxj8      1/1       Running   0          26m

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/cert-manager-webhook   ClusterIP   10.39.251.139   <none>        443/TCP   26m

...

kubectl -n cert-manager get secrets
NAME                                  TYPE                                  DATA      AGE
cert-manager-cainjector-token-mvmsx   kubernetes.io/service-account-token   3         30m
cert-manager-token-gk2sp              kubernetes.io/service-account-token   3         30m
cert-manager-webhook-ca               kubernetes.io/tls                     3         30m
cert-manager-webhook-token-6l6k7      kubernetes.io/service-account-token   3         30m
cert-manager-webhook-webhook-tls      kubernetes.io/tls                     3         30m
default-token-rx6sp                   kubernetes.io/service-account-token   3         30m
letsencrypt-prod                      Opaque                                1         30m

After this I install the webapp (default) and issuer.yml (default)

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'me@me.com'
    privateKeySecretRef:
      name: letsencrypt-prod
    https01: {}

and certificate.yml

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: test-tls
spec:
  secretName: test-me
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: test.me
  dnsNames:
    - test.me
    - www.test.me
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - test.me
          - www.test.me

Here I seem to run into a problem:

...
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  test-me
Status:
  Conditions:
    Last Transition Time:  2019-03-27T16:35:40Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type     Reason              Age              From          Message
  ----     ------              ----             ----          -------
  Warning  IssuerNotFound      4m (x2 over 4m)  cert-manager  clusterissuer.certmanager.k8s.io "letsencrypt-prod" not found
  Warning  IssuerNotReady      4m               cert-manager  Issuer letsencrypt-prod not ready
  Normal   Generated           4m               cert-manager  Generated new private key
  Normal   GenerateSelfSigned  4m               cert-manager  Generated temporary self signed certificate
  Normal   OrderCreated        4m               cert-manager  Created Order resource "test-me-tls-202592384"

It does get beyond this. No certificate gets validated...

The ingress looks like

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - test.me
        - www.test.me
      secretName: test-me
  rules:
    - host: test.me
      http:
        paths:
          - path: /
            backend:
              serviceName: web-cluster-ip-service
              servicePort: 80
    - host: www.test.me
      http:
        paths:
          - path: /
            backend:
              serviceName: web-cluster-ip-service
              servicePort: 80

In the end, my site is still insecure because the certificate is invalid.

Issued to:

Common Name (CN)    test.me
Organization (O)    cert-manager
Organizational Unit (OU)    <Not Part Of Certificate>

Issued by:

Common Name (CN)    cert-manager.local
Organization (O)    cert-manager
Organizational Unit (OU)

I'm missing the information about why this certificate is invalid.

1 answer:

Answer 0 (score: 1)

https01 (in issuer.yml) is a typo: this should be http01
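A misspelled solver key like the one above is accepted by the API server and then silently ignored, so the issuer simply never becomes Ready and the temporary self-signed certificate stays in place. The following added example (not code from the question or from cert-manager) is a small offline lint for v0.7 `certmanager.k8s.io/v1alpha1` ACME manifests that flags exactly this class of mistake before `kubectl apply`; the manifests are embedded as constructed Python dicts copied from the question, so it needs neither PyYAML nor a cluster.

```python
"""Offline lint for cert-manager v0.7 (certmanager.k8s.io/v1alpha1) ACME manifests.
Added example, not from the question or cert-manager; manifests are embedded as dicts
(constructed from the question) so it needs neither PyYAML nor a cluster."""

KNOWN_SOLVERS = {"http01", "dns01"}  # solver keys the v1alpha1 ACME issuer accepts
REQUIRED_ACME = {"server", "email", "privateKeySecretRef"}

def lint_issuer(issuer):
    """Findings for one ACME (Cluster)Issuer; an empty list means it looks sane."""
    acme = issuer.get("spec", {}).get("acme", {})
    findings = [f"spec.acme.{k} missing" for k in sorted(REQUIRED_ACME - set(acme))]
    solvers = set(acme) - REQUIRED_ACME
    # An unknown key such as the https01 typo is dropped by the API, leaving no solver.
    findings += [f"spec.acme.{k}: unknown key, valid solvers are {sorted(KNOWN_SOLVERS)}"
                 for k in sorted(solvers - KNOWN_SOLVERS)]
    if not solvers & KNOWN_SOLVERS:
        findings.append("no challenge solver configured: issuer will never become Ready")
    return findings

def lint_certificate(cert, issuers):
    """Findings for a Certificate, cross-checked against {(kind, name): issuer}."""
    spec = cert.get("spec", {})
    ref = spec.get("issuerRef", {})
    issuer = issuers.get((ref.get("kind"), ref.get("name")))
    if issuer is None:
        return [f"issuerRef {ref.get('kind')}/{ref.get('name')} does not exist"]
    findings = [f"issuer {ref['name']}: {f}" for f in lint_issuer(issuer)]
    offered = set(issuer.get("spec", {}).get("acme", {})) & KNOWN_SOLVERS
    dns_names = set(spec.get("dnsNames", []))
    for cfg in spec.get("acme", {}).get("config", []):
        for solver in sorted((set(cfg) & KNOWN_SOLVERS) - offered):
            findings.append(f"certificate asks for {solver} but the issuer offers no {solver} solver")
        extra = set(cfg.get("domains", [])) - dns_names
        if extra:
            findings.append(f"acme.config domains not listed in dnsNames: {sorted(extra)}")
    return findings

# Constructed copies of the question's manifests, including the https01 typo.
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
          "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
                            "email": "me@me.com",
                            "privateKeySecretRef": {"name": "letsencrypt-prod"},
                            "https01": {}}}}
CERT = {"kind": "Certificate", "metadata": {"name": "test-tls"},
        "spec": {"secretName": "test-me", "dnsNames": ["test.me", "www.test.me"],
                 "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
                 "acme": {"config": [{"http01": {"ingressClass": "nginx"},
                                      "domains": ["test.me", "www.test.me"]}]}}}
ISSUERS = {(ISSUER["kind"], ISSUER["metadata"]["name"]): ISSUER}
```

Running `lint_certificate(CERT, ISSUERS)` on the question's manifests reports the unknown `https01` key, the absence of any solver, and that the Certificate requests an `http01` challenge the issuer cannot serve; renaming the key to `http01` clears all three findings.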