I use Cloudflare DNS to manage my domain. In Cloudflare I created an A record for *.play.mydomain.com.
In Kubernetes (GKE) I created an Issuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod-wildcard
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    #server: https://acme-v02.api.letsencrypt.org/directory
    email: myemain@gmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-wildcard
    # ACME DNS-01 provider configurations
    dns01:
      challenges
      providers:
      - name: cf-dns
        cloudflare:
          email: myimail@gmail.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
I created the Secret for Cloudflare (cloudflare-api-key).
I also created a wildcard Certificate:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    #name: letsencrypt-staging-wildcard
    name: letsencrypt-prod-wildcard
  commonName: '*.play.mydomain.com'
  dnsNames:
  - play.mydomain.com
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
The certificate was generated successfully:
Status:
  Conditions:
    Last Transition Time:  2019-04-13T00:49:00Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-07-11T23:48:57Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           4m5s  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  4m5s  cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        4m5s  cert-manager  Created Order resource "wildcard-mydomain-com-880037411"
  Normal  OrderComplete       84s   cert-manager  Order "wildcard-mydomain-com-880037411" completed successfully
  Normal  CertIssued          84s   cert-manager  Certificate issued successfully
But in the cert-manager logs I see an error:
2019-04-13 04:49:00.078 GET
orders controller: Re-queuing item "default/wildcard-mydomain-com-880037411" due to error processing: challenges.certmanager.k8s.io "wildcard-mydomain-com-880037411-1" not found
I also have an Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-mydomain-com
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/issuer: letsencrypt-prod-wildcard
    certmanager.k8s.io/acme-challenge-type: "dns01"
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - secretName: letsencrypt-prod-secret-playground
    hosts:
    - '*.play.mydomain.com'
  rules:
  - host: '*.play.mydomain.com'
    http:
      paths:
      - backend:
          serviceName: playground
          servicePort: 83
And the error in the logs (after applying the Ingress):
2019-04-13 04:51:17.225 GET
orders controller: Re-queuing item "default/letsencrypt-prod-secret-playground-2579012660" due to error processing: Error constructing Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain "play.mydomain.com"
How do I use a wildcard Let's Encrypt certificate in Kubernetes with cert-manager, the nginx ingress and Cloudflare?
I want to have an Ingress and spin up many subdomains ([randomstring].play.mydomain.com).
Answer 0 (score: 1)
Of the few issues I see, most of it looks correct. The challenges keyword in the Issuer does not seem to belong there. Maybe it is intentional (?)
    # ACME DNS-01 provider configurations
    dns01:
      providers:
      - name: cf-dns
        cloudflare:
          email: myimail@gmail.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
In your Certificate definition the kind: Issuer line is missing from issuerRef, and dnsNames lists play.mydomain.com instead of *.play.mydomain.com (that is the problem):
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    name: letsencrypt-prod-wildcard
    kind: Issuer
  commonName: '*.play.mydomain.com'
  dnsNames:
  - '*.play.mydomain.com'   # <== here (quoted: an unquoted * is a YAML alias)
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
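The two corrections in this answer, plus the "no provider is configured for domain" error from the question, can be checked mechanically before anything is applied to the cluster. The script below is an added example, not code from either post or from cert-manager: it lints a v1alpha1-style Issuer/Certificate pair for a missing issuerRef.kind, a commonName absent from dnsNames, a dnsName with no ACME solver, a wildcard name routed to HTTP-01 (which cannot validate wildcards), and a dns01 provider name the Issuer does not define. The manifests are the question's YAML transcribed into Python dicts; CERT_NO_SOLVER is constructed, and treating "a Certificate with no acme.config" as the shape behind the "no provider is configured" error is an assumption made for the example.

```python
"""Lint cert-manager (v1alpha1-era) Issuer/Certificate manifests for the
mistakes discussed in this thread. Added example; manifests are the
question's YAML as dicts, plus one constructed Certificate."""
import copy

# The Issuer from the question (the stray "challenges" line left out).
ISSUER = {
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt-prod-wildcard", "namespace": "default"},
    "spec": {"acme": {
        "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
        "dns01": {"providers": [
            {"name": "cf-dns",
             "cloudflare": {"email": "myimail@gmail.com",
                            "apiKeySecretRef": {"name": "cloudflare-api-key",
                                                "key": "api-key.txt"}}},
        ]},
    }},
}

# The Certificate exactly as posted in the question.
CERT_AS_POSTED = {
    "kind": "Certificate",
    "metadata": {"name": "wildcard-mydomain-com", "namespace": "default"},
    "spec": {
        "secretName": "wildcard-mydomain-com",
        "issuerRef": {"name": "letsencrypt-prod-wildcard"},
        "commonName": "*.play.mydomain.com",
        "dnsNames": ["play.mydomain.com"],
        "acme": {"config": [
            {"dns01": {"provider": "cf-dns"},
             "domains": ["*.play.mydomain.com", "play.mydomain.com"]},
        ]},
    },
}

# The same Certificate with answer 0's two corrections applied.
CERT_FIXED = copy.deepcopy(CERT_AS_POSTED)
CERT_FIXED["spec"]["issuerRef"]["kind"] = "Issuer"
CERT_FIXED["spec"]["dnsNames"] = ["*.play.mydomain.com", "play.mydomain.com"]

# Constructed: a Certificate that carries no acme.config at all (assumption:
# this is the shape behind "no provider is configured for domain ...").
CERT_NO_SOLVER = {
    "kind": "Certificate",
    "metadata": {"name": "letsencrypt-prod-secret-playground", "namespace": "default"},
    "spec": {
        "secretName": "letsencrypt-prod-secret-playground",
        "issuerRef": {"name": "letsencrypt-prod-wildcard", "kind": "Issuer"},
        "dnsNames": ["*.play.mydomain.com"],
    },
}


def dns01_providers(issuer):
    """Names of the DNS-01 providers the Issuer defines (v1alpha1 layout)."""
    acme = issuer.get("spec", {}).get("acme", {})
    return {p["name"] for p in acme.get("dns01", {}).get("providers", [])}


def solver_for(cert, domain):
    """(challenge type, provider name) that the Certificate's acme.config maps
    `domain` to; (None, None) when no config entry lists the domain."""
    for entry in cert.get("spec", {}).get("acme", {}).get("config", []):
        if domain in entry.get("domains", []):
            for challenge in ("dns01", "http01"):
                if challenge in entry:
                    return challenge, entry[challenge].get("provider")
    return None, None


def lint(issuer, cert):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    spec = cert["spec"]
    ref = spec.get("issuerRef", {})
    if ref.get("name") != issuer["metadata"]["name"]:
        findings.append(f"issuerRef.name {ref.get('name')!r} does not match "
                        f"Issuer {issuer['metadata']['name']!r}")
    if "kind" not in ref:
        findings.append("issuerRef.kind is missing (set kind: Issuer)")
    names = spec.get("dnsNames", [])
    cn = spec.get("commonName")
    if cn and cn not in names:
        findings.append(f"commonName {cn!r} is not listed in dnsNames")
    providers = dns01_providers(issuer)
    for name in names:
        challenge, provider = solver_for(cert, name)
        if challenge is None:
            findings.append(f"no ACME solver configured for domain {name!r}")
            continue
        if name.startswith("*.") and challenge != "dns01":
            findings.append(f"wildcard {name!r} needs a dns01 solver, got {challenge}")
        if challenge == "dns01" and provider not in providers:
            findings.append(f"dns01 provider {provider!r} for {name!r} is not defined in the Issuer")
    return findings


if __name__ == "__main__":
    for label, cert in (("as posted", CERT_AS_POSTED), ("fixed", CERT_FIXED),
                        ("no solver", CERT_NO_SOLVER)):
        print(label, "->", lint(ISSUER, cert) or "clean")
```

Run as-is it reports the two findings answer 0 describes for the posted Certificate, nothing for the corrected one, and a missing-solver finding for the constructed one; the domain match in solver_for is exact, as the v1alpha1 acme.config.domains list was, so the wildcard and the apex name each need to be listed.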
Answer 1 (score: 0)
Note: you may need to add a CAA record in DNS first.
A CAA record can be added to the DNS zone. Example:
Type       Value
devops.in  CAA 0 issuewild "letsencrypt.org"
Store the access key in a Secret:
kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
Sharing an example issuer.yaml here:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
        - "devops.in"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
  - "*.devops.in"
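The CAA record this answer suggests only matters because the CA evaluates it before issuing, and the rules differ between wildcard and ordinary names. The script below is an added example, not the answer's code: it parses CAA records in the presentation form shown above and evaluates them the way RFC 8659 tells an issuer to, including the walk from the requested name up to the root, the precedence of issuewild over issue for wildcard names, the ";" value that forbids all issuers, and the Issuer Critical flag on an unrecognised property. The zone lines are constructed (the devops.in record is the one from the answer; corp.example and strict.example are invented), and dropping the "*." label and starting the lookup at the base name is an assumption about issuer behaviour made for the example.

```python
"""Evaluate CAA records for a requested name the way an ACME CA does before
issuance (RFC 8659). Added example; the zone below is constructed."""

ISSUER_CRITICAL = 128            # flags bit 0, RFC 8659 section 4.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone in BIND presentation form; lines starting with ';' are comments.
ZONE_LINES = [
    "; the record answer 1 suggests",
    'devops.in.                CAA 0 issuewild "letsencrypt.org"',
    "; one CA for ordinary names, no wildcards from anyone",
    'corp.example.   3600 IN   CAA 0 issue "digicert.com"',
    'corp.example.   3600 IN   CAA 0 issuewild ";"',
    "; an unrecognised property marked Issuer Critical",
    'strict.example.      IN   CAA 128 futuretag "whatever"',
]


def parse_caa_line(line):
    """Parse 'name [ttl] [class] CAA flags tag "value"' into (name, (flags, tag, value))."""
    tokens = line.split()
    i = tokens.index("CAA")
    name = tokens[0].rstrip(".").lower()
    flags = int(tokens[i + 1])
    tag = tokens[i + 2].lower()           # property tags are case-insensitive
    value = " ".join(tokens[i + 3:]).strip('"')
    return name, (flags, tag, value)


def load_zone(lines):
    """Group parsed records into {owner name: [(flags, tag, value), ...]}."""
    zone = {}
    for line in lines:
        if line.strip() and not line.lstrip().startswith(";"):
            name, rr = parse_caa_line(line)
            zone.setdefault(name, []).append(rr)
    return zone


ZONE = load_zone(ZONE_LINES)


def relevant_caa(zone, name):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from the
    name towards the root. Assumption: a leading '*.' is dropped first, so the
    base name's records govern a wildcard request."""
    label = name.lower().rstrip(".")
    if label.startswith("*."):
        label = label[2:]
    while label:
        if zone.get(label):
            return zone[label]
        label = label.partition(".")[2]   # climb one label
    return []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """True if CAA permits `ca` (an issuer-domain-name) to issue for `name`."""
    rrset = relevant_caa(zone, name)
    # An unrecognised property flagged Issuer Critical forbids issuance outright.
    if any(flags & ISSUER_CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                 # issuewild overrides issue for wildcards
    rules = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not rules:
        return True                       # no governing property: not restricted
    return ca.lower() in rules            # ';' yields '' and matches no CA


if __name__ == "__main__":
    for req in ("*.devops.in", "www.devops.in", "*.corp.example", "app.corp.example",
                "host.strict.example"):
        print(f"{req:22s} letsencrypt.org -> {may_issue(ZONE, req, 'letsencrypt.org')}")
```

Two results are worth noticing: the answer's issuewild-only record permits Let's Encrypt wildcards but leaves ordinary names under devops.in unrestricted for every CA, because issue and issuewild are evaluated independently; adding an issue property alongside it closes that gap. The lookup also climbs, so a request for *.deep.sub.devops.in is governed by the devops.in record unless a closer name carries its own CAA set.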