My Let's Encrypt order stays in the pending state. I am using cert-manager on a single-node Kubernetes plane. I am also using Let's Encrypt.
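    # apiVersion is not shown in the post; this is the API version the ClusterIssuer below reports
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: example-zone
      namespace: default
    spec:
      secretName: example-zone-tls
      renewBefore: 360h # 15d
      commonName: example.zone
      dnsNames:
      - example.zone
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer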
Output:
    pascal$ kubectl get cert,order
    NAME                                          READY   SECRET             AGE
    certificate.certmanager.k8s.io/example-zone   False   example-zone-tls   79m

    NAME                                               STATE     AGE
    order.certmanager.k8s.io/example-zone-2971070786   pending   77m
Events received:
    Events:
      Type     Reason            Age  From          Message
      ----     ------            ---  ----          -------
      Warning  NoMatchingSolver  15s  cert-manager  Failed to create challenge for domain "example.zone": no configured challenge solvers can be used for this challenge
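The certificate should be issued, but I think it hangs at my proxy server. There are no errors, and I don't fully know how to use haproxy to expose the ACME challenge. Can someone explain it to me?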
My ClusterIssuer:
    pascal$ kubectl describe clusterissuer letsencrypt-prod
    Name:         letsencrypt-prod
    Namespace:    # yep, it's empty!?
    Labels:       <none>
    API Version:  certmanager.k8s.io/v1alpha1
    Kind:         ClusterIssuer
    Spec:
      Acme:
        Email:  <my-real-mail>
        Http 01:
          Ingress Class:  haproxy
        Private Key Secret Ref:
          Name:  letsencrypt-prod
        Server:  https://acme-v02.api.letsencrypt.org/directory
    Status:
      Acme:
        Last Registered Email:  <my-real-mail>
        Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/<hash>
      Conditions:
        Last Transition Time:  2019-08-17T11:49:05Z
        Message:               The ACME account was registered with the ACME server
        Reason:                ACMEAccountRegistered
        Status:                True
        Type:                  Ready
    Events:  <none>
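Answer 0 (score: -2)
If you have not opened port 80 in your network security rules, cert-manager's order cannot be fulfilled. The order stays pending. Ideally you should not keep port 80 open all the time; instead, you can choose to close this port once the order is complete (you will need to use the same process after 90 days to manage the renewal process).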
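
To check the port 80 condition the answer describes, the following added example (not code from the question, the answer, or cert-manager) requests the HTTP-01 challenge URL and separates a closed or filtered port from a port that answers but does not serve the challenge path. The names `probe_http01` and `run_demo`, the token values and the local stand-in server are assumptions made for the illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path, RFC 8555 section 8.3


def probe_http01(host, token, port=80, timeout=5.0):
    """Return (verdict, detail) for the HTTP-01 challenge URL of `host`."""
    # "unreachable": nothing answers on the port (closed or filtered)
    # "not-routed": the port answers but not for the token path; "served": HTTP 200
    url = f"http://{host}:{port}{ACME_PREFIX}{token}"
    direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with direct.open(url, timeout=timeout) as resp:
            return "served", resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:  # must precede OSError, its base class
        return "not-routed", f"HTTP {exc.code}"
    except OSError as exc:  # refused, timed out, DNS failure, TLS error after a redirect
        return "unreachable", str(exc)


def run_demo():
    """Probe a constructed local stand-in for the solver, not a real cluster."""
    token, key_auth = "sample-token", "sample-token.sample-thumbprint"  # constructed
    class Solver(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            found = self.path == ACME_PREFIX + token
            self.send_response(200 if found else 404)
            self.end_headers()
            self.wfile.write(key_auth.encode() if found else b"")

        def log_message(self, *args):  # silence per-request logging
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Solver)
    port = server.server_port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    served = probe_http01("127.0.0.1", token, port)
    missing = probe_http01("127.0.0.1", "other-token", port)
    server.shutdown()
    server.server_close()
    closed = probe_http01("127.0.0.1", token, port)  # listener gone, like a blocked port
    return served, missing, closed


if __name__ == "__main__":
    print(run_demo())
```

The probe needs the token of an existing challenge, and the event quoted in the question reports that the challenge for `example.zone` could not be created.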