我已经在我的私有GKE群集中安装了Jetstack证书管理器。一切顺利,但是我无法获得证书。我得到的错误是:
E1101 03:45:15.754642 1 sync.go:184] cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code '404', expected '200'" "dnsName"="[snip]" "resource_kind"="Challenge" "resource_name"="[snip]-certificate-2096248848-189663135-2951658629" "resource_namespace"="default" "type"="http-01"
I1101 03:45:15.755017 1 controller.go:135] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="default/[snip]-certificate-2096248848-189663135-2951658629"
I1101 03:45:25.755400 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="default/[snip]-certificate-2096248848-189663135-2951658629"
I1101 03:45:25.755810 1 pod.go:58] cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="[snip]" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-b6k59" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="[snip]-certificate-2096248848-189663135-2951658629" "resource_namespace"="default" "type"="http-01"
I1101 03:45:25.755897 1 service.go:43] cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="[snip]" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-qsvbv" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="[snip]-certificate-2096248848-189663135-2951658629" "resource_namespace"="default" "type"="http-01"
I1101 03:45:25.755960 1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="[snip]" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-br7d2" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="[snip]-certificate-2096248848-189663135-2951658629" "resource_namespace"="default" "type"="http-01"
这与我部署的ClusterIssuer中的错误事件相对应:
警告ErrVerifyACMEAccount 27m(x4超过28m)证书管理器无法验证ACME帐户:获取https://acme-v02.api.letsencrypt.org/directory:拨打tcp:I / O超时
因此,我的CertificateRequest和Certificate资源永远处于“待处理”状态。
这是在初始集群创建期间发生的。我对证书管理器和入口的配置如下:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-uat
spec:
acme:
email: cert-manager+uat@[snip]
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-uat-private-key
solvers:
- http01:
ingress:
class: nginx
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: [snip]-uat-certificate
spec:
secretName: [snip]-uat-tls-cert
duration: 2160h
renewBefore: 360h
commonName: [snip]
dnsNames:
- [snip]
issuerRef:
name: letsencrypt-uat
kind: ClusterIssuer
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: [snip]-uat-tls-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: letsencrypt-uat
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/affinity: "cookie"
spec:
rules:
- host: [snip]
http:
paths:
- backend:
serviceName: [snip]-uat-webapp-service
servicePort: 80
tls:
- hosts:
- [snip]
secretName: [snip]-uat-tls-cert
我在GKE专用集群上,因此也无法运行webhook组件。该文档似乎暗示可以这样运行,但不建议这样做。
此外,我注意到文档提到需要添加防火墙规则以允许网络挂钩正常工作。我想知道这里是否也有意义?上面的错误似乎表明存在某种与网络(防火墙?)相关的问题。
环境详细信息:: GKE(1.14.7-gke.10) Kubernetes(v1.16.2)(我认为) 证书管理器(0.11.0)
已安装kubectl
也许我需要配置防火墙规则吗?
非常感谢, 本
编辑1:
“拨号TCP:I / O超时”是一个红色鲱鱼。仅在DNS用我的群集初始化时,该错误仍然存在。我也越来越接近这样的结论,即传播错误仅仅是LetsEncrypt DNS无法看到我的域与我的IP地址相关(还)。
我在这里使用A记录是否正确?我大约一个小时前进行了DNS更新-有什么方法可以查看LetsEncrypt的DNS看到的内容吗?
答案 0 :(得分:0)
好,谢谢你们的帮助。事实证明,这与证书管理器无关。我在这里玩了两个问题:
但是,最终,由于其他原因,我决定使用DNS求解器。效果很好。
再次感谢!