Changing cert-manager validation from http to dns

Time: 2019-11-18 22:07:16

Tags: kubernetes lets-encrypt kubernetes-ingress nginx-ingress cert-manager

I am using cert-manager with the ACME client in a Kubernetes cluster to issue certificates through Let's Encrypt. For validation we have been using http01, and everything has worked fine. The cluster is hosted on Azure and uses Azure DNS for the domain. We have now realized that DNS-based validation suits our situation best, so I have updated the ClusterIssuer to use dns01 validation in the test environment, following {{3}}. In my case, an IaC pipeline creates the underlying Azure-hosted infrastructure, including cert-manager, the ClusterIssuer and nginx-ingress-portal, and a deployment pipeline deploys the application (Keycloak) and its ingress. After changing the ClusterIssuer, both pipelines succeeded without errors. Here are some logs from cert-manager:

I1118 20:26:37.348920       1 controller.go:129] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="default/tls-keycloak"
I1118 20:26:37.349713       1 util.go:162] cert-manager/controller/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="1326h49m12.650326282s" "related_resource_kind"="Secret" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="tls-keycloak" "resource_namespace"="default"
I1118 20:26:37.349773       1 sync.go:303] cert-manager/controller/certificates "level"=0 "msg"="certificate does not require re-issuance. certificate renewal scheduled near expiry time." "related_resource_kind"="Secret" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="tls-keycloak" "resource_namespace"="default"
I1118 20:26:37.350088       1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/tls-keycloak"
I1118 20:27:29.161463       1 controller.go:129] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="default/keycloak"
I1118 20:27:29.161828       1 sync.go:163] cert-manager/controller/ingress-shim "level"=0 "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Ingress" "resource_name"="keycloak" "resource_namespace"="default"
I1118 20:27:29.162147       1 sync.go:176] cert-manager/controller/ingress-shim "level"=0 "msg"="certificate resource is already up to date for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-keycloak" "related_resource_namespace"="default" "resource_kind"="Ingress" "resource_name"="keycloak" "resource_namespace"="default"
I1118 20:27:29.162465       1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="default/keycloak"

Now I want to make sure that the dns validation actually works / will definitely work when renewal time comes. To trigger the re-validation process I tried recreating the certificate, nginx, nginx-ingress and cert-manager, but I still get similar logs (as above). I feel that if I recreated the whole cluster (with a new public IP) the dns validation would probably work, but I don't want to do that; as with the other existing clusters, we want to apply the same dns validation without recreating the cluster. If I'm missing something, I'd appreciate any ideas/help.
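Added example (not from the question above and not cert-manager's own code): a small check that the Challenge resources cert-manager creates when a certificate is re-issued are really of type dns01, and that the _acme-challenge TXT values they require are the ones visible in DNS. It assumes the Challenge field names of cert-manager v0.11+ (spec.type, spec.dnsName, spec.key, status.state) as returned by `kubectl get challenges -A -o json`; the challenge list and the observed DNS answers below are constructed sample data.

```python
"""Check that cert-manager is solving ACME challenges via DNS-01."""
import json
from typing import Dict, List

# Constructed sample of `kubectl get challenges -A -o json`, as it might look
# after deleting the tls-keycloak Secret so that cert-manager creates a new
# Order (the logs in the question show no Order/Challenge activity at all).
SAMPLE_CHALLENGES = json.dumps({"items": [
    {"metadata": {"name": "tls-keycloak-123-0", "namespace": "default"},
     "spec": {"type": "dns01", "dnsName": "keycloak.example.com",
              "key": "constructed-txt-value-1"},
     "status": {"state": "pending", "presented": True}},
    {"metadata": {"name": "tls-keycloak-123-1", "namespace": "default"},
     "spec": {"type": "http01", "dnsName": "auth.example.com",
              "key": "constructed-token.constructed-thumbprint"},
     "status": {"state": "valid", "presented": True}},
]})


def txt_record_name(dns_name: str) -> str:
    """ACME DNS-01 looks up _acme-challenge.<name>; a wildcard label is dropped."""
    base = dns_name[2:] if dns_name.startswith("*.") else dns_name
    return "_acme-challenge." + base


def expected_txt_records(challenges_json: str) -> Dict[str, str]:
    """TXT record name -> required value for every dns01 challenge.

    For dns01 challenges cert-manager stores the TXT value in spec.key."""
    items = json.loads(challenges_json).get("items", [])
    return {txt_record_name(c["spec"]["dnsName"]): c["spec"]["key"]
            for c in items if c["spec"].get("type") == "dns01"}


def non_dns01_challenges(challenges_json: str) -> List[str]:
    """Challenges still being solved by another method (e.g. http01)."""
    items = json.loads(challenges_json).get("items", [])
    return [f'{c["metadata"]["namespace"]}/{c["metadata"]["name"]} ({c["spec"]["type"]})'
            for c in items if c["spec"].get("type") != "dns01"]


def missing_records(expected: Dict[str, str], observed: Dict[str, List[str]]) -> List[str]:
    """Record names whose required value is absent from the observed TXT answers."""
    return [name for name, val in expected.items() if val not in observed.get(name, [])]


if __name__ == "__main__":
    expected = expected_txt_records(SAMPLE_CHALLENGES)
    # Fill `observed` from `dig +short TXT <name>` in practice; constructed here.
    observed = {"_acme-challenge.keycloak.example.com": ["constructed-txt-value-1"]}
    print("dns01 TXT records expected:", expected)
    print("challenges not using dns01:", non_dns01_challenges(SAMPLE_CHALLENGES))
    print("records missing from DNS:", missing_records(expected, observed))
```

A non-empty result from non_dns01_challenges means the Certificate's Order is still matching an http01 solver of the ClusterIssuer, while a non-empty result from missing_records means the Azure DNS record has not (yet) been published where the ACME server will look.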
