Question

我正试图通过从http转到https来使我的Google服务更加安全。我一直都遵循cert-manager文档以使其正常工作。

https://cert-manager.io/docs/configuration/acme/dns01/google/

我无法在集群上安装头盔，也无法在nginx入口上安装头盔，这就是为什么即时通讯使用dns01挑战而不是http01的原因。

我安装了带有常规清单v0.11.0的cert-manager。

创建了dns管理员服务帐户后，我使用了这个Yaml来创建了发卡行：

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: email@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - dns01:
          clouddns:
            project: my-project-id
            # This is the secret used to access the service account
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: key.json

和我的证书对象：

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    # The issuer created previously
    name: example-issuer
  commonName: my-domain.com
  dnsNames:
    - my-domain.com
    - www.my-domain.com

应用这些文件后，我得到了以下结果：

$ kubectl describe issuer
Name:         example-issuer
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"example-issuer","namespace":"default"},"spec...
API Version:  cert-manager.io/v1alpha2
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-11-28T15:00:33Z
  Generation:          1
  Resource Version:    306180
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/example-issuer
  UID:                 d3d1f66e-11ef-11ea-856a-42010a8401a2
Spec:
  Acme:
    Email:  email@gmail.com
    Private Key Secret Ref:
      Name:  example-issuer-account-key
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Clouddns:
          Project:  my-project-id
          Service Account Secret Ref:
            Key:   key.json
            Name:  clouddns-dns01-solver-svc-acct
Status:
  Acme:
    Last Registered Email:  email@gmail.com
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/11671464
  Conditions:
    Last Transition Time:  2019-11-28T15:00:34Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

$ kubectl get certificates -o wide
NAME          READY   SECRET            ISSUER           STATUS                                                                AGE
example-com   False   example-com-tls   example-issuer   Waiting for CertificateRequest "example-com-1030278725" to complete   49m

$ kubectl get CertificateRequest -o wide
NAME                     READY   ISSUER           STATUS                                                                                            AGE
example-com-1030278725   False   example-issuer   Waiting on certificate issuance from order default/example-com-1030278725-1017944607: "pending"   50m

Answer 1

问题是您正在尝试完成由Google Domains DNS服务器管理的域的DNS01挑战。目前无法执行此操作。

Google Domains DNS不是Google Cloud DNS。您不能将Cert Manager用于Google域的自动DNS01挑战。没有API可以在Google Domains中设置TXT记录。 Cert Manager支持Google Cloud DNS的受支持API。

我的建议：将您域的DNS服务器移至Cloud DNS。

gke证书管理器证书正在进行中

1 个答案: