404 challenge response with cert-manager and Nginx Ingress

Time: 2019-12-08 05:57:52

Tags: kubernetes kubernetes-ingress

I am trying to get this running via the letsencrypt/cert-manager Helm chart. The K8s cluster is on Digital Ocean.

I have successfully verified the installation as suggested, and created a ClusterIssuer for staging and one for production (letsencrypt-staging and letsencrypt-prod).

Problem: the ACME challenge returns a 404 error.

$ k get challenge -o wide
NAME                                                      STATE     DOMAIN                 REASON                                                                               AGE
myapp-cert-2315925673-2905389610-1118496475   pending   myapp.example.com   Waiting for http-01 challenge propagation: wrong status code '404', expected '200'   7m55s

With the tls block commented out, the Ingress works fine on port 80. However, when I define tls, requests on port 80 return 404, which is probably why the challenge is failing.

Note: I get the same response when using my prod ClusterIssuer.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
  labels:
    app: myapp
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - backend:
          serviceName: myapp
          servicePort: 80
  tls:
  - hosts:
    - myapp.example.com
    secretName: myapp-cert

:::Edit to add more config:::

After adding more config and logs as @Tubc requested, it seems Nginx throws an error when I update the ingress because the certificate does not exist.

ClusterIssuer manifests:

---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: me@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: me@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

Service manifest:

---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  ports:
    - port: 80
  selector:
    app: myapp
    tier: fe
  type: NodePort

Nginx logs:

2019/12/08 14:45:44 [emerg] 62#62: cannot load certificate "/etc/nginx/secrets/default-myapp-cert": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
I1208 14:45:44.934644       1 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"myapp-ingress", UID:"610c3304-0565-415d-8cde-0863bf9325ca", APIVersion:"extensions/v1beta1", ResourceVersion:"319124", FieldPath:""}): type: 'Warning' reason: 'AddedOrUpdatedWithError' Configuration for default/myapp-ingress was added or updated, but not applied: Error reloading NGINX for default/myapp-ingress: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "nginx: [emerg] cannot load certificate \"/etc/nginx/secrets/default-myapp-cert\": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\n"
finished with error: exit status 1


1 answer:

Answer 0 (score: 1)

Despite copying the docs, it turned out the annotation key on the Ingress was incorrect.

It should be: certmanager.k8s.io/cluster-issuer (not the documented cert-manager.io/cluster-issuer).

After making this change the 404 went away and the certificate was issued and configured correctly.
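As an added worked example (not code from the question, the answer, or cert-manager itself), the Python script below reproduces offline the three things worth checking when a Challenge sits in "wrong status code '404', expected '200'": whether the Ingress annotation key matches the API group of the cert-manager version that is actually running (v0.11 renamed the group from certmanager.k8s.io to cert-manager.io together with the ingress-shim annotation keys, and the accepted answer's fix is a swap between exactly those two keys); whether the secret named in spec.tls holds a PEM certificate (an empty or missing tls.crt is what produces the "no start line" error in the nginx log above); and the HTTP-01 pre-flight request cert-manager makes before asking the CA to validate. The CLUSTER_ISSUERS and INGRESS objects mirror the manifests posted in the question; the old-key Ingress, the secrets, the placeholder PEM, the _SolverStandIn handler, its token and key authorization, and the loopback port are all constructed for the demo.

```python
"""Offline checks for this thread's symptoms. Added example, not code from the question,
the answer or cert-manager; hostnames, tokens, secrets and ports are constructed."""
import base64
import http.server
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"  # fetched by the CA and by cert-manager's pre-flight

# cert-manager v0.11 renamed the API group certmanager.k8s.io -> cert-manager.io and the
# ingress-shim annotation keys with it; the running version only honours its own key.
ANNOTATION_FOR_GROUP = {
    "cert-manager.io": "cert-manager.io/cluster-issuer",
    "certmanager.k8s.io": "certmanager.k8s.io/cluster-issuer",
}

def lint_issuer_annotation(ingress: dict, cluster_issuers: list) -> list:
    """Findings about how the Ingress names its ClusterIssuer ([] when consistent)."""
    annotations = ingress.get("metadata", {}).get("annotations", {})
    groups = {ci["apiVersion"].split("/")[0] for ci in cluster_issuers}
    expected = {ANNOTATION_FOR_GROUP[g] for g in groups if g in ANNOTATION_FOR_GROUP}
    present = {k for k in annotations if k in ANNOTATION_FOR_GROUP.values()}
    findings = [] if present else ["no cluster-issuer annotation on the Ingress"]
    for key in sorted(present - expected):
        findings.append(f"annotation {key} does not match installed API group(s) {sorted(groups)}")
    names = {ci["metadata"]["name"] for ci in cluster_issuers}
    for key in sorted(present & expected):
        if annotations[key] not in names:
            findings.append(f"ClusterIssuer {annotations[key]!r} not found")
    return findings

def check_tls_secret(secret: dict) -> str:
    """Explain nginx's 'no start line': tls.crt is empty or not PEM. '' means it looks usable."""
    crt_b64 = secret.get("data", {}).get("tls.crt", "")
    if not crt_b64:
        return "tls.crt is missing or empty (cert-manager has not issued yet)"
    if not base64.b64decode(crt_b64).startswith(b"-----BEGIN CERTIFICATE-----"):
        return "tls.crt is not PEM: nginx will fail with 'no start line'"
    return ""

class _SolverStandIn(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the solver pod: one token answers, anything else is 404."""
    token = "constructed-token"
    key_auth = b"constructed-token.constructed-account-thumbprint"

    def do_GET(self):
        if self.path == ACME_PATH + self.token:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(self.key_auth)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args): pass  # keep the demo output quiet

def http01_self_check(base_url: str, token: str, key_auth: bytes) -> str:
    """What cert-manager does before asking the CA to validate: GET the challenge URL over
    plain HTTP and require 200 with the key authorization as body. Returns '' on success,
    otherwise the reason in the wording the Challenge status uses."""
    try:
        with urllib.request.urlopen(base_url + ACME_PATH + token, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, b""
    if status != 200:
        return f"wrong status code '{status}', expected '200'"
    return "" if body.strip() == key_auth else "unexpected response body"

def run_local_demo() -> dict:
    """Serve the stand-in on a loopback port and self-check a good and a bad token."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _SolverStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"correct_token": http01_self_check(base, _SolverStandIn.token, _SolverStandIn.key_auth),
                "wrong_token": http01_self_check(base, "some-other-token", _SolverStandIn.key_auth)}
    finally:
        server.shutdown()
        server.server_close()

# Sample objects: CLUSTER_ISSUERS and INGRESS mirror the question's manifests; the old-key
# Ingress, the empty secret and the placeholder PEM (not a real certificate) are constructed.
CLUSTER_ISSUERS = [{"apiVersion": "cert-manager.io/v1alpha2", "metadata": {"name": n}}
                   for n in ("letsencrypt-prod", "letsencrypt-staging")]
INGRESS = {"metadata": {"name": "myapp-ingress", "annotations": {
    "kubernetes.io/ingress.class": "nginx", "cert-manager.io/cluster-issuer": "letsencrypt-staging"}}}
OLD_KEY_INGRESS = {"metadata": {"name": "myapp-ingress", "annotations": {
    "kubernetes.io/ingress.class": "nginx", "certmanager.k8s.io/cluster-issuer": "letsencrypt-staging"}}}
EMPTY_TLS_SECRET = {"metadata": {"name": "myapp-cert"}, "data": {}}
GOOD_TLS_SECRET = {"metadata": {"name": "myapp-cert"}, "data": {"tls.crt": base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n").decode()}}

if __name__ == "__main__":
    print(lint_issuer_annotation(OLD_KEY_INGRESS, CLUSTER_ISSUERS), check_tls_secret(EMPTY_TLS_SECRET))
    print(run_local_demo())
```

To run the real check against a cluster, take the token and key authorization from the Challenge object (its spec.token and spec.key fields) and point http01_self_check at http://myapp.example.com on port 80, which is the request the ACME server will make. Two caveats that follow from the thread: the lint only knows which key is right if the ClusterIssuer objects it is given come from the cert-manager that is actually installed, and a failed nginx reload like the one in the log above leaves the previous configuration active, so the port-80 rule for the host may not be served until the referenced secret holds a valid certificate.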