I set up cert-manager on my EKS cluster following these instructions: https://cert-manager.io/docs/tutorials/acme/ingress/
Here is my Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - '*.test.com'
    secretName: test-tls
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test-service
            port:
              number: 80
```
Here is the Issuer. I just copied the configuration from the instructions:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@test.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
```
After deploying, I found that the certificate's READY status is False:
```
$ kubectl get certificate
NAME       READY   SECRET     AGE
test-tls   False   test-tls   2m45s
```
I then followed this guide to troubleshoot: https://cert-manager.io/docs/faq/troubleshooting/
I ran kubectl describe certificaterequest <request name> and found the error: Waiting on certificate issuance from order test-tls-xxx: "pending"
Then I ran kubectl describe order test-tls-xxx and found this error:
```
Warning  Solver  20m  cert-manager  Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge
```
Any idea why it cannot determine a valid solver? And how can I test whether the solver is working?
Answer 0: (score: 2)
It isn't working because you are using the staging URL in the cluster issuer to validate the image.
Please try using the production URL.
Here is a simple and proper example of a ClusterIssuer and Ingress YAML (note that you are trying to use the staging API https://acme-staging-v02.api.letsencrypt.org/directory; if possible, use the production server address so that it works properly in all browsers).
Example:
```yaml
# apiVersion updated from cert-manager.io/v1alpha2 (removed in cert-manager 1.6)
# to cert-manager.io/v1; the spec fields are unchanged.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  # ClusterIssuer is cluster-scoped, so a metadata.namespace is ignored and has been dropped.
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      # ACME account private key; lives in cert-manager's own namespace.
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
# apiVersion updated from extensions/v1beta1 (removed in Kubernetes 1.22) to
# networking.k8s.io/v1, which requires pathType and the service.name/port.number backend form.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: service-name
            port:
              number: 80
  tls:
  - hosts:
    - sub.example.com
    # TLS secret written by cert-manager in the Ingress's namespace.
    secretName: secret-name
```
Note: when you try again, first delete the old objects, such as the Ingress and the ClusterIssuer.
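The Order event in the question ("no configured challenge solvers can be used for this challenge") is cert-manager's solver-selection step failing for at least one DNS name on the Order. The Python below is an added illustration written for this page, not cert-manager's own code: it models the selection rules documented at https://cert-manager.io/docs/configuration/acme/ (Let's Encrypt offers only DNS-01 for wildcard names, so an HTTP-01 solver can never serve "*.test.com"; among usable solvers the most specific selector wins, with dnsNames beating dnsZones beating matchLabels beating a solver with no selector, and the first listed solver winning ties). The numeric ranks and the Route53 DNS-01 solver in the constructed "repaired" configuration are assumptions used to show the mechanism, not values taken from the page.

```python
"""Model of cert-manager's per-name ACME solver selection.

Added illustration for this page, not cert-manager's code.  Rules follow the
cert-manager docs; the (level, zone length) rank tuples are an assumption
used only to order competing solvers.
"""
from typing import Dict, List, Optional, Tuple

Rank = Tuple[int, int]  # (selector level, matched zone length); higher wins


def is_wildcard(name: str) -> bool:
    return name.startswith("*.")


def zone_matches(name: str, zone: str) -> bool:
    # A dnsZones entry matches the zone itself and every name beneath it.
    bare = name[2:] if is_wildcard(name) else name
    return bare == zone or bare.endswith("." + zone)


def rank_solver(name: str, solver: dict, cert_labels: dict) -> Optional[Rank]:
    """Rank one solver for one DNS name; None means it cannot be used."""
    if "dns01" not in solver and "http01" not in solver:
        return None  # solver declares no challenge type
    if is_wildcard(name) and "dns01" not in solver:
        return None  # wildcard authorizations only offer DNS-01
    selector = solver.get("selector") or {}
    best: Rank = (0, 0)  # empty selector: default solver, matches anything
    if "matchLabels" in selector:
        if any(cert_labels.get(k) != v for k, v in selector["matchLabels"].items()):
            return None
        best = max(best, (1, 0))
    if "dnsZones" in selector:
        zones = [z for z in selector["dnsZones"] if zone_matches(name, z)]
        if not zones:
            return None
        best = max(best, (2, max(len(z) for z in zones)))
    if "dnsNames" in selector:
        if name not in selector["dnsNames"]:
            return None
        best = max(best, (3, 0))
    return best


def select_solvers(dns_names: List[str], solvers: List[dict],
                   cert_labels: Optional[dict] = None) -> Dict[str, Optional[int]]:
    """Map each Order DNS name to the index of the chosen solver, or None
    when no configured solver can serve it (the state behind the Order
    event "no configured challenge solvers can be used for this challenge")."""
    cert_labels = cert_labels or {}
    chosen: Dict[str, Optional[int]] = {}
    for name in dns_names:
        best_rank, best_idx = None, None
        for i, solver in enumerate(solvers):
            rank = rank_solver(name, solver, cert_labels)
            # Strictly greater: on a tie the solver listed first wins.
            if rank is not None and (best_rank is None or rank > best_rank):
                best_rank, best_idx = rank, i
        chosen[name] = best_idx
    return chosen


# Constructed input mirroring the question: a single HTTP-01 solver.
QUESTION_SOLVERS = [{"http01": {"ingress": {"class": "nginx"}}}]

# Constructed, assumed repair: keep HTTP-01 for ordinary hosts and add a
# DNS-01 solver (Route53 as an illustrative provider) scoped to test.com.
REPAIRED_SOLVERS = QUESTION_SOLVERS + [
    {"dns01": {"route53": {"region": "us-east-1"}},
     "selector": {"dnsZones": ["test.com"]}},
]

if __name__ == "__main__":
    print(select_solvers(["*.test.com"], QUESTION_SOLVERS))
    print(select_solvers(["*.test.com", "www.test.com"], REPAIRED_SOLVERS))
```

In a live cluster the same decision shows up on the Order's events; once cert-manager creates a Challenge resource, kubectl describe challenge <name> reports its self-check result, and for HTTP-01 a request from outside the cluster to http://<host>/.well-known/acme-challenge/<token> must return the key authorization before the ACME server will accept it. A wildcard host never reaches that step with an HTTP-01-only Issuer, which is what the model above reproduces.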