cert-manager:没有配置的挑战求解器可用于此挑战

时间:2021-07-02 02:57:31

标签: kubernetes amazon-eks lets-encrypt cert-manager

我按照此说明在我的 EKS 集群 https://cert-manager.io/docs/tutorials/acme/ingress/ 上设置了证书管理器。

这是我的入口

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
      - '*.test.com'
    secretName: test-tls
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-service
                port:
                  number: 80

这是发行人。我只是从指令中复制了配置

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@test.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

部署后发现证书就绪状态为false

kubectl get certificate
NAME          READY   SECRET        AGE
test-tls   False   test-tls   2m45s

然后我按照这个来解决https://cert-manager.io/docs/faq/troubleshooting/

我运行了 kubectl describe certificaterequest <request name>,发现错误 Waiting on certificate issuance from order test-tls-xxx: "pending"

然后运行kubectl describe order test-tls-xxx,发现错误 Warning Solver 20m cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge

知道为什么它无法确定有效的求解器吗?我如何测试求解器是否正常工作?

1 个答案:

答案 0 :(得分:2)

由于您使用 cluster issuer 中的临时 URL 来验证图像,因此无法正常工作。

请尝试使用生产网址。

这里有一个简单而恰当的 Clusterissuer 和入口 YAML 示例(请注意,您正在尝试使用暂存 API https://acme-staging-v02.api.letsencrypt.org/directory,如果可能,请使用生产服务器地址,以便在所有浏览器中正常工作)

示例:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

注意:当您再次尝试时,请先尝试删除旧对象,例如 ingress、Clusterissuer。

相关问题
最新问题