我正在使用 cert-manager 来管理我的 Kubernetes 集群中的 ssl 证书。证书管理器创建 Pod 和挑战,但挑战永远不会得到满足。他们总是说:
<块引用>等待 HTTP-01 挑战传播:无法执行自检 GET 请求“http://somedomain/.well-known/acme-challenge/VqlmMCsb019CCFDggs03RyBLZJ0jo53LO...”:获取“http://somedomain/.well -已知/极限挑战/VqlmMCsb019CCFDggs03RyBLZJ0jo53LO...”:EOF
但是当我打开网址(http:///.well-known/acme-challenge/VqlmMCsb019CCFDggs03RyBLZJ0jo53LO...)时,它返回了预期的代码:
<块引用>vzCVdTk1q55MQCNH...zVkKYGvBJkRTvDBHQ.YfUcSfIKvWo_MIULP9jvYcgtsGxwfJMLWUGsB5kFKRc
当我执行 kubectl get certs
时,它说证书已准备就绪:
姓名 | 准备好 | 秘密 | 年龄 |
---|---|---|---|
crt1 | 真的 | crt1-秘密 | 65m |
crt1-秘密 | 真的 | crt1-秘密 | 65m |
crt2 | 真的 | crt2-secret | 65m |
crt2-secret | 真的 | crt2-secret | 65m |
看起来 Let's Encrypt 从不调用(或证书管理器从不指示)这些 url 来验证。
当我列出挑战 kubectl describe challenges
时,它说:
Name: crt-secret-hcgcf-269956107-974455061
Namespace: default
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2021-07-23T10:47:27Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"finalizer.acme.cert-manager.io":
f:ownerReferences:
.:
k:{"uid":"09e39ad0-cc39-421f-80d2-07c2f82680af"}:
.:
f:apiVersion:
f:blockOwnerDeletion:
f:controller:
f:kind:
f:name:
f:uid:
f:spec:
.:
f:authorizationURL:
f:dnsName:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:key:
f:solver:
.:
f:http01:
.:
f:ingress:
.:
f:class:
f:ingressTemplate:
UID: 09e39ad0-cc39-421f-80d2-07c2f82680af
Resource Version: 19014474
UID: b914ad18-2f5c-45cd-aa34-4ad7a2786536
Spec:
Authorization URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1547...9301
Dns Name: mydomain.something
Issuer Ref:
Group: cert-manager.io
Kind: Issuer
Name: letsencrypt
Key: VqlmMCsb019CCFDggs03RyBLZ...nc767h_g.YfUcSfIKv...GxwfJMLWUGsB5kFKRc
Solver:
http01:
Ingress:
Class: nginx
Ingress Template:
Metadata:
Annotations:
nginx.org/mergeable-ingress-type: minion
Service Type: ClusterIP
Token: VqlmMCsb019CC...03RyBLZJ0jo53LOiqnc767h_g
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/15...49301/X--4pw
Wildcard: false
Events: <none>
知道如何解决这个问题吗?
更新 1:
当我在另一个 Pod 中运行 curl http://some-domain.tld/.well-known/acme-challenge/VqlmMCsb019CC...gs03RyBLZJ0jo53LOiqnc767h_g
时,它返回:
curl: (52) 来自服务器的空回复
当我在本地(在我的 PC 上)执行此操作时,它会返回我预期的质询响应。