gke cert manager certificate in progress
Question
I'm trying to make my Google services more secure by moving from http to https. I've been following the cert-manager documentation to get it working.
https://cert-manager.io/docs/configuration/acme/dns01/google/
I can't install helm on the cluster nor nginx ingress, that's why I'm using the dns01 challenge instead of the http01.
I installed cert-manager with regular manifests v0.11.0.
After creating a dns admin service account, I used this yaml to create the issuer:
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    email: email@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, DNS01 using Google Cloud DNS
    solvers:
    - dns01:
        clouddns:
          project: my-project-id
          # This is the secret used to access the service account
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json
And my certificate object:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    # The issuer created previously
    name: example-issuer
  commonName: my-domain.com
  dnsNames:
  - my-domain.com
  - www.my-domain.com
After applying these files, I had these results:
$ kubectl describe issuer
Name:         example-issuer
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"example-issuer","namespace":"default"},"spec...
API Version:  cert-manager.io/v1alpha2
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-11-28T15:00:33Z
  Generation:          1
  Resource Version:    306180
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/default/issuers/example-issuer
  UID:                 d3d1f66e-11ef-11ea-856a-42010a8401a2
Spec:
  Acme:
    Email:  email@gmail.com
    Private Key Secret Ref:
      Name:  example-issuer-account-key
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Clouddns:
          Project:  my-project-id
          Service Account Secret Ref:
            Key:   key.json
            Name:  clouddns-dns01-solver-svc-acct
Status:
  Acme:
    Last Registered Email:  email@gmail.com
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/11671464
  Conditions:
    Last Transition Time:  2019-11-28T15:00:34Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:  <none>

$ kubectl get certificates -o wide
NAME          READY   SECRET            ISSUER           STATUS                                                                 AGE
example-com   False   example-com-tls   example-issuer   Waiting for CertificateRequest "example-com-1030278725" to complete   49m

$ kubectl get CertificateRequest -o wide
NAME                     READY   ISSUER           STATUS                                                                                              AGE
example-com-1030278725   False   example-issuer   Waiting on certificate issuance from order default/example-com-1030278725-1017944607: "pending"   50m
Accepted answer
The problem is that you are trying to complete DNS01 challenges for a domain managed by Google Domains DNS servers. This is not possible at this time.
Google Domains DNS is not Google Cloud DNS. You cannot use cert-manager for automatic DNS01 challenges with Google Domains. There is no API to set up TXT records in Google Domains. There is a supported API for cert-manager for Google Cloud DNS.
My recommendation: move your domain's DNS servers to Cloud DNS.
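The check behind this answer, as an added example that is not part of the original question or answer: the clouddns solver writes the `_acme-challenge` TXT record into a Cloud DNS managed zone of the configured project, but Let's Encrypt queries whichever name servers the domain is publicly delegated to. The script below compares the two; the zone list and the public NS set are constructed sample data in the shape of `gcloud dns managed-zones list --format=json` and `dig +short NS <domain>`, and the domain and project name are the placeholders from the question.

```python
"""Decide whether a cert-manager clouddns DNS01 challenge for a name can succeed.

The ACME server looks up _acme-challenge.<name> via the public delegation,
so the Cloud DNS zone that cert-manager writes to must be the zone the
domain's public NS records actually point at. Otherwise the TXT record is
written where nobody looks and the Order stays "pending" forever.
"""

# Constructed sample: one Cloud DNS managed zone in project my-project-id.
SAMPLE_ZONES = [
    {"name": "my-domain", "dnsName": "my-domain.com.",
     "nameServers": ["ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com.",
                     "ns-cloud-a3.googledomains.com.", "ns-cloud-a4.googledomains.com."]},
    {"name": "other", "dnsName": "example.net.",
     "nameServers": ["ns-cloud-c1.googledomains.com."]},
]
# Constructed sample: what `dig +short NS my-domain.com` returns when the
# registrar (e.g. Google Domains) still hosts the zone. Note the hostnames
# look just like Cloud DNS ones, so only an exact set comparison is reliable.
SAMPLE_PUBLIC_NS = ["ns-cloud-b1.googledomains.com.", "ns-cloud-b2.googledomains.com."]


def _norm(ns):
    return ns.rstrip(".").lower()


def find_managed_zone(zones, name):
    """Return the managed zone whose dnsName is the longest suffix of `name`."""
    fqdn = _norm(name)
    best, best_len = None, -1
    for zone in zones:
        zname = _norm(zone["dnsName"])
        if (fqdn == zname or fqdn.endswith("." + zname)) and len(zname) > best_len:
            best, best_len = zone, len(zname)
    return best


def dns01_check(zones, public_ns, name):
    """Classify the delegation state of `name` relative to the Cloud DNS zones."""
    zone = find_managed_zone(zones, name)
    if zone is None:
        return "no-managed-zone"          # clouddns solver has nowhere to write
    public = {_norm(n) for n in public_ns}
    cloud = {_norm(n) for n in zone["nameServers"]}
    if not public:
        return "no-public-delegation"
    if public <= cloud:
        return "ok"                       # ACME will see the TXT record
    if public & cloud:
        return "partial-delegation"       # some resolvers will miss it
    return "delegated-elsewhere"          # the situation in this question


if __name__ == "__main__":
    for host in ("my-domain.com", "www.my-domain.com"):
        print(host, "->", dns01_check(SAMPLE_ZONES, SAMPLE_PUBLIC_NS, host))
```

Feed it real input by loading the JSON from `gcloud dns managed-zones list --project my-project-id --format=json` and the lines from `dig +short NS my-domain.com`; a result other than `ok` explains a Certificate stuck on a pending Order before you start debugging the service account.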