证书管理器和Traefik入口的404挑战响应 [英] 404 challenge response with cert-manager and Traefik ingress
问题描述
美好的一天,我是kubernetes的新人,请尝试设置我的第一个环境.我要遵循以下方案:
Good day, i'm newby in kubernetes and try to setup my first environment. I want to following scheme:
- 我的组织拥有公共IP(x.x.x.x)
- 此IP通过Win Server + IIS路由到专用LAN中的服务器(即
192.168.0.10
).在IIS上,我有URL重写模块,它充当反向代理 - 我有kubernetes集群
- 我已经将一些服务部署到了k8s
- 我想通过SSL来从Internet上访问此服务,这是从我们进行加密获得的
- My organization has public IP (x.x.x.x)
- This IP routed to server in private LAN (i.e.
192.168.0.10
) with win server + IIS. On IIS i have URL rewrite module and it's act as reverse proxy - I have kubernetes cluster
- I have some service deployed to k8s
- I want to access this service from the internet with SSL, gained from let's encrypt
我已经设置了 k8s 集群,部署了 traefik (v1.7
) 入口并将它们配置为让我们加密(设置 http->https
重定向,设置 acme 挑战).效果很好-我可以从LAN或WAN观察到它,并且没有关于证书的警告-我看到绿色锁定.现在,我部署服务(在我的情况下,这是Graylog).再次-我可以从LAN和WAN观察到它,但是在这种情况下,我会看到有关证书的警告(它是由 TRAEFIK_DEFAULT_CERT
发出的).看到此消息后,我尝试搜索更多信息,并发现我需要证书管理器.我部署了cert-manager,创建了一个用于加密颁发者的加密文件(具有ClusterIssuer角色),但是随后我尝试颁发证书时出现以下错误(在挑战说明中找到):
I have already setup k8s cluster, deploy traefik (v1.7
) ingress and configure them for let's encrypt (setup http->https
redirect, setup acme challenge). This works fine - I can observe it from LAN or WAN, and there is no warning about certificate - i see green lock.
Now I deploy service (in my case this is graylog). Again - I can observe it from LAN and WAN, but in this case i see warning about certificate (it was issued by TRAEFIK_DEFAULT_CERT
).
After I saw this I try to search more information and found that I need cert-manager. I deploy cert-manager, create let's encrypt issuer (with ClusterIssuer role), but then I try to issue certificate I get following error (found in challenge description):
Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
我的traefik配置图:
My traefik configmap:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-conf
namespace: kube-system
data:
traefik.toml: |
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "mymail@example.xyz"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "my-public-domain.com"
我也尝试在其中使用通配符:
I also try to use wildcard there:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-conf
namespace: kube-system
data:
traefik.toml: |
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "mymail@example.xyz"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "*.my-public-domain.com"
sans = ["my-public-domain.com"]
我的集群发行人:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-dev
spec:
acme:
email: mymail@example.xyz
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: example-issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: traefik
我的测试证书:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
renewBefore: 360h # 15d
commonName: logger.my-public-domain.com
dnsNames:
- logger.my-public-domain.com
issuerRef:
name: letsencrypt-dev
kind: ClusterIssuer
我有通配符域的DNS条目,可以ping通
I have DNS entries for wildcard domain and can ping it
我的证书停留在 OrderCreated
状态:
Status:
Conditions:
Last Transition Time: 2019-10-08T09:40:30Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 47m cert-manager Created Order resource "example-com-3213698372"
订单停留在状态已创建
:
Status:
Challenges:
Authz URL: <url>
Dns Name: logger.my-public-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-dev
Key: <key>
Solver:
http01:
Ingress:
Class: traefik
Token: <token>
Type: http-01
URL: <url>
Wildcard: false
Finalize URL: <url>
State: pending
URL: <url>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 48m cert-manager Created Challenge resource "example-com-3213698372-0" for domain "logger.my-public-domain.com"
最后,通过挑战:
Spec:
Authz URL: <url>
Dns Name: logger.my-public-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-dev
Key: <key>
Solver:
http01:
Ingress:
Class: traefik
Token: <token>
Type: http-01
URL: <url>
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 55m cert-manager Challenge scheduled for processing
Normal Presented 55m cert-manager Presented challenge using http-01 challenge mechanism
我看到有404响应,但我不明白它的原因.在我的IIS上,我具有以下重写规则:让我们加密绕过-将所有与 .well-known/*
匹配的url重写为kubernetes主机.http到https-所有不匹配的url都将加密重定向到https子域重定向-所有子域请求都被重写为kubernetes.
I see that there is 404 response, but I can't understand the reason of it.
On my IIS I have following rewrite rules:
Let's encrypt bypass - all url matched by .well-known/*
rewrited to kubernetes host. http to https - all url not matched by let's encrypt redirected to https
sub-domain redirect - all subdomains request rewrited to kubernetes.
在我的局域网中,我拥有自己的DNS服务器,所有来自 my-public-domain.com
的域都映射到内部地址,因此我可以重定向公共主机名 logger.my-public-domain.com(xxxx)
到内部 logger.my-public-domain.com(192.168.0.y)
.
In my LAN i have own DNS server, there all domains from my-public-domain.com
has mapping to internal addresses, so I can redirect public hostname logger.my-public-domain.com (x.x.x.x)
to internal logger.my-public-domain.com (192.168.0.y)
.
在挑战赛中,我在traefik仪表板中看到了新的后端和前端.
While challenge active I cat see new backend and frontend in traefik dashboard.
也许我误解了它的工作原理,但是我希望cert-manager颁发带有我们进行加密的证书,并且我可以观察我的服务.
Maybe I misunderstand how it should works, but I expected that cert-manager issue certificate with let's encrypt and I can observe my service.
推荐答案
在您的 traefik.toml
ConfigMap中,您将重定向到HTTPS:
In your traefik.toml
ConfigMap you're redirecting to HTTPS:
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
使用 kubectl edit configmap -n kube-system traefik
删除替换,保存更改,然后重新启动Traefik pod.那你应该走了.使用您的 Ingress 管理带有注释的重定向,而不是将它们放在 Traefik 配置中.
Remove that replacement using kubectl edit configmap -n kube-system traefik
, save the changes then restart the Traefik pod. You should be good to go then. Use your Ingress to manage the redirects with annotations instead of putting them in the Traefik config.
这篇关于证书管理器和Traefik入口的404挑战响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!