证书管理器和Traefik入口的404挑战响应 [英] 404 challenge response with cert-manager and Traefik ingress

问题描述

美好的一天，我是kubernetes的新人，请尝试设置我的第一个环境.我要遵循以下方案:

Good day, i'm newby in kubernetes and try to setup my first environment. I want to following scheme:

• 我的组织拥有公共IP(x.x.x.x)
• 此IP通过Win Server + IIS路由到专用LAN中的服务器(即 192.168.0.10 ).在IIS上，我有URL重写模块，它充当反向代理
• 我有kubernetes集群
• 我已经将一些服务部署到了k8s
• 我想通过SSL来从Internet上访问此服务，这是从我们进行加密获得的

• My organization has public IP (x.x.x.x)
• This IP routed to server in private LAN (i.e. 192.168.0.10) with win server + IIS. On IIS i have URL rewrite module and it's act as reverse proxy
• I have kubernetes cluster
• I have some service deployed to k8s
• I want to access this service from the internet with SSL, gained from let's encrypt

我已经设置了 k8s 集群，部署了 traefik (v1.7) 入口并将它们配置为让我们加密(设置 http->https 重定向，设置 acme 挑战).效果很好-我可以从LAN或WAN观察到它，并且没有关于证书的警告-我看到绿色锁定.现在，我部署服务(在我的情况下，这是Graylog).再次-我可以从LAN和WAN观察到它，但是在这种情况下，我会看到有关证书的警告(它是由 TRAEFIK_DEFAULT_CERT 发出的).看到此消息后，我尝试搜索更多信息，并发现我需要证书管理器.我部署了cert-manager，创建了一个用于加密颁发者的加密文件(具有ClusterIssuer角色)，但是随后我尝试颁发证书时出现以下错误(在挑战说明中找到):

I have already setup k8s cluster, deploy traefik (v1.7) ingress and configure them for let's encrypt (setup http->https redirect, setup acme challenge). This works fine - I can observe it from LAN or WAN, and there is no warning about certificate - i see green lock. Now I deploy service (in my case this is graylog). Again - I can observe it from LAN and WAN, but in this case i see warning about certificate (it was issued by TRAEFIK_DEFAULT_CERT). After I saw this I try to search more information and found that I need cert-manager. I deploy cert-manager, create let's encrypt issuer (with ClusterIssuer role), but then I try to issue certificate I get following error (found in challenge description):

Waiting for http-01 challenge propagation: wrong status code '404', expected '200'

我的traefik配置图:

My traefik configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
        regex = "^http://(.*)"
        replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
    [acme]
      email = "mymail@example.xyz"
      storage = "/acme/acme.json"
      entryPoint = "https"
      onHostRule = true
        [acme.httpChallenge]
        entryPoint = "http"
    [[acme.domains]]
      main = "my-public-domain.com"

我也尝试在其中使用通配符:

I also try to use wildcard there:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
        regex = "^http://(.*)"
        replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
    [acme]
      email = "mymail@example.xyz"
      storage = "/acme/acme.json"
      entryPoint = "https"
      onHostRule = true
        [acme.httpChallenge]
        entryPoint = "http"
    [[acme.domains]]
      main = "*.my-public-domain.com"
      sans = ["my-public-domain.com"]

我的集群发行人:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dev
spec:
  acme:
    email: mymail@example.xyz
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: traefik

我的测试证书:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  renewBefore: 360h # 15d
  commonName: logger.my-public-domain.com
  dnsNames:
  - logger.my-public-domain.com
  issuerRef:
    name: letsencrypt-dev
    kind: ClusterIssuer

我有通配符域的DNS条目，可以ping通

I have DNS entries for wildcard domain and can ping it

我的证书停留在 OrderCreated 状态:

Status:
  Conditions:
    Last Transition Time:  2019-10-08T09:40:30Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  OrderCreated  47m   cert-manager  Created Order resource "example-com-3213698372"

订单停留在状态已创建:

Status:
  Challenges:
    Authz URL:  <url>
    Dns Name:   logger.my-public-domain.com
    Issuer Ref:
      Kind:  ClusterIssuer
      Name:  letsencrypt-dev
    Key:     <key>
    Solver:
      http01:
        Ingress:
          Class:  traefik
    Token:        <token>
    Type:         http-01
    URL:          <url>
    Wildcard:     false
  Finalize URL:   <url>
  State:          pending
  URL:            <url>
Events:
  Type    Reason   Age   From          Message
  ----    ------   ----  ----          -------
  Normal  Created  48m   cert-manager  Created Challenge resource "example-com-3213698372-0" for domain "logger.my-public-domain.com"

最后，通过挑战:

Spec:
  Authz URL:  <url>
  Dns Name:   logger.my-public-domain.com
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-dev
  Key:     <key>
  Solver:
    http01:
      Ingress:
        Class:  traefik
  Token:        <token>
  Type:         http-01
  URL:          <url>
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
  State:       pending
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Started    55m   cert-manager  Challenge scheduled for processing
  Normal  Presented  55m   cert-manager  Presented challenge using http-01 challenge mechanism

我看到有404响应，但我不明白它的原因.在我的IIS上，我具有以下重写规则:让我们加密绕过-将所有与 .well-known/* 匹配的url重写为kubernetes主机.http到https-所有不匹配的url都将加密重定向到https子域重定向-所有子域请求都被重写为kubernetes.

I see that there is 404 response, but I can't understand the reason of it. On my IIS I have following rewrite rules: Let's encrypt bypass - all url matched by .well-known/* rewrited to kubernetes host. http to https - all url not matched by let's encrypt redirected to https sub-domain redirect - all subdomains request rewrited to kubernetes.

在我的局域网中，我拥有自己的DNS服务器，所有来自 my-public-domain.com 的域都映射到内部地址，因此我可以重定向公共主机名 logger.my-public-domain.com(xxxx)到内部 logger.my-public-domain.com(192.168.0.y).

In my LAN i have own DNS server, there all domains from my-public-domain.com has mapping to internal addresses, so I can redirect public hostname logger.my-public-domain.com (x.x.x.x) to internal logger.my-public-domain.com (192.168.0.y).

在挑战赛中，我在traefik仪表板中看到了新的后端和前端.

While challenge active I cat see new backend and frontend in traefik dashboard.

也许我误解了它的工作原理，但是我希望cert-manager颁发带有我们进行加密的证书，并且我可以观察我的服务.

Maybe I misunderstand how it should works, but I expected that cert-manager issue certificate with let's encrypt and I can observe my service.

推荐答案

在您的 traefik.toml ConfigMap中，您将重定向到HTTPS:

In your traefik.toml ConfigMap you're redirecting to HTTPS:

[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"

使用 kubectl edit configmap -n kube-system traefik 删除替换，保存更改，然后重新启动Traefik pod.那你应该走了.使用您的 Ingress 管理带有注释的重定向，而不是将它们放在 Traefik 配置中.

Remove that replacement using kubectl edit configmap -n kube-system traefik, save the changes then restart the Traefik pod. You should be good to go then. Use your Ingress to manage the redirects with annotations instead of putting them in the Traefik config.

这篇关于证书管理器和Traefik入口的404挑战响应的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！