带有cert-manager和Nginx入口的404挑战响应 [英] 404 challenge response with cert-manager and Nginx ingress
问题描述
我正在尝试通过<<
I'm trying to get letsencrypt/cert-manager running via this Helm chart. The K8s cluster is on Digital Ocean.
我已成功已验证,并按照建议进行了安装已经创建了ClusterIssuer用于登台,并创建了1用于生产. (letsencrypt-staging,letsencrypt-prod)
I successfully verified the installation as recommended and have created a ClusterIssuer for staging, and 1 for production. (letsencrypt-staging, letsencrypt-prod)
问题:acme质询返回404错误.
Problem: The acme challenge returns a 404 error.
$ k get challenge -o wide
NAME STATE DOMAIN REASON AGE
myapp-cert-2315925673-2905389610-1118496475 pending myapp.example.com Waiting for http-01 challenge propagation: wrong status code '404', expected '200' 7m55s
当tls块被注释掉时,Ingress可以在端口80上正常工作.但是,当我定义tls时,端口80上的请求将返回404,这可能是挑战失败的原因.
The Ingress works fine with port 80 when the tls block commented out. When I define tls however, requests on port 80 return a 404, which is probably why the challenge is failing.
注意:使用我的产品ClusterIssuer时,我会得到相同的响应.
Note: I get the same response when using my production ClusterIssuer.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
labels:
app: myapp
spec:
rules:
- host: myapp.example.com
http:
paths:
- backend:
serviceName: myapp
servicePort: 80
tls:
- hosts:
- myapp.example.com
secretName: myapp-cert
::编辑以添加更多配置:::
:: edited to add more configs ::
按照@Tubc的要求添加更多配置和日志后,由于证书不存在,我更新入口时Nginx似乎抛出了错误.
After adding more configs and logs as requested by @Tubc, it appears that Nginx is throwing an error when I update the ingress because the cert doesn't exist.
ClusterIssuer清单:
ClusterIssuer Manifests:
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: me@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: me@example.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
服务清单:
---
apiVersion: v1
kind: Service
metadata:
name: myapp
labels:
app: myapp
spec:
ports:
- port: 80
selector:
app: myapp
tier: fe
type: NodePort
Nginx日志:
2019/12/08 14:45:44 [emerg] 62#62:无法加载证书"/etc/nginx/secrets/default-myapp-cert":PEM_read_bio_X509_AUX()失败(SSL:错误:0909006C:PEM例程:get_name:无起始行:预期:受信任的证书) I1208 14:45:44.934644 1 event.go:209] Event(v1.ObjectReference {Kind:"Ingress",命名空间:"default",名称:"myapp-ingress",UID:"610c3304-0565-415d-8cde- 0863bf9325ca,APIVersion:" extensions/v1beta1,ResourceVersion:" 319124,FieldPath:"})):类型:警告"原因:"AddedOrUpdatedWithError"默认/myapp入口的配置已添加或更新,但未应用:为默认值/myapp-ingress重新加载NGINX时出错:nginx重新加载失败:命令/usr/sbin/nginx -s reload stdout:" stderr:"nginx:[emerg]无法加载证书\"/etc/nginx/secrets/default-myapp-cert \":PEM_read_bio_X509_AUX()失败(SSL:错误:0909006C:PEM例程:get_name:无起始行:期望:受信任的证书)\ n 错误结束:退出状态1
2019/12/08 14:45:44 [emerg] 62#62: cannot load certificate "/etc/nginx/secrets/default-myapp-cert": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) I1208 14:45:44.934644 1 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"myapp-ingress", UID:"610c3304-0565-415d-8cde-0863bf9325ca", APIVersion:"extensions/v1beta1", ResourceVersion:"319124", FieldPath:""}): type: 'Warning' reason: 'AddedOrUpdatedWithError' Configuration for default/myapp-ingress was added or updated, but not applied: Error reloading NGINX for default/myapp-ingress: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: "" stderr: "nginx: [emerg] cannot load certificate \"/etc/nginx/secrets/default-myapp-cert\": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\n" finished with error: exit status 1
推荐答案
尽管复制了文档,但事实证明Ingress上的注释键是错误的.
Despite copying the docs, it turns out the annotation key on the Ingress was wrong.
应为:certmanager.k8s.io/cluster-issuer(而不是所记录的cert-manager.io/cluster-issuer)
It should be: certmanager.k8s.io/cluster-issuer (rather than cert-manager.io/cluster-issuer as documented)
进行此更改后,404消失了,并且证书已正确颁发和配置.
Upon making this change the 404 went away and the certificate was issued and configured properly.
这篇关于带有cert-manager和Nginx入口的404挑战响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
