等待HTTP-01挑战传播:无法执行自检GET请求-ISTIO [英] Waiting for HTTP-01 challenge propagation: failed to perform self check GET request - ISTIO

问题描述

等待约1分钟后出现此错误

I get this error after waiting for a while ~1 min

Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://jenkins.xyz.in/.well-known/acme-challenge/AoV9UtBq1rwPLDXWjrq85G5Peg_Z6rLKSZyYL_Vfe4I': Get "http://jenkins.xyz.in/.well-known/acme-challenge/AoV9UtBq1rwPLDXWjrq85G5Peg_Z6rLKSZyYL_Vfe4I": dial tcp 103.66.96.201:80: connect: connection timed out

我可以从任何地方(互联网)在浏览器中访问此URL

I am able to access this url in the browser from anywhere (internet)

curl -v http://jenkins.xyz.in/.well-known/acme-challenge/AoV9UtBq1rwPLDXWjrq85G5Peg_Z6rLKSZyYL_Vfe4I
*   Trying 103.66.96.201:80...
* Connected to jenkins.xyz.in (103.66.96.201) port 80 (#0)
> GET /.well-known/acme-challenge/AoV9UtBq1rwPLDXWjrq85G5Peg_Z6rLKSZyYL_Vfe4I HTTP/1.1
> Host: jenkins.xyz.in
> User-Agent: curl/7.71.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< cache-control: no-cache, no-store, must-revalidate
< date: Wed, 13 Jan 2021 08:54:23 GMT
< content-length: 87
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 1
< server: istio-envoy
< 
* Connection #0 to host jenkins.xyz.in left intact
AoV9UtBq1rwPLDXWjrq85G5Peg_Z6rLKSZyYL_VfT4I.EZvkP5Fpi6EYc_-tWTQgvaQxrrbSr2MEJkuXJaywatk

我的设置是:

1. Istio Ingress load balancer running on node (192.168.14.118)
2. I am pointing my external IP and domain jenkins.xyz.in 
to 192.168.14.118 through an another load balancer

request -> public IP -> load balancer -> 192.168.14.118 

从外部可以正常工作.但是当我从节点本身/从群集内的pod尝试此操作时，我得到了:

From outside it works fine. but when I try this from node itself / from pod inside cluster I get :

$ curl -v http://jenkins.xyz.in/
* About to connect() to jenkins.xyz.in port 80 (#0)
*   Trying 103.66.96.201...

我已阅读过有关发夹

由于我的kubernetes节点IP和istio入口负载平衡器外部IP相同，因此请求可能正在循环.

Since my kubernetes node IP and the istio ingress loadbalacer external IPs are same, request might be looping.

额外:我在裸机上运行k8s

EXTRA: I am running k8s on bare metal

有什么解决办法吗?

推荐答案

我找到了解决方法.

由于我的节点无法访问URL(循环)，我向集群添加了另一个节点，并将Cert-Manager Pod关联性设置为新节点.

As my node was not able to access the URL (loop), I added another node to cluster and set Cert-Manager pods affinity to new node.

证书管理器能够从新节点访问URL.虽然不是一个好的解决方案，但对我有用.

Cert-Manager was able to access the URL from new node. Although not a good solution, but worked for me.

这篇关于等待HTTP-01挑战传播:无法执行自检GET请求-ISTIO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！