How do I test a ClusterIssuer solver?


Problem description


I'm attempting to deploy a Kubernetes cluster with an SSL certificate using LetsEncrypt on DigitalOcean. I followed these instructions, and everything works right up until the challenge order is created by the ClusterIssuer. Then I get this error:

cert-manager/controller/orders "msg"="Failed to determine the list of Challenge resources needed for the Order" "error"="no configured challenge solvers can be used for this challenge" "resource_kind"="Order" "resource_name"="letsencrypt-prod-cert-458163912-1173127706"


I've tried it both with http, and trying to configure DigitalOcean's dns01 resolver, but neither works, and with a similar error. The site is live by ip, by dns name (though I get the no-ssl cert warning). This is the ClusterIssuer description:

Name:         letsencrypt-issuer
Namespace:
Labels:       app/instance=webapp
              app/managed-by=Tiller
              app/name=webapp
              app/version=0.1.0
              helm.sh/chart=webapp-0.1.0
Annotations:  cert-manager.io/cluster-issuer: letsencrypt-issuer
              kubernetes.io/ingress.class: nginx
              kubernetes.io/tls-acme: true
API Version:  cert-manager.io/v1alpha2
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2019-10-16T23:24:47Z
  Generation:          2
  Resource Version:    10300992
  Self Link:           /apis/cert-manager.io/v1alpha2/clusterissuers/letsencrypt-issuer
  UID:                 2ee08cd4-5781-4126-9e6d-6b9d108a1eb2
Spec:
  Acme:
    Email:  <redacted>
    Private Key Secret Ref:
      Name:  letsencrypt-prod-cert
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Last Registered Email:  <redacted>
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/69503670
  Conditions:
    Last Transition Time:  2019-10-16T23:24:48Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>


Is there a way to see the solvers themselves to validate they're configured correctly? Is there a way to exercise them to prove they work? Is there some other way to diagnose what the situation is? I'm completely stuck, as there doesn't seem to be a lot of support online for this.

Recommended answer

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certificate-name
spec:
  secretName: tls-cert
  duration: 24h
  renewBefore: 12h
  commonName: hostname
  dnsNames:
  - hostname
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer


# cert-manager 0.11+ uses the API group cert-manager.io (v1alpha2); the old
# group certmanager.k8s.io only ever shipped v1alpha1, so it is corrected here.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: myemail@email.com
    privateKeySecretRef:
      name: letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    # The solvers list is what the question's ClusterIssuer is missing:
    # without it no Challenge can be created for an Order.
    solvers:
    - http01:
        ingress:
          class: nginx
      # An empty selector matches every dnsName (lowest priority catch-all).
      selector: {}


apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # With cert-manager.io/v1alpha2 the challenge type is chosen by the
    # issuer's solvers list, so no acme-challenge-type annotation is needed.
    cert-manager.io/cluster-issuer: letsencrypt
  name: ingress-rule
  namespace: default
spec:
  rules:
  - host: hostname
    http:
      paths:
      - backend:
          serviceName: backend-service
          servicePort: 8080
  tls:
  - hosts:
    - hostname
    secretName: tls-cert




The above cited approach worked for me; tls-cert is automatically generated in the intended namespace, the key and certificate both. For this to happen, you should point the IP of the nginx load balancer to DNS.


It worked for me; the acme challenge will get auto tested and the certificate will change its status from false to true once this gets done.
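The question asks how to check that the solvers are configured correctly before an Order fails. The following is an added example, not code from the question, the answer or cert-manager itself: an offline approximation of cert-manager's documented solver-selection rules (dnsNames beat dnsZones, which beat matchLabels, which beat an empty selector; ties keep the first listed solver), run against issuers constructed from the manifests on this page. The dictionaries, the zone `example.com` and the DigitalOcean token secret name are constructed for the example.

```python
# Added example: approximate cert-manager's ACME solver selection so a
# ClusterIssuer spec can be sanity-checked before it ever reaches Let's Encrypt.

def _score(selector, dns_name, labels):
    """Specificity of one solver selector for dns_name, or None if it does not match.
    Precedence (cert-manager docs): dnsNames > dnsZones > matchLabels > empty selector."""
    match_labels = selector.get("matchLabels", {})
    if any(labels.get(k) != v for k, v in match_labels.items()):
        return None
    names, zones = selector.get("dnsNames", []), selector.get("dnsZones", [])
    if names:
        return (2, 0, len(match_labels)) if dns_name in names else None
    if zones:
        hits = [z for z in zones if dns_name == z or dns_name.endswith("." + z)]
        return (1, max(map(len, hits)), len(match_labels)) if hits else None
    return (0, 0, len(match_labels))  # empty selector: matches everything, lowest priority

def select_solver(issuer, dns_name, labels=None):
    """Return the most specific matching solver, or None: that None is exactly the
    'no configured challenge solvers can be used for this challenge' situation."""
    labels = labels or {}
    solvers = issuer.get("spec", {}).get("acme", {}).get("solvers") or []
    best, best_score = None, None
    for solver in solvers:  # strict '>' keeps the first listed solver on ties
        score = _score(solver.get("selector", {}), dns_name, labels)
        if score is not None and (best_score is None or score > best_score):
            best, best_score = solver, score
    return best

# Constructed from the question's describe output: spec.acme has no "solvers" list.
BROKEN_ISSUER = {"spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}}}
# Constructed from the answer's ClusterIssuer: one http01 solver, empty selector.
WORKING_ISSUER = {"spec": {"acme": {"solvers": [
    {"http01": {"ingress": {"class": "nginx"}}, "selector": {}}]}}}
# Constructed variant: http01 catch-all plus a DigitalOcean dns01 solver for one zone.
MIXED_ISSUER = {"spec": {"acme": {"solvers": [
    {"http01": {"ingress": {"class": "nginx"}}, "selector": {}},
    {"dns01": {"digitalocean": {"tokenSecretRef": {"name": "do-token", "key": "access-token"}}},
     "selector": {"dnsZones": ["example.com"]}}]}}}

if __name__ == "__main__":
    for name, issuer in [("broken", BROKEN_ISSUER), ("working", WORKING_ISSUER), ("mixed", MIXED_ISSUER)]:
        chosen = select_solver(issuer, "www.example.com")
        print(name, "->", None if chosen is None else [k for k in chosen if k != "selector"])
```

Feeding `kubectl get clusterissuer <name> -o json` into `select_solver` for each dnsName of the Certificate gives the same answer cert-manager reaches when it builds the Order's Challenges.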

