如何通过证书管理器在Kubernetes中正确设置TLS? [英] How to setup TLS correctly in Kubernetes via cert-manager?
问题描述
我正在尝试为Kubernetes群集(AWS EKS)之外可用的服务设置TLS。使用cert-Manager,我已经成功地颁发了证书并配置了入口,但仍然收到错误NET::ERR_CERT_AUTHORITY_INVALID
。这是我所拥有的:
名称空间
tests
和hello-kubernetes
(部署和服务都有名称hello-kubernetes-first
,Servce是port
80和targetPort
8080的ClusterIP,部署基于paulbouwer/hello-kubernetes:1.8
,详情见我的previous question)配置为显示服务的dns和入口:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: hello-kubernetes-ingress namespace: tests spec: ingressClassName: nginx rules: - host: test3.projectname.org http: paths: - path: "/" pathType: Prefix backend: service: name: hello-kubernetes-first port: number: 80
在不配置TLS的情况下,我可以通过http访问test3.project tname.org并查看该服务(它尝试将我重定向到HTTPS,我看到
NET::ERR_CERT_AUTHORITY_INVALID
,我无论如何都会转到InSecure并看到Hello-Kubernetes页面)。注意:我有nginx-Enress入口控制器,它是通过下面的图表在我之前安装的:
apiVersion: v2 name: nginx description: A Helm chart for Kubernetes type: application version: 4.0.6 appVersion: "1.0.4" dependencies: - name: ingress-nginx version: 4.0.6 repository: https://kubernetes.github.io/ingress-nginx
与图表一起应用的值覆盖与original ones的主要不同之处在于
extraArgs
:default-ssl-certificate: "nginx-ingress/dragon-family-com"
是未分配的
证书管理器通过
安装kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
ClusterIssuer使用以下配置创建:
apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-backoffice spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory # use https://acme-v02.api.letsencrypt.org/directory after everything is fixed and works privateKeySecretRef: # this secret is created in the namespace of cert-manager name: letsencrypt-backoffice-private-key # email: <will be used for urgent alerts about expiration etc> solvers: # TODO: add for each domain/second-level domain/*.projectname.org - selector: dnsZones: - test.projectname.org - test2.projectname.org - test3.projectname.org http01: ingress: class: nginx
命名空间中的证书。它的配置是
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: letsencrypt-certificate-31 namespace: tests spec: secretName: tls-secret-31 issuerRef: kind: ClusterIssuer name: letsencrypt-backoffice commonName: test3.projectname.org dnsNames: - test3.projectname.org
现在,证书已准备好(kubectl get certificates -n tests
说明),为了应用它,我将以下代码添加到入口的规范:
tls:
- hosts:
- test3.projectname.org
secretName: tls-secret-31
但是,当我尝试通过HTTPS打开test3.project tname.org时,它仍然显示NET::ERR_CERT_AUTHORITY_INVALID
错误。我做错了什么?如何调试?我已经查看了openssl s_client -connect test3.projectname.org:443 -prexit
*,它显示了如下链条:
0 s:CN = test3.projectname.org
i:C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
1 s:C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
2 s:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
和通知,以及其他输出
验证错误:无法获取本地颁发者证书
很遗憾,我还没有找到任何有用的东西可以进一步尝试,因此,如果有任何帮助,我们将不胜感激。
推荐答案
按照SYN的建议,我已通过
修复了此问题将ClusterIssuer配置中的ACME服务器从
https://acme-staging-v02.api.letsencrypt.org/directory
切换到https://acme-v02.api.letsencrypt.org/directory
。中间服务器的想法似乎是:允许调试证书发布(使kubectl get certificate [-n <namespace>]
显示READY
=true
),而不提供实际的可信证书;证书发布正常后,必须切换到主服务器获取生产证书。更新证书、TLS机密和入口配置。嗯,我不确定是否有一种方法可以真正更新证书;相反,我创建了新的证书,创建了新的机密,然后更新了入口配置(只是机密的名称)
这篇关于如何通过证书管理器在Kubernetes中正确设置TLS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!