Apologies in advance, this may well be my misunderstanding, but as far as I can tell I cannot work out why cert-manager is trying to write to the primary zone instead of the subzone as instructed.
My current thinking is that cert-manager is ignoring the CNAME and trying to write directly to the primary zone.
What doesn't work
- cert-manager creating a certificate for test.example.org via test.acme.example.org

What does work
- DNS queries against example.org and acme.example.org
- `nsupdate -k updates.key` adding records via acme.example.org
- cert-manager creating a certificate for test.acme.example.org

What has been checked
- Confirmed that cert-manager is using the correct "internal" view etc., so only those items are shown

Note: updates.key was generated with `tsig-keygen updates.key > updates.key`
Bind9: named.conf.local

```
view "internal" {
    #Global View Settings
    match-clients { !testingip; internals; };
    recursion yes;
    allow-query { any; };

    #Internal for our Primary Zone
    zone "example.org." IN {
        type primary;
        file "zones/int/db.example.org";
        allow-transfer { key ns1-ns2.key; };
        notify explicit;
        also-notify { 10.8.23.74; };
        check-names warn;
        #update-policy { grant updates.key subdomain acme.example.org any; };
        allow-update { none; };
    };

    #For LetsEncrypt
    zone "acme.example.org." IN {
        type primary;
        file "zones/common/db.acme.example.org";
        allow-update { key updates.key; };
        allow-transfer { key ns1-ns2.key; };
        notify explicit;
        also-notify { 10.8.23.74; };
        allow-query { any; };
    };
};
```
/etc/bind/zones/int/db.example.org

```
$ORIGIN example.org.
$TTL 86400      ; 1 day
@       IN SOA  ns1.example.org. admin.example.org. (
                64         ; serial
                43200      ; refresh (12 hours)
                7200       ; retry (2 hours)
                1209600    ; expire (2 weeks)
                43200      ; minimum (12 hours)
                )
        NS      ns1.example.org.
        NS      ns2.example.org.
_acme-challenge     IN CNAME _acme-challenge.acme.example.org.
_acme-challenge.www IN CNAME _acme-challenge.acme.example.org.
acme    NS      ns1.example.org.
ns1     A       10.8.23.73
ns2     A       10.8.23.74
test    A       10.8.23.71
```
/etc/zones/common/db.acme.example.org

```
$ORIGIN .
$TTL 86400      ; 1 day
acme.example.uk IN SOA ns1.example.org. admin.example.org. (
                89         ; serial
                43200      ; refresh (12 hours)
                7200       ; retry (2 hours)
                1209600    ; expire (2 weeks)
                43200      ; minimum (12 hours)
                )
        NS      ns1.example.org
        NS      ns2.example.org
$ORIGIN acme.example.org
test    A       8.8.8.8
test2   CNAME   test
test5   A       1.1.1.1
```
Kubernetes configuration

```yaml
# Issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example.org-issuer
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: exampleorg-issuer-account-key
    solvers:
    - dns01:
        cnameStrategy: Follow
        rfc2136:
          nameserver: 10.8.23.73
          tsigKeyName: updates.key
          tsigAlgorithm: HMACSHA256
          tsigSecretSecretRef:
            name: dns-updates-key
            key: tsig-secret-key
      selector:
        dnsZones:
        - 'example.org'
```

```yaml
# Certificate that won't work
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-org
  namespace: cert-manager
spec:
  secretName: www-example-org-tls
  issuerRef:
    name: example.org-issuer
    kind: Issuer
  commonName: 'www.example.org'
  dnsNames:
  - 'www.example.org'
```

```shell
# Certificate that works
microk8s kubectl apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-example-org
  namespace: cert-manager
spec:
  secretName: acme-example-org-tls
  issuerRef:
    name: example.org-issuer
    kind: Issuer
  commonName: 'www.acme.example.org'
  dnsNames:
  - 'www.acme.example.org'
EOF
```
Errors

```text
# Kubernetes Error
controller.go:167] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="DNS update failed. Server replied: REFUSED" "key"="cert-manager/www-example-org-zwrzv-1914768330-2709226250"

# Bind Confirm
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695: view internal: using view 'internal'
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695: view internal: request has valid signature: updates.key
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: recursion available
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: updating zone 'example.org/IN': prerequisites are OK
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: set ede: info-code 18 extra-text (null)
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: signer "updates.key" denied
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: update 'example.org/IN' denied
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: updating zone 'example.org/IN': rolling back
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: reset client
```
Versions: Bind 9.18, cert-manager 1.11.0
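The question's two zones and its BIND log, worked through as an added diagnostic example. This is not code from the original post, from cert-manager or from BIND: the CNAME records and the per-zone allow-update rules are constructed from the zone files and named.conf above, the zone lookup is a label-stripping walk over that constructed data standing in for the SOA lookups a real client would make, and the log patterns are written against the BIND lines shown in the question. It shows where the `_acme-challenge` TXT record lands with and without CNAME following, and which zone BIND actually reports being updated.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed data mirroring the two zone files in the question (not live DNS).
# CNAME records, owner -> target; all names fully qualified with a trailing dot.
CNAMES: Dict[str, str] = {
    "_acme-challenge.example.org.": "_acme-challenge.acme.example.org.",
    "_acme-challenge.www.example.org.": "_acme-challenge.acme.example.org.",
}

# Zone apexes (names carrying an SOA) and the TSIG signers each zone's
# allow-update clause grants: example.org has `allow-update { none; }`,
# acme.example.org has `allow-update { key updates.key; }`.
ZONE_UPDATE_POLICY: Dict[str, Set[str]] = {
    "example.org.": set(),
    "acme.example.org.": {"updates.key"},
}


def fqdn(name: str) -> str:
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def follow_cnames(name: str, cnames: Dict[str, str], max_hops: int = 8) -> str:
    """Follow a CNAME chain to its final target (cnameStrategy: Follow); refuse loops."""
    current, seen = fqdn(name), set()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {current}")
        seen.add(current)
        current = fqdn(cnames[current])
    return current


def find_zone(name: str, zones: Dict[str, Set[str]]) -> Optional[str]:
    """Return the closest enclosing zone apex by stripping leading labels.

    Same shape as an SOA walk against live DNS, modelled over constructed data.
    """
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def plan_update(dns_name: str, follow_cname: bool) -> Tuple[str, Optional[str]]:
    """Work out where the _acme-challenge TXT record for dns_name would land."""
    challenge = fqdn("_acme-challenge." + dns_name)
    target = follow_cnames(challenge, CNAMES) if follow_cname else challenge
    return target, find_zone(target, ZONE_UPDATE_POLICY)


def is_update_allowed(zone: str, signer: str) -> bool:
    """Mirror BIND's allow-update decision for a TSIG-signed update."""
    return signer in ZONE_UPDATE_POLICY.get(fqdn(zone), set())


# BIND update-log analysis; patterns written against the log lines in the question.
SIGNER_RE = re.compile(r"request has valid signature: (?P<key>\S+)")
UPDATING_RE = re.compile(r"updating zone '(?P<zone>[^'/]+)/IN'")
DENIED_RE = re.compile(r"update '(?P<zone>[^'/]+)/IN' denied")

# Constructed sample: a subset of the BIND log lines from the question.
SAMPLE_LOG = """\
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695: view internal: request has valid signature: updates.key
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: updating zone 'example.org/IN': prerequisites are OK
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: signer "updates.key" denied
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: update 'example.org/IN' denied
"""


def summarize_bind_log(log_text: str) -> Dict[str, object]:
    """Extract the signer, the zone BIND tried to update, and whether it refused."""
    summary: Dict[str, object] = {"signer": None, "zone": None, "denied": False}
    for line in log_text.splitlines():
        if m := SIGNER_RE.search(line):
            summary["signer"] = m.group("key")
        if m := UPDATING_RE.search(line):
            summary["zone"] = fqdn(m.group("zone"))
        if m := DENIED_RE.search(line):
            summary["zone"] = fqdn(m.group("zone"))
            summary["denied"] = True
    return summary


def explain(dns_name: str, log_text: str) -> str:
    """Compare the zone a CNAME-following client should update with the one in the log."""
    target, expected_zone = plan_update(dns_name, follow_cname=True)
    seen = summarize_bind_log(log_text)
    verdict = "REFUSED" if seen["denied"] else "accepted"
    out = [f"expected: TXT at {target} in zone {expected_zone}",
           f"observed: update to zone {seen['zone']} signed by {seen['signer']} -> {verdict}"]
    if seen["zone"] != expected_zone:
        out.append("mismatch: the CNAME was not followed before the zone was chosen")
    return "\n".join(out)


if __name__ == "__main__":
    print(explain("www.example.org", SAMPLE_LOG))
```

Run as-is, the expected half resolves `_acme-challenge.www.example.org` through its CNAME to `_acme-challenge.acme.example.org` and lands in zone `acme.example.org`, where `updates.key` is permitted. The observed half shows the update in the log was aimed at `example.org`, where `allow-update { none; }` applies, which is exactly the `signer "updates.key" denied` line and the REFUSED that cert-manager reports. Keeping the key confined to the delegated zone is what makes the refusal visible at all: a key granted in the parent zone would have accepted the write silently.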
Answer 1
I went away, came back 16 hours later, and there was a certificate there...