K8S cert-manager not adding the DNS01 RFC2136 challenge for a primary zone into the less-privileged subzone (DNS REFUSED)

Apologies in advance, this may be my misunderstanding, but as far as I can tell I cannot understand why cert-manager is trying to write to the primary zone rather than the subzone, as described in

Delegated Zones in cert-manager

My current thinking is that cert-manager is ignoring the CNAME and trying to write directly to the primary zone.

What isn't working

  • cert-manager creating a certificate for test.example.org via test.acme.example.org

What is working

  • DNS queries for example.org and acme.example.org
  • nsupdate -k updates.key adding records via acme.example.org
  • cert-manager creating a certificate for test.acme.example.org

What has been checked

  • Confirmed that cert-manager is using the correct "internal" view etc., so only those items are shown

Note: updates.key was created with tsig-keygen updates.key > updates.key

Bind9 - named.conf.local

view "internal" {
  #Global View Settings
  match-clients { !testingip; internals; };
  recursion yes;
  allow-query { any; };

  #Internal for our Primary Zone  
  zone "example.org." IN {
    type primary;
    file "zones/int/db.example.org";
    allow-transfer { key ns1-ns2.key; };
    notify explicit;
    also-notify { 10.8.23.74; };
    check-names warn;
    #update-policy { grant updates.key subdomain acme.example.org any; };
    allow-update { none; };
  };

  #For LetsEncrypt
  zone "acme.example.org." IN {
    type primary;
    file "zones/common/db.acme.example.org";
    allow-update { key updates.key; };
    allow-transfer { key ns1-ns2.key; };
    notify explicit;
    also-notify { 10.8.23.74; };
    allow-query { any; };
  };
};

/etc/bind/zones/int/db.example.org

$ORIGIN example.org.
$TTL 86400      ; 1 day
@                       IN SOA  ns1.example.org. admin.example.org. (
                                64         ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                43200      ; minimum (12 hours)
                                )
                        NS      ns1.example.org.
                        NS      ns2.example.org.
_acme-challenge      IN  CNAME   _acme-challenge.acme.example.org.
_acme-challenge.www  IN  CNAME   _acme-challenge.acme.example.org.
acme                    NS      ns1.example.org.
ns1                     A       10.8.23.73
ns2                     A       10.8.23.74
test                    A       10.8.23.71

/etc/zones/common/db.acme.example.org

$ORIGIN .
$TTL 86400      ; 1 day
acme.example.org.       IN SOA  ns1.example.org. admin.example.org. (
                                89         ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                43200      ; minimum (12 hours)
                                )
                        NS      ns1.example.org
                        NS      ns2.example.org
$ORIGIN acme.example.org
test                    A       8.8.8.8
test2                   CNAME   test
test5                   A       1.1.1.1

Kubernetes config

#Issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example.org-issuer
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: exampleorg-issuer-account-key
    solvers:
    - dns01:
        cnameStrategy: Follow
        rfc2136:
          nameserver: 10.8.23.73
          tsigKeyName: updates.key
          tsigAlgorithm: HMACSHA256
          tsigSecretSecretRef:
            name: dns-updates-key
            key: tsig-secret-key
      selector:
        dnsZones:
        - 'example.org'
        
#Certificate that won't work
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-org
  namespace: cert-manager
spec:
  secretName: www-example-org-tls
  issuerRef:
    name: example.org-issuer
    kind: Issuer
  commonName: 'www.example.org'
  dnsNames:
    - 'www.example.org'
    
#Certificate that works
microk8s kubectl apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-example-org
  namespace: cert-manager
spec:
  secretName: acme-example-org-tls
  issuerRef:
    name: example.org-issuer
    kind: Issuer
  commonName: 'www.acme.example.org'
  dnsNames:
    - 'www.acme.example.org'
EOF

Errors

#Kubernetes Error
controller.go:167] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="DNS update failed. Server replied: REFUSED" "key"="cert-manager/www-example-org-zwrzv-1914768330-2709226250"

#Bind Confirm
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695: view internal: using view 'internal'
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695: view internal: request has valid signature: updates.key
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: recursion available
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: updating zone 'example.org/IN': prerequisites are OK
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: set ede: info-code 18 extra-text (null)
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: signer "updates.key" denied
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: update 'example.org/IN' denied
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: updating zone 'example.org/IN': rolling back
24-Mar-2023 18:14:15.232 client @0x7f38b0002108 10.1.76.188#38695/key updates.key: view internal: reset client

Versions: Bind 9.18, cert-manager 1.11.0
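To make the failure mode in the question concrete, here is an added example (not cert-manager's own code, and not from the original post) that models the two decisions an RFC2136 DNS-01 solver makes before it sends the dynamic update: whether to follow the _acme-challenge CNAME (cnameStrategy: Follow), and which zone apex the resulting challenge name belongs to, found by walking the labels upward until a name with a SOA record is reached. The record table and the per-zone update ACL are constructed from the zone files and named.conf.local above; the function names, the `RECORDS`/`UPDATE_ACL` tables and the rcode strings are this example's own. With the CNAME followed, the update lands in acme.example.org and is accepted; without it, the walk stops at example.org, which has allow-update { none; } and answers REFUSED, exactly the "update 'example.org/IN' denied" line in the BIND log.

```python
"""Simplified model of RFC2136 DNS-01 zone discovery.

Added example, not cert-manager code. Mimics two steps a solver performs before
the dynamic update: follow the challenge name's CNAME chain (cnameStrategy:
Follow) and locate the zone apex by walking labels upward until a SOA is found.
No real DNS traffic; the tables below are constructed from the question.
"""

MAX_CNAME_DEPTH = 8  # assumed loop guard for CNAME chains

# Constructed from the question's two zone files. Owner names are fully
# qualified (trailing dot); only the record types this model needs are kept.
RECORDS = {
    "example.org.": {"SOA": "ns1.example.org. admin.example.org."},
    "acme.example.org.": {"SOA": "ns1.example.org. admin.example.org."},
    "_acme-challenge.example.org.": {"CNAME": "_acme-challenge.acme.example.org."},
    "_acme-challenge.www.example.org.": {"CNAME": "_acme-challenge.acme.example.org."},
    "test.example.org.": {"A": "10.8.23.71"},
    "test.acme.example.org.": {"A": "8.8.8.8"},
}

# Which TSIG key names may update which zone, from named.conf.local:
# example.org has allow-update { none; }; acme.example.org allows updates.key.
UPDATE_ACL = {
    "example.org.": frozenset(),
    "acme.example.org.": frozenset({"updates.key"}),
}


def to_fqdn(name: str) -> str:
    """Normalise a name to its fully-qualified form with a trailing dot."""
    return name if name.endswith(".") else name + "."


def follow_cnames(fqdn: str, records=RECORDS) -> str:
    """Follow a CNAME chain, as cnameStrategy: Follow does, with a loop guard."""
    seen = []
    for _ in range(MAX_CNAME_DEPTH):
        target = records.get(fqdn, {}).get("CNAME")
        if target is None:
            return fqdn
        if fqdn in seen:
            raise ValueError(f"CNAME loop at {fqdn}")
        seen.append(fqdn)
        fqdn = target
    raise ValueError("CNAME chain too long")


def find_zone(fqdn: str, records=RECORDS) -> str:
    """Walk the labels upward until a name that owns a SOA record is found.

    The update must be sent for the zone whose SOA covers the challenge name.
    A name that is a CNAME cannot itself be a zone apex, so such names are
    skipped rather than treated as the zone.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = records.get(candidate, {})
        if "CNAME" in rrset:
            continue
        if "SOA" in rrset:
            return candidate
    raise LookupError(f"no SOA found above {fqdn}")


def plan_update(dns_name: str, follow_cname: bool, key_name: str = "updates.key"):
    """Return (challenge owner, zone to update, rcode) for a DNS-01 challenge.

    rcode is "NOERROR" when key_name may update the chosen zone and "REFUSED"
    otherwise, modelling BIND's allow-update check seen in the question's log.
    """
    challenge = "_acme-challenge." + to_fqdn(dns_name)
    if follow_cname:
        challenge = follow_cnames(challenge)
    zone = find_zone(challenge)
    allowed = key_name in UPDATE_ACL.get(zone, frozenset())
    return challenge, zone, "NOERROR" if allowed else "REFUSED"


if __name__ == "__main__":
    for name, follow in [("www.example.org", True),
                         ("www.example.org", False),
                         ("www.acme.example.org", False)]:
        print(f"{name} follow={follow} -> {plan_update(name, follow)}")
```

The real solver performs the CNAME and SOA lookups through cert-manager's recursive resolvers (the system resolver, or the servers given with --dns01-recursive-nameservers), not through the rfc2136 nameserver that receives the update, so whatever those resolvers answer for `_acme-challenge.www.example.org` decides the target zone: a missing or stale CNAME there sends the update to the parent and produces the REFUSED above. Separately, allow-update { key updates.key; } in acme.example.org lets that key change any record type in the zone; a BIND update-policy grant limited to TXT records is the tighter choice for a key that only ever needs to write ACME challenges.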

Answer 1

I went away, came back 16 hours later and found there was a certificate there...
