I replied to a similar question on the Rancher forums, without success: https://forums.rancher.com/t/rancher-2-x-ha-install-and-ssl-termination/12515/3
When doing an HA install following the Rancher docs, an example nginx configuration is provided for the load balancer: https://rancher.com/docs/rancher/v2.x/en/installation/ha/create-nodes-lb/
When issuing a certificate with cert-manager, cert-manager cannot reach the .well-known http-01 check to verify domain ownership. I get the same error as Yannick in the Rancher forum post; navigating to the .well-known address myself results in a 301 to https (with an invalid certificate), so the response does not load.
Next I tried adding a separate nginx conf location block to catch the /.well-known address and proxy_pass it to the ingress on the Rancher servers on port 80, but that triggers a flood of 301s until Chrome blocks it.
Looking at the ingress objects, it seems to be listening on 443 as well, but there are no events, so maybe it is not reaching the ingress:
Name:             cm-acme-http-solver-tr74p
Namespace:        cattle-system
Address:          x.x.x.x,x.x.x.y
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                  Path                                                                          Backends
  ----                  ----                                                                          --------
  rancher.mydomain.com
                        /.well-known/acme-challenge/Bf-oPbO34tgehadfI0k7Qsf_fza4rHUKC534easfO5TM   cm-acme-http-solver-xnw4t:8089 (<none>)
Annotations:
  field.cattle.io/publicEndpoints:  [{"addresses":["x.x.x.x","x.x.x.y"],"port":80,"protocol":"HTTP","serviceName":"cattle-system:cm-acme-http-solver-xnw4t","ingressName":"cattle-system:cm-acme-http-solver-tr74p","hostname":"rancher.mydomain.com","path":"/.well-known/acme-challenge/Bf-oPbO6hy7DdfI0k7Qsf_fza4rHUKC575duPOfO5TM","allNodes":false}]
Events:  <none>
Name:             rancher
Namespace:        cattle-system
Address:          x.x.x.x,x.x.x.xy
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-rancher-ingress terminates rancher.mydomain.com
Rules:
  Host                  Path  Backends
  ----                  ----  --------
  rancher.mydomain.com
                              rancher:80 (<none>)
Annotations:
  certmanager.k8s.io/issuer:                           rancher
  field.cattle.io/publicEndpoints:                     [{"addresses":["x.x.x.x","x.x.xy"],"port":443,"protocol":"HTTPS","serviceName":"cattle-system:rancher","ingressName":"cattle-system:rancher","hostname":"rancher.mydomain.com","allNodes":false}]
  nginx.ingress.kubernetes.io/proxy-connect-timeout:   30
  nginx.ingress.kubernetes.io/proxy-read-timeout:      1800
  nginx.ingress.kubernetes.io/proxy-send-timeout:      1800
Events:  <none>
Digging further into the ingress, I found the following:
I0123 02:02:32.615026 7 controller.go:179] Backend successfully reloaded.
I0123 02:07:26.990283 7 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"cattle-system", Name:"rancher", UID:"a18cc766-1eb3-11e9-a3a4-9c8e9916e498", APIVersion:"extensions", ResourceVersion:"1347", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress cattle-system/rancher
W0123 02:07:26.990427 7 backend_ssl.go:49] error obtaining PEM from secret cattle-system/tls-rancher-ingress: error retrieving secret cattle-system/tls-rancher-ingress: secret cattle-system/tls-rancher-ingress was not found
W0123 02:07:30.307510 7 controller.go:769] Service "cattle-system/rancher" does not have any active Endpoint.
W0123 02:07:30.307607 7 controller.go:1015] SSL certificate "cattle-system/tls-rancher-ingress" does not exist in local store.
I0123 02:07:30.307675 7 controller.go:169] Configuration changes detected, backend reload required.
It seems the TLS secret cannot be loaded. Rancher provides information on how to do this: https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/tls-secrets/ but that appears to be for bringing your own certificates, as opposed to using LE with cert-manager.
Has anyone got this working with Rancher, or can anyone see what I am missing?
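An nginx load-balancer configuration in the spirit of the location-block attempt described in the post above, added here as an illustration; it is not part of the original post and not the Rancher docs' example config. It assumes the load balancer terminates TLS for rancher.mydomain.com in nginx's http context (the upstream names, the node addresses 10.0.0.11-13 and the certificate paths are placeholders). The security-relevant point is ordering: the http-01 challenge path is proxied over plain HTTP to the cluster ingress on port 80, with the Host header preserved, and the 301 to https is confined to a separate `location /` so it can never apply to the challenge.

```nginx
# Example nginx (http context) load-balancer config for a Rancher HA setup that
# terminates TLS at the load balancer. Added illustration only; node addresses,
# upstream names and certificate paths are placeholders.

upstream rancher_http {
    server 10.0.0.11:80;
    server 10.0.0.12:80;
    server 10.0.0.13:80;
}

upstream rancher_https {
    server 10.0.0.11:443;
    server 10.0.0.12:443;
    server 10.0.0.13:443;
}

server {
    listen 80;
    server_name rancher.mydomain.com;

    # Let's Encrypt http-01: the CA fetches
    #   http://rancher.mydomain.com/.well-known/acme-challenge/<token>
    # and expects a 200 over plain HTTP. Pass this prefix straight through to
    # the cluster ingress on port 80 (where the cm-acme-http-solver ingress is
    # served) with the original Host header, and issue no redirect here.
    # "^~" makes this prefix win over "location /" below.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://rancher_http;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }

    # Everything else on port 80 is redirected to https.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name rancher.mydomain.com;

    ssl_certificate     /etc/nginx/ssl/rancher.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/rancher.key;   # placeholder path

    location / {
        # Re-encrypt to the cluster ingress on 443. nginx does not verify the
        # upstream certificate unless proxy_ssl_verify is enabled, which is why
        # the ingress's own (possibly not yet issued) cert does not break this hop.
        proxy_pass https://rancher_https;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # Rancher uses websockets for the UI and cluster agents.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 900s;
    }
}
```

To check where a remaining 301 comes from, take the exact challenge path shown by `kubectl -n cattle-system describe ingress` while a Challenge is pending and fetch it twice: `curl -sI http://rancher.mydomain.com/.well-known/acme-challenge/<token>` goes through the load balancer, and `curl -sI -H 'Host: rancher.mydomain.com' http://<node-ip>/.well-known/acme-challenge/<token>` goes straight to a node's ingress. A 200 from the solver in the second case but a 301 in the first points at the load balancer; a 301 in both means the cluster ingress itself is redirecting the challenge path, which this config cannot fix on its own.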