我有一个自托管的 Kubernetes 集群,其中有一个 Nginx Ingress。Cert-manager 也在集群上运行,我尝试使用 Letsencrypt 获取有效的 SSL 证书。一切正常,我获得了 example.com 的有效证书,www.example.com或 app1.example.com,但不是通用通配符 *.example.com。如果我尝试以任何方式在 sec.tls.hosts 下的入口处输入通配符,则不会为我生成证书。我得到的输出为
kubectl get certificate
NAME READY SECRET AGE
tls-test-cert False tls-electi-cert 20h
kubectl get CertificateRequest
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
tls-test-cert-8jw75 True False letsencrypt-staging system:serviceaccount:cert-manager:cert-manager 18m
kubectl describe CertificateRequest
[...]
Status:
Conditions:
Last Transition Time: 2022-02-27T13:54:38Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2022-02-27T13:54:38Z
Message: Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 18m cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 18m cert-manager Created Order resource gateway/tls-test-cert-8jw75-1425588341
Normal OrderPending 18m cert-manager Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""
我的 Nginx Ingress:(为了写这篇文章,我将我的域名换成了 example.com)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-management
namespace: gateway
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-staging"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- secretName: tls-test-cert
hosts:
- example.com
- '*.example.com'
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-gateway
port:
number: 80
- host: '*.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-gateway
port:
number: 80
发行人:(我在这里删除了我的电子邮件)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
namespace: cert-manager
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: *******
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
我的反向代理(测试网关)确实有效,并将所有子域转发到我的网站。提前感谢任何有关可能导致此问题的想法。
答案1
谢谢您的帮助,我解决了我的问题:
基本上,我必须找到一种新的方法,因为无法使用 http01 颁发通配符证书。(请参见此处:https://cert-manager.io/docs/configuration/acme/) 经过一番研究,我得出结论,使用 dns01 解析器最有意义。文档可在此处找到: https://cert-manager.io/docs/configuration/acme/dns01/
由于 dns01 的配置在很大程度上取决于您的 DNS 提供商,因此我不会在此处发布我的解决方案,但可以通过文档轻松找到有用的配置。