带有 Cert Manager 和 letsencrypt 的 Kubernetes Nginx Ingress 不允许域名中使用通配符

带有 Cert Manager 和 letsencrypt 的 Kubernetes Nginx Ingress 不允许域名中使用通配符

我有一个自托管的 Kubernetes 集群,其中有一个 Nginx Ingress。Cert-manager 也在集群上运行,我尝试使用 Letsencrypt 获取有效的 SSL 证书。一切正常,我获得了 example.com 的有效证书,www.example.com或 app1.example.com,但不是通用通配符 *.example.com。如果我尝试以任何方式在 sec.tls.hosts 下的入口处输入通配符,则不会为我生成证书。我得到的输出为

kubectl get certificate

NAME              READY   SECRET            AGE
tls-test-cert     False   tls-electi-cert   20h

kubectl get CertificateRequest

NAME                    APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-test-cert-8jw75     True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   18m

kubectl describe CertificateRequest

[...]
Status:
  Conditions:
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From          Message
  ----    ------           ----  ----          -------
  Normal  cert-manager.io  18m   cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     18m   cert-manager  Created Order resource gateway/tls-test-cert-8jw75-1425588341
  Normal  OrderPending     18m   cert-manager  Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""

我的 Nginx Ingress:(为了写这篇文章,我将我的域名换成了 example.com)

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-management
  namespace: gateway
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
  - secretName: tls-test-cert
    hosts:
      - example.com
      - '*.example.com'
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
    - host: '*.example.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80

发行人:(我在这里删除了我的电子邮件)

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: *******
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

我的反向代理(测试网关)确实有效,并将所有子域转发到我的网站。提前感谢任何有关可能导致此问题的想法。

答案1

谢谢您的帮助,我解决了我的问题:

基本上,我必须找到一种新的方法,因为无法使用 http01 颁发通配符证书。(请参见此处:https://cert-manager.io/docs/configuration/acme/) 经过一番研究,我得出结论,使用 dns01 解析器最有意义。文档可在此处找到: https://cert-manager.io/docs/configuration/acme/dns01/

由于 dns01 的配置在很大程度上取决于您的 DNS 提供商,因此我不会在此处发布我的解决方案,但可以通过文档轻松找到有用的配置。

相关内容