I have a certificate on a Kubernetes cluster that is managed by cert-manager. It used to be renewed/validated through the HTTP01 ACME challenge, but because of a security restriction (firewall) that is no longer possible. I have to switch to the DNS01 ACME challenge (Cloudflare).
I think I have to change the issuer I created for this from letsencrypt-prod
...to letsencrypt-prod-cloudflare
but I can't. I tried kubectl patch
and kubectl edit
without success:
Before:
$ kubectl get certificates.cert-manager.io tls-certificate -o=jsonpath='{.spec.issuerRef}' | jq
{
"group": "cert-manager.io",
"kind": "ClusterIssuer",
"name": "letsencrypt-prod"
}
Trying to patch:
$ kubectl patch certificates.cert-manager.io tls-certificate -p '{"spec":{"issuerRef":{"name":"letsencrypt-prod-cloudflare"}}}'
Error from server (UnsupportedMediaType): the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml
Edit does not seem to fail:
$ kubectl edit certificates.cert-manager.io tls-certificate
certificate.cert-manager.io/tls-certificate edited
...but the certificate still hasn't changed:
$ kubectl get certificates.cert-manager.io tls-certificate -o=jsonpath='{.spec.issuerRef}' | jq
{
"group": "cert-manager.io",
"kind": "ClusterIssuer",
"name": "letsencrypt-prod"
}
So... any ideas on how to switch from HTTP01 to DNS01? Thanks!
Answer 1
I ended up recreating the certificate. To minimise downtime, I did this:
export BACKUP_PATH=/some/path/on/your/computer/
# we assume the secret and the certificate have the same resource name, `tls-certificate` in this case
export CERT=tls-certificate
kubectl get certificates.cert-manager.io $CERT -o yaml > $BACKUP_PATH/$CERT-certificate.yaml
kubectl get secrets $CERT -o yaml > $BACKUP_PATH/$CERT-secret.yaml
cp $BACKUP_PATH/$CERT-certificate.yaml $BACKUP_PATH/$CERT-certificate.bak
vim $BACKUP_PATH/$CERT-certificate.yaml
(change the ClusterIssuer to the DNS01 one; clean up...)
kubectl delete certificates.cert-manager.io $CERT
kubectl delete secret $CERT
kubectl apply -f $BACKUP_PATH/$CERT-certificate.yaml
And it worked!
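Two parts of this thread lend themselves to a worked example: the UnsupportedMediaType error in the question, and the "clean up" step in the answer. The error appears because kubectl patch defaults to a strategic merge patch, which the API server does not accept for custom resources such as cert-manager's Certificate; the same patch succeeds with --type merge. The "clean up" step means stripping the server-populated fields (uid, resourceVersion, status, managedFields, and so on) from the exported manifest before re-applying it. The script below is an added example, not code from the original post or from cert-manager: it builds the JSON merge patch body for the first approach, and for the second it takes the JSON that `kubectl get certificate -o json` would return, strips those fields, swaps the issuerRef and reports whether the result points at the expected ClusterIssuer (the same check as the jsonpath query in the question). The sample Certificate JSON, the example.com name and the `kubectl_patch_command` helper are constructed for illustration.

```python
import json

# Constructed sample of what `kubectl get certificate tls-certificate -o json`
# returns. Hypothetical values, not taken from the original post.
SAMPLE_CERT = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {
        "name": "tls-certificate",
        "namespace": "default",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2023-01-01T00:00:00Z",
        "generation": 3,
        "managedFields": [{"manager": "kubectl-client-side-apply"}],
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"cert-manager.io/v1\"}"
        },
    },
    "spec": {
        "secretName": "tls-certificate",
        "dnsNames": ["example.com"],
        "issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "letsencrypt-prod"},
    },
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}
SAMPLE_CERT_JSON = json.dumps(SAMPLE_CERT)

# Metadata keys the API server owns; re-applying them causes conflicts or is rejected.
SERVER_POPULATED_METADATA = (
    "uid", "resourceVersion", "creationTimestamp", "generation", "managedFields", "selfLink",
)
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def merge_patch_for_issuer(issuer_name, kind="ClusterIssuer", group="cert-manager.io"):
    """Body of a JSON merge patch (RFC 7386) that only replaces spec.issuerRef.
    Custom resources accept application/merge-patch+json but not kubectl's default
    strategic merge patch, which is what the UnsupportedMediaType error reports."""
    return {"spec": {"issuerRef": {"group": group, "kind": kind, "name": issuer_name}}}


def kubectl_patch_command(cert_name, issuer_name):
    """Hypothetical helper: the kubectl invocation that applies the merge patch."""
    body = json.dumps(merge_patch_for_issuer(issuer_name))
    return "kubectl patch certificates.cert-manager.io %s --type merge -p '%s'" % (cert_name, body)


def clean_for_recreate(cert_json, issuer_name):
    """Turn an exported Certificate into a manifest that can be deleted and re-applied:
    drop server-populated metadata, the last-applied annotation and .status,
    then point issuerRef at the DNS01 ClusterIssuer."""
    cert = json.loads(cert_json)  # fresh copy; the caller's object is not mutated
    meta = cert.setdefault("metadata", {})
    for key in SERVER_POPULATED_METADATA:
        meta.pop(key, None)
    annotations = meta.get("annotations", {})
    annotations.pop(LAST_APPLIED, None)
    if not annotations:
        meta.pop("annotations", None)
    cert.pop("status", None)
    cert["spec"]["issuerRef"]["name"] = issuer_name
    return cert


def issuer_matches(cert, expected_name, expected_kind="ClusterIssuer"):
    """Equivalent of the `-o=jsonpath='{.spec.issuerRef}'` check in the question."""
    ref = cert.get("spec", {}).get("issuerRef", {})
    return ref.get("kind") == expected_kind and ref.get("name") == expected_name


if __name__ == "__main__":
    print(kubectl_patch_command("tls-certificate", "letsencrypt-prod-cloudflare"))
    cleaned = clean_for_recreate(SAMPLE_CERT_JSON, "letsencrypt-prod-cloudflare")
    print(json.dumps(cleaned, indent=2))
    print("switched:", issuer_matches(cleaned, "letsencrypt-prod-cloudflare"))
```

Run it against a real export with `kubectl get certificates.cert-manager.io tls-certificate -o json`, write the cleaned manifest to the backup path, and only then delete and re-apply as in the answer. Note that the Secret backup taken alongside it contains the private key, so the backup directory should be readable only by the operator who made it.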