
Kubernetes cert-manager not updating certificates after issuer change

I am using cert-manager 0.5.2 to manage Let's Encrypt certificates on our Kubernetes cluster.

I was using the Let's Encrypt staging environment, but have now moved to use their production certificates. The problem is that my applications aren't updating to the new, valid certificates.

I must have screwed something up while updating the issuer, certificate, and ingress resources, but I can't see what. I have also reinstalled the NGINX ingress controller and cert-manager, and recreated my applications, but I am still getting old certificates. What can I do next?

Describing the letsencrypt cluster issuer:

Name:         letsencrypt
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt","namespace":""},"spec":{"acme":{"e...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-01-04T09:27:49Z
  Generation:          0
  Resource Version:    130088
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/letsencrypt
  UID:                 00f0ea0f-1003-11e9-997f-ssh3b4bcc625
Spec:
  Acme:
    Email:  administrator@domain.com
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/48899673
  Conditions:
    Last Transition Time:  2019-01-04T09:28:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Describing the tls-secret certificate:

Name:         tls-secret
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"default"},"spec":{"acme"...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-01-04T09:28:13Z
  Resource Version:    130060
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tls-secret
  UID:                 0f38w7y4-1003-11e9-997f-e6e9b4bcc625
Spec:
  Acme:
    Config:
      Domains:
        mydomain.com
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    mydomain.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt
  Secret Name:  tls-secret
Events:         <none>

Describing the aks-ingress ingress controller:

Name:             aks-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-secret terminates mydomain.com
Rules:
  Host                                                       Path  Backends
  ----                                                       ----  --------
  mydomain.com
                                                             /   myapplication:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:   ...
  kubernetes.io/ingress.class:                 nginx
  nginx.ingress.kubernetes.io/rewrite-target:  /
  certmanager.k8s.io/cluster-issuer:           letsencrypt
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  21m   nginx-ingress-controller  Ingress default/aks-ingress
  Normal  CREATE  21m   nginx-ingress-controller  Ingress default/aks-ingress

Logs for cert-manager after restarting the server:

I0104 09:28:38.378953 1 setup.go:144] Skipping re-verifying ACME account as cached registration details look sufficient.    
I0104 09:28:38.379058 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:38.378953 1 setup.go:144] Skipping re-verifying ACME account as cached registration details look sufficient.    
I0104 09:28:38.379058 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:38.378455 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:38.378455 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:33.440466 1 controller.go:185] certificates controller: Finished processing work item "default/tls-secret"  
I0104 09:28:33.440417 1 sync.go:206] Certificate default/tls-secret scheduled for renewal in 1423 hours 
I0104 09:28:33.440466 1 controller.go:185] certificates controller: Finished processing work item "default/tls-secret"  
I0104 09:28:33.440417 1 sync.go:206] Certificate default/tls-secret scheduled for renewal in 1423 hours 
I0104 09:28:33.439824 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
I0104 09:28:33.439824 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
I0104 09:28:33.377556 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:33.377556 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:33.359246 1 helpers.go:147] Setting lastTransitionTime for ClusterIssuer "letsencrypt" condition "Ready" to 2019-01-04 09:28:33.359214315 +0000 UTC m=+79.014291591 
I0104 09:28:33.359178 1 setup.go:181] letsencrypt: verified existing registration with ACME server  
I0104 09:28:33.359178 1 setup.go:181] letsencrypt: verified existing registration with ACME server  
I0104 09:28:33.359246 1 helpers.go:147] Setting lastTransitionTime for ClusterIssuer "letsencrypt" condition "Ready" to 2019-01-04 09:28:33.359214315 +0000 UTC m=+79.014291591 
I0104 09:28:32.427832 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:32.427978 1 controller.go:182] ingress-shim controller: Finished processing work item "default/aks-ingress" 
I0104 09:28:32.427832 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:32.427832 1 controller.go:168] ingress-shim controller: syncing item 'default/aks-ingress'  
I0104 09:28:32.428133 1 logger.go:88] Calling GetAccount    
I0104 09:28:32.427936 1 sync.go:140] Certificate "tls-secret" for ingress "aks-ingress" already exists  
I0104 09:28:32.427965 1 sync.go:143] Certificate "tls-secret" for ingress "aks-ingress" is up to date   
I0104 09:28:32.427978 1 controller.go:182] ingress-shim controller: Finished processing work item "default/aks-ingress" 
I0104 09:28:32.428133 1 logger.go:88] Calling GetAccount    
I0104 09:28:32.427936 1 sync.go:140] Certificate "tls-secret" for ingress "aks-ingress" already exists  
I0104 09:28:32.427832 1 controller.go:168] ingress-shim controller: syncing item 'default/aks-ingress'  
I0104 09:28:32.427965 1 sync.go:143] Certificate "tls-secret" for ingress "aks-ingress" is up to date   
I0104 09:28:29.439299 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
E0104 09:28:29.439586 1 controller.go:180] certificates controller: Re-queuing item "default/tls-secret" due to error processing: Issuer letsencrypt not ready  
I0104 09:28:29.439404 1 sync.go:120] Issuer letsencrypt not ready   
E0104 09:28:29.439586 1 controller.go:180] certificates controller: Re-queuing item "default/tls-secret" due to error processing: Issuer letsencrypt not ready  
I0104 09:28:29.439299 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
I0104 09:28:29.439404 1 sync.go:120] Issuer letsencrypt not ready   
I0104 09:28:27.404656 1 controller.go:68] Starting certificates controller  
I0104 09:28:27.404606 1 controller.go:68] Starting issuers controller   
I0104 09:28:27.404325 1 controller.go:68] Starting ingress-shim controller  
I0104 09:28:27.404606 1 controller.go:68] Starting issuers controller   
I0104 09:28:27.404325 1 controller.go:68] Starting ingress-shim controller  
I0104 09:28:27.404269 1 controller.go:68] Starting clusterissuers controller    
I0104 09:28:27.404656 1 controller.go:68] Starting certificates controller  
I0104 09:28:27.404269 1 controller.go:68] Starting clusterissuers controller    
I0104 09:28:27.402806 1 leaderelection.go:184] successfully acquired lease kube-system/cert-manager-controller  
I0104 09:28:27.402806 1 leaderelection.go:184] successfully acquired lease kube-system/cert-manager-controller  
I0104 09:27:14.359634 1 server.go:84] Listening on http://0.0.0.0:9402  
I0104 09:27:14.357610 1 controller.go:126] Using the following nameservers for DNS01 checks: [10.0.0.10:53] 
I0104 09:27:14.357610 1 controller.go:126] Using the following nameservers for DNS01 checks: [10.0.0.10:53] 
I0104 09:27:14.358408 1 leaderelection.go:175] attempting to acquire leader lease kube-system/cert-manager-controller...    
I0104 09:27:14.359634 1 server.go:84] Listening on http://0.0.0.0:9402  
I0104 09:27:14.356692 1 start.go:79] starting cert-manager v0.5.2 (revision 9e8c3ad899c5aafaa360ca947eac7f5ba6301035)   
I0104 09:27:14.358408 1 leaderelection.go:175] attempting to acquire leader lease kube-system/cert-manager-controller...    
I0104 09:27:14.356692 1 start.go:79] starting cert-manager v0.5.2 (revision 9e8c3ad899c5aafaa360ca947eac7f5ba6301035)

Certificate resource:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: tls-secret
spec:
  secretName: tls-secret
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer

In this case the problem went away after recreating the secret and the cert-manager certificate resource.

Generally, what you want to check: the annotations on your ingress resource (certmanager.k8s.io/cluster-issuer: letsencrypt), the cert-manager certificate resource, and the SSL certificate secret in k8s and in the ingress resource.
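The check the answer describes, as an added example that is not part of the original question or answer: it reads the leaf certificate out of the Ingress's TLS secret, looks at who issued it, and deletes the secret only when the issuer is still a Let's Encrypt staging CA, which is what forces cert-manager to request a new certificate from the issuer it is now pointed at (the log above shows why nothing happens otherwise: the staging certificate in the secret is unexpired and covers the right DNS names, so cert-manager reports it "up to date"). It assumes kubectl, openssl and base64 on PATH, and the secret and namespace names from the question (tls-secret in default).

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Inspect the
# certificate cert-manager stored in the Ingress's TLS secret and decide
# whether it still comes from the Let's Encrypt staging CA. Assumes kubectl,
# openssl and base64 are on PATH; TLS_SECRET and NAMESPACE name the secret
# from the question (tls-secret / default) and are assumed, not read from
# the page.

# Return 0 when the issuer string names a Let's Encrypt staging CA.
# Staging intermediates have carried "Fake LE" (the X1 era) and, later,
# "(STAGING)" in their names; production issuers carry neither.
is_staging_issuer() {
  case "$1" in
    *"Fake LE"*|*"(STAGING)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the issuer line of the leaf certificate inside a TLS secret.
# Arguments: secret name, namespace.
secret_issuer() {
  kubectl -n "$2" get secret "$1" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -issuer
}

# Decide what to do with the secret: keep a production certificate,
# delete a staging one so cert-manager has to request a fresh certificate.
secret_action() {
  if is_staging_issuer "$1"; then echo delete; else echo keep; fi
}

# Only touch the cluster when a secret name is supplied, e.g.
#   TLS_SECRET=tls-secret NAMESPACE=default sh check-tls-secret.sh
if [ -n "${TLS_SECRET:-}" ]; then
  ns="${NAMESPACE:-default}"
  issuer="$(secret_issuer "$TLS_SECRET" "$ns")"
  echo "issuer of $ns/$TLS_SECRET: $issuer"
  if [ "$(secret_action "$issuer")" = delete ]; then
    kubectl -n "$ns" delete secret "$TLS_SECRET"
    # cert-manager sees the missing secret, marks the Certificate not ready
    # and re-issues; follow it with: kubectl describe certificate "$TLS_SECRET"
  fi
fi
```

After the secret is re-created, rerun the script: the issuer line should no longer contain "Fake LE" or "(STAGING)", and the Ingress, which references the secret by name, picks up the new certificate without changes.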
