Kubernetes cert-manager not updating certificates after issuer change
I am using cert-manager 0.5.2 to manage Let's Encrypt certificates on our Kubernetes cluster.

I was using the Let's Encrypt staging environment, but have now moved to use their production certificates. The problem is that my applications aren't updating to the new, valid certificates.

I must have screwed something up while updating the issuer, certificate, and ingress resources, but I can't see what. I have also reinstalled the NGINX ingress controller and cert-manager, and recreated my applications, but I am still getting old certificates. What can I do next?
Describing the letsencrypt cluster issuer:
Name:         letsencrypt
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt","namespace":""},"spec":{"acme":{"e...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-01-04T09:27:49Z
  Generation:          0
  Resource Version:    130088
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/letsencrypt
  UID:                 00f0ea0f-1003-11e9-997f-ssh3b4bcc625
Spec:
  Acme:
    Email:  administrator@domain.com
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/48899673
  Conditions:
    Last Transition Time:  2019-01-04T09:28:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:  <none>
Describing the tls-secret certificate:
Name:         tls-secret
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"default"},"spec":{"acme"...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-01-04T09:28:13Z
  Resource Version:    130060
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tls-secret
  UID:                 0f38w7y4-1003-11e9-997f-e6e9b4bcc625
Spec:
  Acme:
    Config:
      Domains:
        mydomain.com
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    mydomain.com
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt
  Secret Name:  tls-secret
Events:  <none>
Describing the aks-ingress ingress controller:
Name:             aks-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-secret terminates mydomain.com
Rules:
  Host          Path  Backends
  ----          ----  --------
  mydomain.com
                /     myapplication:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  ...
  kubernetes.io/ingress.class:                       nginx
  nginx.ingress.kubernetes.io/rewrite-target:        /
  certmanager.k8s.io/cluster-issuer:                 letsencrypt
Events:
  Type    Reason  Age  From                      Message
  ----    ------  ---  ----                      -------
  Normal  CREATE  21m  nginx-ingress-controller  Ingress default/aks-ingress
  Normal  CREATE  21m  nginx-ingress-controller  Ingress default/aks-ingress
Logs for cert-manager after restarting the server:
I0104 09:27:14.356692 1 start.go:79] starting cert-manager v0.5.2 (revision 9e8c3ad899c5aafaa360ca947eac7f5ba6301035)
I0104 09:27:14.357610 1 controller.go:126] Using the following nameservers for DNS01 checks: [10.0.0.10:53]
I0104 09:27:14.358408 1 leaderelection.go:175] attempting to acquire leader lease kube-system/cert-manager-controller...
I0104 09:27:14.359634 1 server.go:84] Listening on http://0.0.0.0:9402
I0104 09:28:27.402806 1 leaderelection.go:184] successfully acquired lease kube-system/cert-manager-controller
I0104 09:28:27.404269 1 controller.go:68] Starting clusterissuers controller
I0104 09:28:27.404325 1 controller.go:68] Starting ingress-shim controller
I0104 09:28:27.404606 1 controller.go:68] Starting issuers controller
I0104 09:28:27.404656 1 controller.go:68] Starting certificates controller
I0104 09:28:29.439299 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'
I0104 09:28:29.439404 1 sync.go:120] Issuer letsencrypt not ready
E0104 09:28:29.439586 1 controller.go:180] certificates controller: Re-queuing item "default/tls-secret" due to error processing: Issuer letsencrypt not ready
I0104 09:28:32.427832 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'
I0104 09:28:32.427832 1 controller.go:168] ingress-shim controller: syncing item 'default/aks-ingress'
I0104 09:28:32.427936 1 sync.go:140] Certificate "tls-secret" for ingress "aks-ingress" already exists
I0104 09:28:32.427965 1 sync.go:143] Certificate "tls-secret" for ingress "aks-ingress" is up to date
I0104 09:28:32.427978 1 controller.go:182] ingress-shim controller: Finished processing work item "default/aks-ingress"
I0104 09:28:32.428133 1 logger.go:88] Calling GetAccount
I0104 09:28:33.359178 1 setup.go:181] letsencrypt: verified existing registration with ACME server
I0104 09:28:33.359246 1 helpers.go:147] Setting lastTransitionTime for ClusterIssuer "letsencrypt" condition "Ready" to 2019-01-04 09:28:33.359214315 +0000 UTC m=+79.014291591
I0104 09:28:33.377556 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"
I0104 09:28:33.439824 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'
I0104 09:28:33.440417 1 sync.go:206] Certificate default/tls-secret scheduled for renewal in 1423 hours
I0104 09:28:33.440466 1 controller.go:185] certificates controller: Finished processing work item "default/tls-secret"
I0104 09:28:38.378455 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'
I0104 09:28:38.378953 1 setup.go:144] Skipping re-verifying ACME account as cached registration details look sufficient.
I0104 09:28:38.379058 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"
Certificate resource:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: tls-secret
spec:
  secretName: tls-secret
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
In this case the problem went away after recreating the secret and the cert-manager Certificate resource.

Generally, what you want to check: the annotations on your ingress resource (certmanager.k8s.io/cluster-issuer: letsencrypt), the cert-manager Certificate resource, and the SSL certificate secret in k8s and in the ingress resource.
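Why recreating the secret is what fixes this is visible in the logs above: `Certificate default/tls-secret scheduled for renewal in 1423 hours` means the certificates controller found a certificate already sitting in `tls-secret` that covers `mydomain.com` and is far from its renewal window, so it had nothing to do and never placed an order with the new production server. Nothing in that decision compares which CA signed the stored certificate with the issuer the Certificate now references, so switching the ClusterIssuer from staging to production leaves the staging certificate in place until it is due for renewal or the secret disappears. The script below is an added example (mine, not from the post or from the cert-manager project) of the check I would run before deleting anything: pull `tls.crt` out of the TLS secret, read its issuer and expiry, and compare that with the ACME directory the ClusterIssuer points at. It assumes `kubectl` and `openssl` on PATH, uses the secret and issuer names from the question as defaults, and assumes Let's Encrypt staging intermediates can be recognised by a `(STAGING)` or `Fake LE` marker in the issuer name (true for the staging intermediates I have seen; treat it as an assumption if yours is named differently).

```sh
#!/bin/sh
# Added example, not from the original post or from cert-manager.
# Compares the certificate cert-manager stored in the Ingress TLS secret
# with the ACME server its ClusterIssuer points at, and tells you whether
# deleting the secret is needed to force a re-issue.
# Assumptions: kubectl and openssl on PATH; secret/issuer names default to
# the ones in the question (default/tls-secret, ClusterIssuer letsencrypt).
set -eu

# Classify an "issuer=..." line as printed by `openssl x509 -noout -issuer`.
# Assumed naming: Let's Encrypt staging intermediates carry "(STAGING)" in
# the name (older ones were "Fake LE Intermediate X1"); production ones do
# not. Staging patterns are tested first because both contain "Let's Encrypt".
classify_issuer() {
  case "$1" in
    *STAGING*|*"Fake LE"*)  echo staging ;;
    *"Let's Encrypt"*)      echo production ;;
    *)                      echo unknown ;;
  esac
}

# Classify the ACME directory URL from a (Cluster)Issuer's spec.acme.server.
# Staging is acme-staging-v02.api.letsencrypt.org, production acme-v02.
classify_acme_server() {
  case "$1" in
    *acme-staging*)         echo staging ;;
    *api.letsencrypt.org*)  echo production ;;
    *)                      echo unknown ;;
  esac
}

# Decode tls.crt out of a kubernetes.io/tls secret; print issuer and expiry.
# Fails (non-zero) if the secret is missing or holds no parseable certificate.
secret_cert_info() {
  kubectl -n "$1" get secret "$2" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d \
    | openssl x509 -noout -issuer -enddate
}

# Main check. Returns 0 if the stored certificate already comes from the
# environment the issuer targets, 1 on a mismatch, 2 if there is no usable cert.
check_secret() {
  ns=${1:-default}; name=${2:-tls-secret}; issuer=${3:-letsencrypt}
  if ! info=$(secret_cert_info "$ns" "$name"); then
    echo "no parseable tls.crt in secret $ns/$name"
    return 2
  fi
  server=$(kubectl get clusterissuer "$issuer" -o 'jsonpath={.spec.acme.server}')
  have=$(classify_issuer "$(printf '%s\n' "$info" | grep '^issuer=')")
  want=$(classify_acme_server "$server")
  printf '%s\n' "$info"
  echo "secret $ns/$name holds a $have certificate; ClusterIssuer $issuer targets $want ($server)"
  if [ "$have" != "$want" ]; then
    echo "mismatch: cert-manager will not re-issue on its own; delete the secret to force a new order:"
    echo "  kubectl -n $ns delete secret $name"
    return 1
  fi
  echo "ok: stored certificate already comes from the configured environment"
}

# Only run the live check when invoked with arguments, e.g.:
#   sh check-tls-secret.sh default tls-secret letsencrypt
if [ $# -gt 0 ]; then check_secret "$@"; fi
```

On a mismatch the script prints the `kubectl delete secret` command rather than running it: while the secret is gone the NGINX ingress controller serves its built-in fake certificate for that host until cert-manager completes the new HTTP-01 order, so do it in a window where that is acceptable. Afterwards confirm from outside the cluster with `openssl s_client -connect mydomain.com:443 -servername mydomain.com` that the served chain is the production one, and re-run the check to see the new expiry.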