
Wildcard Let's Encrypt certificates with cert-manager, nginx ingress, cloudflare in kubernetes how to fix?

I use Cloudflare DNS to manage my domain. I created an A record *.play.mydomain.com in Cloudflare.

In Kubernetes (GKE) I created an Issuer:

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod-wildcard
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    #server: https://acme-v02.api.letsencrypt.org/directory
    email: myemain@gmail.com

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-wildcard

    # ACME DNS-01 provider configurations
    dns01:

    challenges
      providers:
        - name: cf-dns
          cloudflare:
            email: myimail@gmail.com
            # A secretKeyRef to a cloudflare api key
            apiKeySecretRef:
              name: cloudflare-api-key
              key: api-key.txt
```

And I created a secret for cloudflare (cloudflare-api-key).

Also I created a wildcard certificate:

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    #name: letsencrypt-staging-wildcard
    name: letsencrypt-prod-wildcard
  commonName: '*.play.mydomain.com'
  dnsNames:
  - play.mydomain.com
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
```

The certificate was generated successfully:

```text
Status:
  Conditions:
    Last Transition Time:  2019-04-13T00:49:00Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-07-11T23:48:57Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           4m5s  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  4m5s  cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        4m5s  cert-manager  Created Order resource "wildcard-mydomain-com-880037411"
  Normal  OrderComplete       84s   cert-manager  Order "wildcard-mydomain-com-880037411" completed successfully
  Normal  CertIssued          84s   cert-manager  Certificate issued successfully
```

But in the cert-manager logs I see an error:

```text
2019-04-13 04:49:00.078 GET
orders controller: Re-queuing item "default/wildcard-mydomain-com-880037411" due to error processing: challenges.certmanager.k8s.io "wildcard-mydomain-com-880037411-1" not found
```

Also I have an ingress:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-mydomain-com
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/issuer: letsencrypt-prod-wildcard
    certmanager.k8s.io/acme-challenge-type: "dns01"
    kubernetes.io/tls-acme: "true"

spec:
  tls:
  - secretName: letsencrypt-prod-secret-playground
    hosts:
      - '*.play.mydomain.com'

  rules:
  - host: '*.play.mydomain.com'
    http:
      paths:
      - backend:
          serviceName: playground
          servicePort: 83
```

And an error in the logs (after creating the ingress):

```text
2019-04-13 04:51:17.225 GET
orders controller: Re-queuing item "default/letsencrypt-prod-secret-playground-2579012660" due to error processing: Error constructing Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain "play.mydomain.com"
```

How can I use Let's Encrypt wildcard certificates with cert-manager, nginx ingress and cloudflare in kubernetes?

I'd like to have an ingress and launch many subdomains ([randomstring].play.mydomain.com).

It looks mostly correct; a couple of issues I see:

  1. The challenges keyword seems out of place in the Issuer. Maybe it was on purpose to explain(?)

     ```yaml
     # ACME DNS-01 provider configurations
     dns01:
       providers:
         - name: cf-dns
           cloudflare:
             email: myimail@gmail.com
             # A secretKeyRef to a cloudflare api key
             apiKeySecretRef:
               name: cloudflare-api-key
               key: api-key.txt
     ```

  2. Missing kind: Issuer line within the issuerRef in your Certificate definition, and dnsNames shows play.mydomain.com instead of *.play.mydomain.com (which could be the problem)

     ```yaml
     apiVersion: certmanager.k8s.io/v1alpha1
     kind: Certificate
     metadata:
       name: wildcard-mydomain-com
       namespace: default
     spec:
       secretName: wildcard-mydomain-com
       issuerRef:
         name: letsencrypt-prod-wildcard
         kind: Issuer
       commonName: '*.play.mydomain.com'
       dnsNames:
       - '*.play.mydomain.com'   # <== here (quoted: an unquoted leading * is a YAML alias)
       acme:
         config:
         - dns01:
             provider: cf-dns
           domains:
           - '*.play.mydomain.com'
           - play.mydomain.com
     ```
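The dnsNames point above matters because TLS clients match the server name against the certificate's SAN list (modern browsers ignore the CommonName), and a wildcard label matches exactly one label in the leftmost position. The following is an added example, not code from the answer or from cert-manager: it applies that matching rule to the dnsNames from the question and from the corrected Certificate, against a few constructed hostnames, to show which ones each list would actually cover.

```python
"""Which hostnames would a certificate with a given SAN list cover?

Added example (not from the original answer). Implements the usual TLS
name-matching rule (RFC 6125 style): an exact match, or a "*." wildcard
that stands for exactly one DNS label in the leftmost position. So
"*.play.mydomain.com" covers "abc.play.mydomain.com" but neither the
apex "play.mydomain.com" nor the deeper "a.b.play.mydomain.com".
"""
from typing import Dict, Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the SAN entry `san` covers `hostname` (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # Wildcard: the suffix after "*" must match, and exactly one non-empty
    # label may precede it (no dots allowed in that label).
    suffix = san[1:]  # e.g. ".play.mydomain.com"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    return bool(prefix) and "." not in prefix


def coverage(dns_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether any SAN entry covers it."""
    names = list(dns_names)
    return {h: any(san_matches(s, h) for s in names) for h in hostnames}


def uncovered(dns_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that no SAN entry covers, in input order."""
    return [h for h, ok in coverage(dns_names, hostnames).items() if not ok]


# Constructed inputs: the question's dnsNames, the answer's corrected list,
# and sample hostnames including a random-subdomain host like the poster wants.
QUESTION_DNSNAMES = ["play.mydomain.com"]
ANSWER_DNSNAMES = ["*.play.mydomain.com", "play.mydomain.com"]
HOSTS = [
    "play.mydomain.com",        # apex: only an explicit entry covers it
    "x7f2k.play.mydomain.com",  # one label under the wildcard: covered
    "a.b.play.mydomain.com",    # two labels: a single wildcard does not cover it
    "mydomain.com",             # outside the zone entirely
]

if __name__ == "__main__":
    for label, names in (("question", QUESTION_DNSNAMES), ("answer", ANSWER_DNSNAMES)):
        print(f"{label}: uncovered = {uncovered(names, HOSTS)}")
```

Keeping both the wildcard and the bare apex in dnsNames is what lets one Secret serve `play.mydomain.com` and any `[randomstring].play.mydomain.com`; a nested host such as `a.b.play.mydomain.com` would need its own entry or its own wildcard.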

Note: it might be necessary to first add a CAA record in DNS.

A CAA record can be added to the DNS zone.

Example:

```text
Name        Type    Value
devops.in   CAA     0 issuewild "letsencrypt.org"
```

Secret storing the access key:

```shell
kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
```

Sharing an example issuer.yaml here:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
          - "devops.in"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
    - "*.devops.in"
```
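The CAA note above is worth understanding precisely, because a CA such as Let's Encrypt checks CAA before issuing and a misplaced record silently blocks the order. The following is an added example, not code from the answer: a stdlib-only model of the CAA decision rules from RFC 8659 (tree walk to the nearest CAA RRset, `issuewild` taking precedence over `issue` for wildcard names, `issue ";"` forbidding everyone, and a critical unknown property refusing issuance), run over constructed records including the answer's `0 issuewild "letsencrypt.org"`. The zone data is made up; a real check would read the records with `dig CAA devops.in`.

```python
"""Would a given CA be allowed to issue for a name under these CAA records?

Added example (not from the original answer). Models the RFC 8659 rules
over an in-memory zone; no DNS is queried. Records are (flags, tag, value)
triples keyed by owner name.
"""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]

# Constructed sample zone data (not real DNS):
#  - devops.in mirrors the answer: only letsencrypt.org may issue wildcards,
#    and nothing restricts non-wildcard issuance.
#  - example.org restricts every certificate to letsencrypt.org via "issue".
#  - locked.test forbids all issuance with the empty issuer ";".
#  - example.test carries a critical (flag 128) property no CA understands.
CAA_ZONE: Dict[str, List[CAARecord]] = {
    "devops.in": [(0, "issuewild", "letsencrypt.org")],
    "example.org": [(0, "issue", "letsencrypt.org")],
    "locked.test": [(0, "issue", ";")],
    "example.test": [(0, "issue", "letsencrypt.org"), (128, "futureprop", "x")],
}

UNDERSTOOD_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Return the first CAA RRset found walking from `name` towards the root.

    For a wildcard name the leading "*." is stripped first, so "*.devops.in"
    is governed by the records at "devops.in" (or an ancestor).
    """
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """Apply the RFC 8659 decision for CA `ca` requesting a cert for `name`."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA records anywhere up the tree: unrestricted
    # A critical property the CA cannot process forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in UNDERSTOOD_TAGS:
            return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, else fall back to issue;
    # non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # no applicable property: no restriction
    # Value syntax is "issuer-domain [; parameters]"; a bare ";" names nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    allowed.discard("")
    return ca.lower() in allowed


if __name__ == "__main__":
    for n, c in (("*.devops.in", "letsencrypt.org"), ("*.devops.in", "other-ca.example"),
                 ("www.devops.in", "other-ca.example"), ("*.example.test", "letsencrypt.org")):
        print(f"{c:>18} -> {n:<16} {'allowed' if ca_may_issue(n, c, CAA_ZONE) else 'refused'}")
```

One consequence visible in the model: the answer's `issuewild`-only record constrains wildcard orders to Let's Encrypt but leaves plain hostnames under devops.in open to any CA; pairing it with an `issue` record is what locks both kinds down.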
