Wildcard Let's Encrypt certificates with cert-manager, nginx ingress, Cloudflare in Kubernetes: how to fix?

I have Cloudflare DNS to manage my domain. I created an A record *.play.mydomain.com in Cloudflare.

In Kubernetes (GKE) I created an Issuer:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod-wildcard
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    #server: https://acme-v02.api.letsencrypt.org/directory
    email: myemain@gmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-wildcard
    # ACME DNS-01 provider configurations
    dns01:
      challenges
      providers:
      - name: cf-dns
        cloudflare:
          email: myimail@gmail.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
And I created a secret for Cloudflare (cloudflare-api-key).

Also I created a wildcard certificate:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-mydomain-com
  namespace: default
spec:
  secretName: wildcard-mydomain-com
  issuerRef:
    #name: letsencrypt-staging-wildcard
    name: letsencrypt-prod-wildcard
  commonName: '*.play.mydomain.com'
  dnsNames:
  - play.mydomain.com
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.play.mydomain.com'
      - play.mydomain.com
The certificate generated successfully:

Status:
  Conditions:
    Last Transition Time:  2019-04-13T00:49:00Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-07-11T23:48:57Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           4m5s  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  4m5s  cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        4m5s  cert-manager  Created Order resource "wildcard-mydomain-com-880037411"
  Normal  OrderComplete       84s   cert-manager  Order "wildcard-mydomain-com-880037411" completed successfully
  Normal  CertIssued          84s   cert-manager  Certificate issued successfully
But in the cert-manager logs I see an error:

2019-04-13 04:49:00.078 GET
orders controller: Re-queuing item "default/wildcard-mydomain-com-880037411" due to error processing: challenges.certmanager.k8s.io "wildcard-mydomain-com-880037411-1" not found
Also I have an ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-mydomain-com
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/issuer: letsencrypt-prod-wildcard
    certmanager.k8s.io/acme-challenge-type: "dns01"
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - secretName: letsencrypt-prod-secret-playground
    hosts:
    - '*.play.mydomain.com'
  rules:
  - host: '*.play.mydomain.com'
    http:
      paths:
      - backend:
          serviceName: playground
          servicePort: 83
And an error in the logs (after creating the ingress):

2019-04-13 04:51:17.225 GET
orders controller: Re-queuing item "default/letsencrypt-prod-secret-playground-2579012660" due to error processing: Error constructing Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain "play.mydomain.com"

How can I use Let's Encrypt wildcard certificates with cert-manager, nginx ingress and Cloudflare in Kubernetes?
I'd like to have an ingress and launch many subdomains ([randomstring].play.mydomain.com).
It looks mostly correct, a couple of issues I see:

The challenges keyword seems out of place in the Issuer. Maybe it was on purpose to explain(?)

    # ACME DNS-01 provider configurations
    dns01:
      providers:
      - name: cf-dns
        cloudflare:
          email: myimail@gmail.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt
Missing kind: Issuer line within the issuerRef in your Certificate definition, and dnsNames shows play.mydomain.com instead of *.play.mydomain.com (which could be the problem):

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: wildcard-mydomain-com
      namespace: default
    spec:
      secretName: wildcard-mydomain-com
      issuerRef:
        name: letsencrypt-prod-wildcard
        kind: Issuer
      commonName: '*.play.mydomain.com'
      dnsNames:
      - '*.play.mydomain.com'   # <== here
      acme:
        config:
        - dns01:
            provider: cf-dns
          domains:
          - '*.play.mydomain.com'
          - play.mydomain.com
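As an added check that is not part of either answer, here is a small Python script that applies the two points above to a Certificate manifest already parsed into a dict, and shows which hostnames the '*.play.mydomain.com' wildcard actually covers (it goes slightly beyond the answer by also noting that a wildcard SAN never covers its own apex name):

```python
# Added example, not code from the question or the answers: lint an already
# parsed cert-manager Certificate (a dict, as a YAML loader would return it) for
# the two points raised above, and check which hostnames a wildcard SAN covers.
from typing import Dict, List

def hostname_covered(dns_names: List[str], host: str) -> bool:
    """RFC 6125 style matching: '*' stands for exactly one leftmost label, so
    '*.play.mydomain.com' covers 'abc.play.mydomain.com' but neither the apex
    'play.mydomain.com' nor the deeper 'a.b.play.mydomain.com'."""
    host = host.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                    # ".play.mydomain.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]      # the part matched by '*'
                if left and "." not in left:
                    return True
    return False

def lint_certificate(cert: Dict) -> List[str]:
    """Return findings for a parsed Certificate manifest; empty means clean."""
    findings = []
    spec = cert.get("spec", {})
    if "kind" not in spec.get("issuerRef", {}):
        findings.append("issuerRef has no kind (Issuer or ClusterIssuer)")
    dns_names = spec.get("dnsNames", [])
    cn = spec.get("commonName")
    if cn and cn not in dns_names:
        findings.append(f"commonName {cn!r} is not listed in dnsNames")
    if not any(n.startswith("*.") for n in dns_names):
        findings.append("dnsNames contains no wildcard entry")
    for n in dns_names:
        # Beyond the answer: a wildcard never covers its own apex name.
        if n.startswith("*.") and not hostname_covered(dns_names, n[2:]):
            findings.append(f"{n!r} does not cover {n[2:]!r}; add it if needed")
    return findings

# Constructed sample: the asker's Certificate spec as a YAML loader would parse it.
QUESTION_CERT = {
    "spec": {
        "secretName": "wildcard-mydomain-com",
        "issuerRef": {"name": "letsencrypt-prod-wildcard"},
        "commonName": "*.play.mydomain.com",
        "dnsNames": ["play.mydomain.com"],
    },
}
```

Running lint_certificate(QUESTION_CERT) reports the missing issuerRef.kind, the commonName absent from dnsNames, and the absence of any wildcard entry; the corrected manifest with both '*.play.mydomain.com' and play.mydomain.com in dnsNames reports nothing.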
Note: it might require first adding a CAA record in DNS.
A CAA record can be added into the DNS zone, for example:

    Name       Type  Value
    devops.in  CAA   0 issuewild "letsencrypt.org"

Secret storing the access key:

    kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"

Here sharing the example issuer.yaml:
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        email: test123@gmail.com
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - selector:
            dnsZones:
            - "devops.in"
          dns01:
            route53:
              region: us-east-1
              hostedZoneID: Z2152140EXAMPLE
              accessKeyID: AKIA5A5D7EXAMPLE
              secretAccessKeySecretRef:
                name: route53-secret
                key: secret-access-key
    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
      name: le-crt
    spec:
      secretName: tls-secret
      issuerRef:
        kind: Issuer
        name: letsencrypt-prod
      commonName: "*.devops.in"
      dnsNames:
      - "*.devops.in"