带有证书管理器和 Nginx 入口的 404 挑战响应
[英]404 challenge response with cert-manager and Nginx ingress
问题描述
I'm trying to get letsencrypt/cert-manager running via this Helm chart.
我正在尝试通过此Helm 图表运行letsencrypt/cert-manager 。 The K8s cluster is on Digital Ocean. K8s 集群在 Digital Ocean 上。
I successfully verified the installation as recommended and have created a ClusterIssuer for staging, and 1 for production.我成功地按照建议验证了安装,并为暂存创建了一个ClusterIssuer ,为生产创建了 1 个。 ( letsencrypt-staging , letsencrypt-prod ) ( letsencrypt-staging , letsencrypt-prod )
Problem: The acme challenge returns a 404 error.问题:acme 挑战返回 404 错误。
$ k get challenge -o wide
NAME STATE DOMAIN REASON AGE
myapp-cert-2315925673-2905389610-1118496475 pending myapp.example.com Waiting for http-01 challenge propagation: wrong status code '404', expected '200' 7m55s
The Ingress works fine with port 80 when the tls block commented out.当tls块被注释掉时,Ingress 在端口 80 上工作正常。 When I define tls however, requests on port 80 return a 404, which is probably why the challenge is failing.然而,当我定义tls时,端口 80 上的请求返回 404,这可能是挑战失败的原因。
Note: I get the same response when using my production ClusterIssuer .注意:使用我的生产ClusterIssuer时,我得到了相同的响应。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
labels:
app: myapp
spec:
rules:
- host: myapp.example.com
http:
paths:
- backend:
serviceName: myapp
servicePort: 80
tls:
- hosts:
- myapp.example.com
secretName: myapp-cert
:: edited to add more configs :: :: 编辑以添加更多配置 ::
After adding more configs and logs as requested by @Tubc, it appears that Nginx is throwing an error when I update the ingress because the cert doesn't exist.按照@Tubc 的要求添加更多配置和日志后,由于证书不存在,当我更新入口时,Nginx 似乎抛出错误。
ClusterIssuer Manifests: ClusterIssuer 清单:
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: me@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: me@example.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
Service Manifest:服务清单:
---
apiVersion: v1
kind: Service
metadata:
name: myapp
labels:
app: myapp
spec:
ports:
- port: 80
selector:
app: myapp
tier: fe
type: NodePort
Nginx log: Nginx 日志:
2019/12/08 14:45:44 [emerg] 62#62: cannot load certificate "/etc/nginx/secrets/default-myapp-cert": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) I1208 14:45:44.934644 1 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"myapp-ingress", UID:"610c3304-0565-415d-8cde-0863bf9325ca", APIVersion:"extensions/v1beta1", ResourceVersion:"319124", FieldPath:""}): type: 'Warning' reason: 'AddedOrUpdatedWithError' Configuration for default/myapp-ingress was added or updated, but not applied: Error reloading NGINX for default/myapp-ingress: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: "" stderr: "nginx: [emerg] cannot load certificate \\"/etc/nginx/secrets/default-myapp-cert\\": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\\n" finished with error: exit status 1
1 个解决方案
解决方案1
0 2019-12-08 17:51:56
Despite copying the docs, it turns out the annotation key on the Ingress was wrong.尽管复制了文档,但事实证明 Ingress 上的注释键是错误的。
It should be: certmanager.k8s.io/cluster-issuer (rather than cert-manager.io/cluster-issuer as documented)它应该是: certmanager.k8s.io/cluster-issuer (而不是所记录的cert-manager.io/cluster-issuer )
Upon making this change the 404 went away and the certificate was issued and configured properly.进行此更改后,404 消失,证书已正确颁发和配置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.