[英]Kubernetes Cert-Manager can't get http01 ACME challange to work
Hello I m struggling to get the Cert-Manager work with let'sencrypt on my Azure AKS to secure and asp.net core web app.您好,我正在努力让 Cert-Manager 与我的 Azure AKS 上的 let'sencrypt 一起工作,以保护和 asp.net 核心 web 应用程序。
I have a ClusterIssuer like that:我有一个这样的 ClusterIssuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencryptstaging-issuer
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: letsencryptstaging@prodibi.com
privateKeySecretRef:
name: letsencryptstaging-secret
solvers:
- http01:
ingress:
class: nginx
and I request a certificate like that:我要求这样的证书:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: aks-prodibiv2-com-staging
spec:
secretName: aks-prodibiv2-com-staging-secret
duration: 2160h
renewBefore: 480h
organization:
- prodibiv2
dnsNames:
- aks.prodibiv2.com
issuerRef:
name: letsencryptstaging-issuer
kind: ClusterIssuer
I also have added the annotations to the ingress controller I would like to use我还将注释添加到我想使用的入口 controller
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/cluster-issuer: letsencryptstaging-issuer
In the following screenshot we can see that the certificate request is "Waiting to complete" We can see also that we have two ingress controller and the one for the challenge seems to not have an IP, and the domain is pointing to the ingress-prodibiweb在下面的屏幕截图中,我们可以看到证书请求是“等待完成”我们还可以看到我们有两个入口 controller,挑战的一个似乎没有 IP,并且域指向 ingress-prodibiweb
if I try to put the domain in front of the.well-known path I get a 404 not found error.如果我尝试将域放在.well-known 路径的前面,我会收到 404 not found 错误。
So my guess is that the cert-manager is not configured properly to use the ingress-prodibiweb (that point to asp.net core webapp) or something like that.所以我的猜测是 cert-manager 没有正确配置为使用 ingress-prodibiweb(指向 asp.net 核心 webapp)或类似的东西。 Any idea on what can I try to get it working?
关于我可以尝试什么让它工作的任何想法?
- http01:
ingress:
class: nginx
Anddns01 also a solution to request SSL.而dns01也是请求SSL的解决方案。 You can give it a try if you have enough permissions.
如果您有足够的权限,可以尝试一下。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.