
Kubernetes challenge waiting for http-01 propagation: dial tcp: no such host

I am trying to create a Kubernetes cluster namespace with auto-generated DNS for ingress, secured with Let's Encrypt TLS certificates. Unfortunately I'm running into some trouble and do not know where to look for the solution.

Deployment is being done with a multi-stage YAML pipeline into an AKS cluster; I've set up an nginx ingress controller and cert-manager, both in a separate namespace. The deployment succeeds and everything seems to be running, but the exposed hostnames from the ingress are not reachable. When taking a look at the certificates I see the following:

Name:         letsencrypt-tls-cd
Namespace:    myApp-dev
Labels:       app.kubernetes.io/instance=myApp
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=cd
              app.kubernetes.io/version=9.3.0
              helm.sh/chart=cd-1.0.0
Annotations:  <none>
API Version:  cert-manager.io/v1alpha3
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-06-15T11:59:53Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  myApp-cd
    UID:                   a6cbbf69-749e-4dd1-81cc-37a817051690
  Resource Version:        1218430
  Self Link:               /apis/cert-manager.io/v1alpha3/namespaces/myApp-dev/certificates/letsencrypt-tls-cd
  UID:                     46ac0acb-71bf-4dbc-a376-c024e92d68ca
Spec:
  Dns Names:
    cd-myApp-dev.dev
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-prod
  Secret Name:  letsencrypt-tls-cd
Status:
  Conditions:
    Last Transition Time:  2020-06-15T11:59:53Z
    Message:               ***Waiting for CertificateRequest "letsencrypt-tls-cd-95531636" to complete***
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  57m   cert-manager  Generated a new private key
  Normal  Requested     57m   cert-manager  Created new CertificateRequest resource "letsencrypt-tls-cd-95531636"

Looking into the certificate request:

Name:         letsencrypt-tls-cd-95531636
Namespace:    myApp-dev
Labels:       app.kubernetes.io/instance=myApp
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=cd
              app.kubernetes.io/version=9.3.0
              helm.sh/chart=cd-1.0.0
Annotations:  cert-manager.io/certificate-name: letsencrypt-tls-cd
              cert-manager.io/private-key-secret-name: letsencrypt-tls-cd
API Version:  cert-manager.io/v1alpha3
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2020-06-15T11:59:54Z
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1alpha2
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  letsencrypt-tls-cd
    UID:                   46ac0acb-71bf-4dbc-a376-c024e92d68ca
  Resource Version:        1218442
  Self Link:               /apis/cert-manager.io/v1alpha3/namespaces/myApp-dev/certificaterequests/letsencrypt-tls-cd-95531636
  UID:                     2bef5e93-6722-43c0-bd2c-283d70334b1c
Spec:
  Csr:  mySecret
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-prod
Status:
  Conditions:
    Last Transition Time:  2020-06-15T11:59:54Z
    Message:               Waiting on certificate issuance from order myApp-dev/letsencrypt-tls-cd-95531636-1679437339: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  OrderCreated  58m   cert-manager  Created Order resource myApp-dev/letsencrypt-tls-cd-95531636-1679437339

And the challenge:

Name:         letsencrypt-tls-cm-1259919220-2936945618-694921812
Namespace:    myApp-dev
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1alpha3
Kind:         Challenge
Metadata:
  Creation Timestamp:  2020-06-15T11:59:55Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Owner References:
    API Version:           acme.cert-manager.io/v1alpha2
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  letsencrypt-tls-cm-1259919220-2936945618
    UID:                   4d8eab8e-449b-494e-a751-912a77671223
  Resource Version:        1218492
  Self Link:               /apis/acme.cert-manager.io/v1alpha3/namespaces/myApp-dev/challenges/letsencrypt-tls-cm-1259919220-2936945618-694921812
  UID:                     8b355336-309a-4192-83b7-41397ebc20ac
Spec:
  Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/5253543313
  Dns Name:   cm-myApp-dev.dev
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-prod
  Key:      0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI.qZ3FGlVmwRY6MwBNqUR5iktM1fJWdXxFWZYFOpjSUkQ
  Solver:
    http01:
      Ingress:
        Class:  nginx
        Pod Template:
          Metadata:
          Spec:
            Node Selector:
              kubernetes.io/os:  linux
  Token:                         0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI
  Type:                          http-01
  URL:                           https://acme-v02.api.letsencrypt.org/acme/chall-v3/5253543313/1eUG0g
  Wildcard:                      false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://cm-myApp-dev.dev/.well-known/acme-challenge/0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI': Get "http://cm-myApp-dev.dev/.well-known/acme-challenge/0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI": dial tcp: lookup cm-myApp-dev.dev on 10.0.0.10:53: no such host
  State:       pending
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Started    2m15s  cert-manager  Challenge scheduled for processing
  Normal  Presented  2m14s  cert-manager  Presented challenge using http-01 challenge mechanism

I'm quite new to Kubernetes and don't know where to look to fix the error below; any help is greatly appreciated.

Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://cm-myApp-dev.dev/.well-known/acme-challenge/0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI': Get "http://cm-myApp-dev.dev/.well-known/acme-challenge/0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI": dial tcp: lookup cm-myApp-dev.dev on 10.0.0.10:53: no such host

Looking in the ingress controller I get the following error:

    7 controller.go:1374] Error getting SSL certificate "myApp-dev/letsencrypt-tls-cd": local SSL certificate myApp-dev/letsencrypt-tls-cd was not found
W0616 06:24:29.033235       7 controller.go:1119] Error getting SSL certificate "myApp-dev/letsencrypt-tls-cm": local SSL certificate myApp-dev/letsencrypt-tls-cm was not found. Using default certificate
W0616 06:24:29.033264       7 controller.go:1374] Error getting SSL certificate "myApp-dev/letsencrypt-tls-cd": local SSL certificate myApp-dev/letsencrypt-tls-cd was not found
I0616 06:24:50.355937       7 status.go:275] updating Ingress myApp-dev/cm-acme-http-solver-9z88h status from [] to [{10.240.0.252 } {10.240.1.58 }]
W0616 06:24:50.363181       7 controller.go:1119] Error getting SSL certificate "myApp-dev/letsencrypt-tls-cm": local SSL certificate myApp-dev/letsencrypt-tls-cm was not found. Using default certificate
W0616 06:24:50.363346       7 controller.go:1374] Error getting SSL certificate "myApp-dev/letsencrypt-tls-cd": local SSL certificate myApp-dev/letsencrypt-tls-cd was not found
I0616 06:24:50.363514       7 event.go:278] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"myApp-dev", Name:"cm-acme-http-solver-9z88h", UID:"1b53f4dc-1b52-4f11-9cd0-6ffe1d0d9d40", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"1451371", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress myApp-dev/cm-acme-http-solver-9z88h

You can refer to this link to configure cert-manager on AKS. It will automatically create the TLS secret too, once the certificate gets validated and attains the Ready state.

The problem was that the top level domain name we were using was not valid, therefore the ingress didn't refer to a valid domain and threw an error. Creating a valid top level domain and implementing it in our deployment solved the problem.

If someone Googles this, then know that this issue can also be caused by DNS caching in your Kubernetes cluster. In this case it is a transient error, but in some contexts speed could be important (e.g. if you are a managed service provider).

I wrote about it here, but in summary:

  • cert-manager would emit the "no such host" error for a while, and eventually succeed
  • my coredns ConfigMap (in the kube-system namespace) stipulated local DNS resolvers, and a 30 sec cache
  • you can fix the delay by (1) removing the cache, and (2) pointing the resolver to Google DNS (or another, depending on your needs)

Hope this pointer is helpful to someone.

Remember to add DNS records to the domain, such as A and CNAME, to route traffic to the Kubernetes load balancer.

E.g. cm-myApp-dev.dev or any other subdomains.
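The three answers above point at three different layers (a domain that does not exist, a stale CoreDNS cache, a missing A/CNAME record), and the question's Challenge status shows the step cert-manager got stuck on. The following is an added example, not code from the question, the answers or cert-manager itself: it re-implements cert-manager's http-01 self check (resolve the DNS name, GET `http://<dnsName>/.well-known/acme-challenge/<token>`, compare the body with the challenge Key) as an offline-testable module so an operator can see which step fails, and it maps the `status.reason` text of a Challenge to the layer to inspect first. The Token and Key values are copied from the Challenge in the question; the names `self_check`, `classify_reason` and `SelfCheckResult` are this example's own. The default resolver and fetcher are an assumption: they use the standard library and therefore the resolver of wherever the script runs, whereas cert-manager's check runs inside the cluster and goes through CoreDNS (10.0.0.10:53 in the question), so the two views can disagree while a record is still propagating or cached.

```python
"""Reproduce cert-manager's http-01 self check in a form that runs offline.

Added example (not cert-manager code). A Challenge stays 'pending' until
cert-manager's own GET of http://<dnsName>/.well-known/acme-challenge/<token>
returns 200 with the challenge Key (the ACME key authorization) as the body.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Tuple

# Token and Key copied from the Challenge resource shown in the question.
TOKEN = "0USdpDsQg7_NY1FB138oj6O3AtVVKn6rkdxUSBQk4KI"
KEY = TOKEN + ".qZ3FGlVmwRY6MwBNqUR5iktM1fJWdXxFWZYFOpjSUkQ"
CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class SelfCheckResult:
    ok: bool
    stage: str    # first step that failed: "key", "dns", "http", "body"; "ok" on success
    detail: str


def key_authorization_is_consistent(token: str, key: str) -> bool:
    """The ACME key authorization is '<token>.<account key thumbprint>'; cert-manager
    stores it in spec.key. A Key that does not start with the Token means the
    Challenge object itself is inconsistent, so there is no point probing the network."""
    parts = key.split(".")
    return len(parts) == 2 and parts[0] == token and bool(parts[1])


def default_resolve(host: str) -> List[str]:
    """Resolve with the local stub resolver. Assumption: this sees the same DNS as the pod,
    which is not guaranteed (inside the cluster the lookup goes through CoreDNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 80)})


def default_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Plain HTTP GET returning (status, body). A 404 is reported as a status, not raised,
    so the caller can distinguish 'nothing routes this path' from 'nothing answers'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def self_check(domain: str, token: str, key: str,
               resolve=default_resolve, fetch=default_fetch) -> SelfCheckResult:
    """Same three steps cert-manager performs before it tells the ACME server to validate."""
    if not key_authorization_is_consistent(token, key):
        return SelfCheckResult(False, "key", "Challenge Key is not '<token>.<thumbprint>'")
    try:
        addrs = resolve(domain)
    except OSError as err:          # socket.gaierror is an OSError: NXDOMAIN, as in the question
        return SelfCheckResult(False, "dns", f"lookup {domain}: {err}")
    if not addrs:
        return SelfCheckResult(False, "dns", f"lookup {domain}: no addresses")
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    try:
        status, body = fetch(url)
    except OSError as err:          # connection refused, timeout, reset
        return SelfCheckResult(False, "http", f"GET {url}: {err}")
    if status != 200:
        return SelfCheckResult(False, "http", f"wrong status code '{status}', expected '200'")
    if body.strip() != key:
        return SelfCheckResult(False, "body", "response body is not the challenge Key")
    return SelfCheckResult(True, "ok", f"{domain} -> {', '.join(addrs)}; key authorization served")


def classify_reason(reason: str) -> str:
    """Map a Challenge's status.reason text to the layer to look at first."""
    if "no such host" in reason:
        return "dns"        # record missing, invalid domain, or stale negative cache in CoreDNS
    if "wrong status code" in reason:
        return "ingress"    # name resolves, but the solver Ingress is not routing the path
    if "connection refused" in reason or "i/o timeout" in reason:
        return "network"    # name resolves, but nothing answers on port 80 at that address
    return "unknown"


if __name__ == "__main__":
    result = self_check("cm-myApp-dev.dev", TOKEN, KEY)
    print(result.stage, result.detail)
```

Running the script from a workstation and getting `ok` while the Challenge still reports `no such host` is the signature of the caching case from the answer above: the public record exists, but the in-cluster resolver is still serving a cached negative answer. Getting `dns` from both places is the first answer's case, where the record (or the domain) simply does not exist yet.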
