
cert-manager: no configured challenge solvers can be used for this challenge

I followed this tutorial to set up cert-manager on my EKS cluster: https://cert-manager.io/docs/tutorials/acme/ingress/

Here is my Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
      - '*.test.com'
    secretName: test-tls
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-service
                port:
                  number: 80

Here is the Issuer. I just copied the config from the tutorial:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@test.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

After deployment, I found the Certificate's READY state is False:

kubectl get certificate
NAME       READY   SECRET     AGE
test-tls   False   test-tls   2m45s

Then I followed this to troubleshoot: https://cert-manager.io/docs/faq/troubleshooting/

I ran kubectl describe certificaterequest <request name> and found the error Waiting on certificate issuance from order test-tls-xxx: "pending".

Then I ran kubectl describe order test-tls-xxx and found the error Warning Solver 20m cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge.

Any idea why it couldn't determine a valid solver? How do I test whether the solver is working?

It's not working because you are using the staging URL in the cluster issuer to verify the image.

Please try with the production URL.

Here is a simple and proper example of a ClusterIssuer and Ingress YAML (do note you were trying with the staging API https://acme-staging-v02.api.letsencrypt.org/directory; if possible use the production server address so it works properly with all browsers):

Example:

# ClusterIssuer is cluster-scoped, so it takes no metadata.namespace;
# cert-manager.io/v1alpha2 is no longer served, use cert-manager.io/v1
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      # ACME account key; for a ClusterIssuer this Secret lives in cert-manager's own namespace
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; networking.k8s.io/v1
# requires pathType and the service/port backend form
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
  namespace: development   # Ingress (and the TLS Secret below) are namespaced
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: service-name
            port:
              number: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

Note: when you try again, please delete the old objects such as the Ingress and ClusterIssuer first.

Issuer vs ClusterIssuer

An Issuer is a namespaced resource, and it is not possible to issue certificates from an Issuer in a different namespace. This means you will need to create an Issuer in each namespace you wish to obtain Certificates in.

If you want to create a single Issuer that can be consumed in multiple namespaces, you should consider creating a ClusterIssuer resource. This is almost identical to the Issuer resource, but it is non-namespaced, so it can be used to issue Certificates across all namespaces.

Ref: https://cert-manager.io/docs/concepts/issuer/

Wildcard cert

Use whichever fits your requirement; if you are using an Issuer, update the Ingress annotation line to:

cert-manager.io/issuer: issuer-name

If you are trying to get a wildcard (*) certificate, you won't be able to get it using the HTTP auth method:

solvers:
- http01:
    ingress:
      class: nginx-class-name

Instead you have to use the DNS auth method for a wildcard cert:

solvers:
- dns01:
    cloudDNS:
      project: my-project
      serviceAccountSecretRef:
        name: prod-clouddns-svc-acct-secret
        key: service-account.json

Read more at: https://cert-manager.io/docs/configuration/acme/dns01/

Reference article for getting a wildcard cert: https://medium.com/@harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2
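The Order error in the question ("no configured challenge solvers can be used for this challenge") is produced when, for some DNS name on the Order, none of the Issuer's solvers can handle a challenge type the ACME server offers for that name. Let's Encrypt offers only dns-01 for wildcard identifiers, so an Issuer whose only solver is http01 has nothing to pick for *.test.com, regardless of whether staging or production is used. The script below is an added example (not cert-manager's code, and not from either post) that models that selection offline so you can check an Issuer's solver list against the hosts on an Ingress before applying it. The issuer specs are Python dicts mirroring the YAML on this page; the route53 solver, the us-east-1 region and the dnsZones selector in the repaired issuer are assumptions for illustration, and selector scoring is simplified (dnsNames beats dnsZones beats an unselected solver; matchLabels is not modelled).

```python
"""Offline model of cert-manager's ACME solver selection.

Added example: not cert-manager source. Issuer specs below mirror the YAML
on this page; the route53 solver and dnsZones selector are assumptions.
"""

NO_SOLVER = "no configured challenge solvers can be used for this challenge"


def offered_challenge_types(dns_name):
    """Challenge types the ACME server offers for one identifier.

    Let's Encrypt offers only dns-01 for wildcard names, which is why an
    http01-only Issuer can never solve '*.test.com'.
    """
    if dns_name.startswith("*."):
        return {"dns-01"}
    return {"http-01", "dns-01", "tls-alpn-01"}


def solver_challenge_type(solver):
    """Map an Issuer solver entry to the ACME challenge type it implements."""
    if "http01" in solver:
        return "http-01"
    if "dns01" in solver:
        return "dns-01"
    raise ValueError("solver has neither http01 nor dns01: %r" % (solver,))


def selector_score(selector, dns_name):
    """Return None if the selector excludes dns_name, else a specificity score.

    Simplified from cert-manager: an exact dnsNames match (1000) beats a
    dnsZones suffix match (100 + number of labels, so the longer zone wins),
    which beats a solver with no selector (0). matchLabels is not modelled.
    """
    if not selector:
        return 0
    if dns_name in selector.get("dnsNames", []):
        return 1000
    best = None
    # '*.test.com' belongs to zone 'test.com' just like 'www.test.com' does
    bare = dns_name[2:] if dns_name.startswith("*.") else dns_name
    for zone in selector.get("dnsZones", []):
        if bare == zone or bare.endswith("." + zone):
            labels = zone.count(".") + 1
            best = max(best or 0, 100 + labels)
    return best


def select_solver(solvers, dns_name):
    """Pick the most specific solver that can do a challenge offered for dns_name."""
    offered = offered_challenge_types(dns_name)
    best, best_score = None, -1
    for solver in solvers:
        if solver_challenge_type(solver) not in offered:
            continue  # e.g. http01 solver vs. a wildcard that only offers dns-01
        score = selector_score(solver.get("selector", {}), dns_name)
        if score is not None and score > best_score:
            best, best_score = solver, score
    return best


def check_issuer(issuer_spec, hosts):
    """Map each host to the challenge type cert-manager would use, or to the
    error string the Order shows when nothing matches."""
    solvers = issuer_spec["acme"]["solvers"]
    result = {}
    for host in hosts:
        solver = select_solver(solvers, host)
        result[host] = solver_challenge_type(solver) if solver else NO_SOLVER
    return result


# Constructed input 1: the question's Issuer, http01 only (mirrors its YAML).
QUESTION_ISSUER = {"acme": {"solvers": [
    {"http01": {"ingress": {"class": "nginx"}}},
]}}

# Constructed input 2: a repaired Issuer adding a dns01 solver scoped to the
# zone. The route53 provider and region are assumed; any dns01 provider works.
REPAIRED_ISSUER = {"acme": {"solvers": [
    {"http01": {"ingress": {"class": "nginx"}}},
    {"selector": {"dnsZones": ["test.com"]},
     "dns01": {"route53": {"region": "us-east-1"}}},
]}}

if __name__ == "__main__":
    hosts = ["*.test.com", "www.test.com"]
    for name, spec in [("question", QUESTION_ISSUER), ("repaired", REPAIRED_ISSUER)]:
        print(name, check_issuer(spec, hosts))
```

With the question's Issuer the wildcard host maps to the exact error string from the Order, while a plain name such as www.test.com would have been solvable over http-01. With the repaired Issuer both hosts go to dns-01, because a solver whose dnsZones selector matches is preferred over an unselected one; that is also why, in a real cluster, the Order's Challenge resources for every name under test.com would show type dns-01 rather than http-01.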
