What does the "Issuing certificate as Secret does not exist" error mean when using cert-manager to add SSL to my domain in k8s?
I tried setting up SSL for my domain with cert-manager in k8s.
Firstly, I created 2 services and applied the ingress, so that I can access my service with HTTP requests.
Then I installed cert-manager with the yml file
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
After that, I set up the issuer and certificate
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    # Staging API
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xxx@xxx.xxx
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: miniapi-staging
  namespace: default
spec:
  secretName: miniapi-staging-certificate
  issuerRef:
    name: letsencrypt-staging
  commonName: xx1.xx.xxx
  dnsNames:
  - xx1.xx.xxx
  - xx2.xx.xxx
I described the Certificate, and it showed me
Issuing certificate as Secret does not exist
Then I described the challenge, and it showed me a pending error
Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://xxx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs': Get "http://xx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs": EOF
And I checked that the URL above is valid; it showed me one long line string (I have modified the real URLs).
I tried so many times but it's the same error, so what am I doing wrong? I hope someone could save me from this.
BTW k8s is so hard to learn, how do you guys learn it?
To troubleshoot this error message, I followed the certificate lifecycle flow.
To sum it up, the resources that we are interested in are the certificate, certificaterequest, order and challenge. I used kubectl get and kubectl describe to understand the status of these resources.
I started deleting resources that were already created, which should be immediately recreated after deletion. Given that the flow is:
certificate -> certificaterequest -> order -> challenge
I started deleting and observing the effect from the end of the flow, hence following the opposite flow order: challenge, then order, then certificaterequest and finally the certificate. This didn't work, but after carefully looking at all the resources again, I noticed that deleting the challenge had failed. And because of that, a second challenge that had been created was not being processed. This happened most likely because the first challenge was manually deleted from the DNS Zone while it was still being processed.
In order to address this, it is necessary to delete the first challenge. In this GitHub answer you can see how to do that.
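The walk through certificate, certificaterequest, order and challenge described in this answer can be scripted. The block below is an added example, not code from the answer or from cert-manager: it takes the `items` lists of `kubectl get <kind> -o json` for the four kinds, follows ownerReferences down the chain and reports the deepest resource that is not healthy. The sample data is constructed to mirror the answer's situation (a challenge whose deletion never completed, and a second challenge queued behind it); the field names it reads (`status.conditions`, `status.state`, `status.processing`, `metadata.deletionTimestamp`, `metadata.finalizers`) are assumed to follow the cert-manager v1 resource shapes, and the resource names and finalizer string are made up.

```python
"""Walk the cert-manager issuance chain (certificate -> certificaterequest ->
order -> challenge) and report where it is stuck.

Added example, not part of the original answer. Input mimics the `items`
lists returned by `kubectl get <kind> -o json`; the sample is constructed
and keeps only the fields this script reads.
"""
import json
import sys

# Constructed sample modelled on the answer's situation: the first challenge's
# deletion has not completed (deletionTimestamp set, finalizer still present),
# so the second challenge for the same order is never picked up.
SAMPLE = {
    "certificates": [{
        "metadata": {"name": "miniapi-staging", "uid": "cert-1"},
        "status": {"conditions": [
            {"type": "Ready", "status": "False", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"}]}}],
    "certificaterequests": [{
        "metadata": {"name": "miniapi-staging-abcde", "uid": "cr-1",
                     "ownerReferences": [{"kind": "Certificate", "uid": "cert-1"}]},
        "status": {"conditions": [
            {"type": "Ready", "status": "False", "reason": "Pending",
             "message": "Waiting on certificate issuance from order default/miniapi-staging-abcde-1: \"pending\""}]}}],
    "orders": [{
        "metadata": {"name": "miniapi-staging-abcde-1", "uid": "order-1",
                     "ownerReferences": [{"kind": "CertificateRequest", "uid": "cr-1"}]},
        "status": {"state": "pending"}}],
    "challenges": [
        {"metadata": {"name": "miniapi-staging-abcde-1-111", "uid": "ch-1",
                      "ownerReferences": [{"kind": "Order", "uid": "order-1"}],
                      "deletionTimestamp": "2023-01-01T00:00:00Z",
                      "finalizers": ["finalizer.acme.cert-manager.io"]},  # constructed
         "spec": {"dnsName": "xx1.xx.xxx", "type": "HTTP-01"},
         "status": {"state": "pending", "processing": True, "presented": True,
                    "reason": "Waiting for HTTP-01 challenge propagation: failed to perform self check GET request: EOF"}},
        {"metadata": {"name": "miniapi-staging-abcde-1-222", "uid": "ch-2",
                      "ownerReferences": [{"kind": "Order", "uid": "order-1"}]},
         "spec": {"dnsName": "xx2.xx.xxx", "type": "HTTP-01"},
         "status": {"state": "pending", "processing": False, "presented": False}}],
}


def condition(obj, ctype):
    """Return the status condition of the given type, or None."""
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == ctype:
            return c
    return None


def owned_by(items, parent_uid):
    """Children whose ownerReferences point at parent_uid (how the chain is linked)."""
    return [i for i in items
            if any(o.get("uid") == parent_uid for o in i["metadata"].get("ownerReferences", []))]


def challenge_problem(ch):
    """Describe why a challenge is not done, or None when it is valid."""
    md, st = ch["metadata"], ch.get("status", {})
    if md.get("deletionTimestamp"):
        return "terminating: deletion requested but finalizers %s still hold it" % md.get("finalizers", [])
    if st.get("state") == "valid":
        return None
    if not st.get("processing"):
        return "queued: not being processed yet (another challenge for this order is still active)"
    return st.get("reason") or "pending without a reason"


def triage(res):
    """List (kind, name, problem) for every unhealthy resource, top of the chain first."""
    findings = []
    for cert in res["certificates"]:
        ready = condition(cert, "Ready") or {}
        if ready.get("status") == "True":
            continue
        findings.append(("certificate", cert["metadata"]["name"], ready.get("message", "no Ready condition")))
        for cr in owned_by(res["certificaterequests"], cert["metadata"]["uid"]):
            cr_ready = condition(cr, "Ready") or {}
            if cr_ready.get("status") == "True":
                continue
            findings.append(("certificaterequest", cr["metadata"]["name"], cr_ready.get("message", "no Ready condition")))
            for order in owned_by(res["orders"], cr["metadata"]["uid"]):
                st = order.get("status", {})
                if st.get("state") == "valid":
                    continue
                findings.append(("order", order["metadata"]["name"], f"state={st.get('state')} {st.get('reason', '')}".strip()))
                for ch in owned_by(res["challenges"], order["metadata"]["uid"]):
                    problem = challenge_problem(ch)
                    if problem:
                        findings.append(("challenge", ch["metadata"]["name"], problem))
    return findings


def stuck_at(res):
    """The resource to deal with first: a challenge stuck in deletion, else the deepest finding."""
    findings = triage(res)
    for kind, name, problem in findings:
        if kind == "challenge" and problem.startswith("terminating"):
            return (kind, name, problem)
    return findings[-1] if findings else None


if __name__ == "__main__":
    # Usage: triage.py certs.json crs.json orders.json challenges.json
    # (each file the output of `kubectl get <kind> -o json`); no args uses SAMPLE.
    if len(sys.argv) == 5:
        kinds = ("certificates", "certificaterequests", "orders", "challenges")
        res = {k: json.load(open(p))["items"] for k, p in zip(kinds, sys.argv[1:])}
    else:
        res = SAMPLE
    for kind, name, problem in triage(res):
        print(f"{kind:19s} {name:32s} {problem}")
    print("start here:", stuck_at(res))
```

Run against the sample, it lists all five unhealthy resources and names the terminating challenge as the place to start, which matches the answer's conclusion that the failed deletion of the first challenge blocked the second one.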
That message means that cert-manager can see that you have requested a Certificate and it doesn't have one already, so it needs to create (issue) one for you.
As for why the issuance is stuck on the self-check, confirm that retrieving that URL works from inside the cluster, as well as from outside.
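A small script makes the "inside and outside" comparison this answer asks for repeatable. The block below is an added example, not code from the answer or from cert-manager: it fetches the challenge URL the way the self check does, classifies the failure mode (the "EOF" in the question is what Go's HTTP client reports when the peer closes the connection without sending a response), and checks that the body served is the ACME key authorization for that token. The token.thumbprint format comes from RFC 8555 section 8.1 and RFC 7638 and goes beyond what the answer states; the JWK used in the test is constructed, and the weaker `body_has_token_prefix` check is for when you do not have the account key to hand.

```python
"""Reproduce cert-manager's HTTP-01 self check from any vantage point and
verify that the URL serves the key authorization for its token.

Added example, not from the original answer or from cert-manager. Run it once
from a workstation and once from a pod inside the cluster (e.g. via
`kubectl run` with a Python image) and compare: cert-manager performs its self
check from inside the cluster, so that vantage point is the one that must work.
"""
import base64
import hashlib
import json
import sys
import urllib.error
import urllib.request
from http.client import RemoteDisconnected


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def expected_key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: the body served at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def body_matches(body: str, token: str, account_jwk: dict) -> bool:
    # A trailing newline is tolerated; nothing else may differ.
    return body.rstrip("\r\n") == expected_key_authorization(token, account_jwk)


def token_from_url(url: str) -> str:
    return url.rstrip("/").rsplit("/", 1)[-1]


def body_has_token_prefix(body: str, url: str) -> bool:
    """Weaker check usable without the account key: the body must start with <token>."""
    return body.rstrip("\r\n").split(".", 1)[0] == token_from_url(url)


def classify_error(exc: BaseException) -> str:
    reason = getattr(exc, "reason", exc)  # URLError wraps the underlying OSError
    if isinstance(reason, (RemoteDisconnected, ConnectionResetError)):
        # Peer closed the connection before answering: the "EOF" seen in the question.
        return "closed_without_response"
    if isinstance(reason, ConnectionRefusedError):
        return "connection_refused"
    if isinstance(reason, TimeoutError) or "timed out" in str(reason):
        return "timeout"
    return f"other: {reason}"


def fetch(url: str, timeout: float = 5.0) -> dict:
    """GET the challenge URL and return status, body prefix and a failure class."""
    req = urllib.request.Request(url, headers={"User-Agent": "http01-selfcheck-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return {"ok": resp.status == 200, "status": resp.status, "body": body, "error": None}
    except urllib.error.HTTPError as e:
        return {"ok": False, "status": e.code, "body": "", "error": f"http_{e.code}"}
    except Exception as e:  # URLError, socket errors, timeouts
        return {"ok": False, "status": None, "body": "", "error": classify_error(e)}


if __name__ == "__main__":
    # Usage: selfcheck.py http://<host>/.well-known/acme-challenge/<token>
    url = sys.argv[1]
    result = fetch(url)
    result["token_prefix_ok"] = result["ok"] and body_has_token_prefix(result["body"], url)
    print(json.dumps(result, indent=2))
```

If the workstation run reports `ok` and the in-cluster run reports `closed_without_response` or `timeout`, the problem is between the cluster and its own public hostname rather than with the solver, which is the case the answer's inside-versus-outside check is meant to separate.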