堆栈内存溢出
  简体   繁体   English

使用证书管理器在 k8s 中将 ssl 添加到我的域时,“颁发证书作为秘密不存在”错误是什么意思

[英]what does "Issuing certificate as Secret does not exist" error mean when using cert manager to add ssl to my domain in k8s

 原文  2021-07-26 09:22:28       ssl/ kubernetes/ cert-manager

问题描述

I tried setting ssl to my domain with cert manager in k8s.我尝试使用 k8s 中的证书管理器将 ssl 设置为我的域。

Firstly, I created 2 services and applied the ingress, so that I can access my service with http request.首先,我创建了 2 个服务并应用了入口,这样我就可以通过 http 请求访问我的服务。

Then I installed cert-manager with yml file然后我用 yml 文件安装了 cert-manager

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml

After that, I set up the issuer and certificate之后,我设置了颁发者和证书

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    # Staging API
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xxx@xxx.xxx
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: miniapi-staging
  namespace: default
spec:
  secretName: miniapi-staging-certificate
  issuerRef:
    name: letsencrypt-staging
  commonName: xx1.xx.xxx
  dnsNames:
  - xx1.xx.xxx
  - xx2.xx.xxx

I described Certificate, it showed me我描述了证书,它向我展示了

Issuing certificate as Secret does not exist颁发证书作为 Secret 不存在

Then I described challenge, it showed me some pending error然后我描述了挑战,它向我展示了一些未决错误

Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://xxx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs': Get "http://xx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs": EOF等待 HTTP-01 挑战传播:无法执行自检 GET 请求 'http://xxx.xxx.xx/.well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs':获取“http://xx.xxx.xx/ .well-known/acme-challenge/AsGBYEbUD8VRYoJsXQQu5b0ntGSS5quq2M7kRx0sFZs”:EOF

And I checked the url above is valid , it showed me one ong line string(I have modified the real urls).我检查了上面的 url 是有效的,它向我显示了一个 ong 行字符串(我已经修改了真实的网址)。

I tried so many times but it's the same error, so what am I doing wrong, hope some one could save me from this.我试了很多次,但都是同样的错误,所以我做错了什么,希望有人能帮我解决这个问题。

BTW k8s is so hard to learn, how do you guys learn it BTW k8s好难学,你们是怎么学的

2 个解决方案

解决方案1
 1  2022-10-12 10:48:03

To troubleshoot this error message, I followed the certificate lifecycle flow .为了解决此错误消息,我遵循了证书生命周期流程

To sum it up, the resources that we are interested are the certificate , certificaterequest , order and challenge .总而言之,我们感兴趣的资源是certificatecertificaterequestorderchallenge I used kubectl get and kubectl describe to understand the status of these resources.我使用kubectl getkubectl describe来了解这些资源的状态。

I started deleting resources that were already created, which should be immediately recreated after deletion.我开始删除已经创建的资源,删除后应该立即重新创建。 Given that the flow is:鉴于流程是:

certificate -> certificaterequest -> order -> challenge certificate -> certificaterequest -> order -> challenge

I started deleting and observing the effect from the end of the flow, hence following the opposite flow order: challenge , then order , then certificaterequest and finally the certificate .我从流程末尾开始删除并观察效果,因此遵循相反的流程顺序: challenge ,然后是order ,然后是certificaterequest ,最后是certificate This didn't work, but after carefully looking at all the resources again, I noticed that deleting the challenge had failed.这没有用,但在再次仔细查看所有资源后,我注意到删除challenge失败了。 And because of that, a second challenge that had been created was not being processed.正因为如此,已经创建的第二个挑战没有得到处理。 This happened most likely because the first challenge was manually deleted from the DNS Zone while it was still being processed.这很可能是因为第一个挑战在 DNS 区域中被手动删除,而它仍在处理中。

In order to address this, it is necessary to delete the first challenge.为了解决这个问题,有必要删除第一个挑战。 In this GitHub answer you can see how to do that.这个 GitHub 答案中,您可以了解如何做到这一点。

解决方案2
 0  2021-07-26 11:10:20

That message means that cert-manager can see that you have requested a Certificate and it doesn't have one already so it needs to create (issue) one for you.该消息意味着 cert-manager 可以看到您已经请求了一个证书,但它还没有一个,因此它需要为您创建(颁发)一个。

As for why the issuance is stuck on the self-check, confirm that retrieving that URL works from inside the cluster, as well as from outside.至于为什么发行卡在自检上,请确认从集群内部检索该 URL 以及从外部检索该 URL 都有效。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 Ingress 中使用 Let's Encrypt 时出错:颁发证书为 Secret 不存在使用 - Error using Let's Encrypt in Ingress:Issuing certificate as Secret does not exist using 更新SSL证书是否需要重新颁发证书? - Does renewing SSL certificate require re-issuing the cert? Firefox何时会使用通配符证书抛出ssl_error_bad_cert_domain? - When does Firefox throw ssl_error_bad_cert_domain with a wildcard certificate? SSL证书的发行速度是什么意思? - What does speed of issuance of SSL Certificate mean? 当我的 CA 证书过期时,为什么 SSLLabs 说我的证书没问题? - Why does SSLLabs say my certificate is fine when my CA's cert is expired? “每个SSL证书需要专用IP”究竟是什么意思? - What exactly does “every SSL certificate requires a dedicated IP” mean? 我自己为我拥有SSL证书的域的子域发布SSL证书 - Issuing SSL certificates myself for subdomains of a domain I have an SSL cert for python中的此ssl错误是什么意思? - what does this ssl error in python mean? “未知SSL协议错误”是什么意思? - What does “Unknown SSL protocol error” mean? 为什么我购买了 SSL 证书后,我网站的不安全版本仍然存在于 Google 上? - Why does the insecure version of my website still exist on Google when I've purchased an SSL certificate?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM