cert-manager HTTP01 certificate challenge is inaccessible when rewrite-target is enabled
We have a dozen services exposed through an ingress-nginx controller in GKE.
To route traffic correctly on the same domain name, we need to use a rewrite-target rule.
The services worked well without any maintenance from their launch in 2019 until recently, when cert-manager suddenly stopped renewing the Let's Encrypt certificates. We "resolved" this by temporarily removing the "tls" section from the ingress definition, forcing our clients to use the HTTP version.
After that, we removed all traces of cert-manager and attempted to set it up from scratch.
Now cert-manager creates the certificate signing request, spawns an ACME HTTP solver pod, and adds it to the ingress. However, when I access its URL, it returns an empty response instead of the expected token.
This has to do with the rewrite-target annotation, which messes up the routing of the ACME challenge. What puzzles me most is that this used to work. (It was set up by a former employee.)
Disabling rewrite-target is unfortunately not an option, because routing would stop working correctly.
Using dns01 won't work because our ISP does not support programmatic changes to the DNS records.
Is there a way to make this work without disabling rewrite-target?
PS: A number of similar cases have been reported on GitHub, but none of them helped.
Here's the definition of my ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: mail@domain.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
Please share the ClusterIssuer or Issuer you are using.
ingressClass
If the ingressClass field is specified, cert-manager will create new Ingress resources in order to route traffic to the acmesolver pods, which are responsible for responding to ACME challenge validation requests.
Ref: https://cert-manager.io/v0.12-docs/configuration/acme/http01/#ingressclass
Usually you never notice the HTTP solver challenge: it appears and is removed again quickly when DNS and HTTP are working fine.
Also, make sure your Ingress doesn't have an SSL-redirect annotation; that could also be one reason the certificates are not being generated.
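As a rough sketch of what checking that annotation could look like, here is an application Ingress with the redirect switched off. The resource name, host, path, backend service, and TLS secret name are all placeholders rather than values from the question, and the rewrite rule is only an assumed example of the kind of rewrite-target in use:

```yaml
# Hypothetical application Ingress; every name and host below is a placeholder.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Assumed rewrite setup; the real rule in the cluster may differ
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    # Do not force HTTP -> HTTPS while the certificate is being issued
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /app(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: example-app
            port:
              number: 80
```

If the annotation is present with the value "true", setting it to "false" for the duration of the issuance is a cheap way to rule the redirect out as a cause.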
Did you try checking the other cert-manager objects, such as the order and the certificate request status? Run kubectl describe challenge: are you getting a 404 there?
If you keep retrying, there is a chance you will hit the Let's Encrypt rate limit for certificate requests.
Troubleshooting: https://cert-manager.io/docs/faq/troubleshooting/#troubleshooting-a-failed-certificate-request
When you configure an Issuer with http01, the default serviceType is NodePort. This suggests the challenge traffic may not even go through the ingress controller. From the docs:
By default, type NodePort will be used when you don't set HTTP01 or when you set serviceType to an empty string. Normally there's no need to change this.
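For reference, serviceType sits under the ingress solver in the issuer spec and sets the type of the Service created in front of the solver pod. A minimal sketch based on the ClusterIssuer from the question; ClusterIP is only an illustrative value here, not a recommendation:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: mail@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
          # Type of the Service in front of the solver pod.
          # NodePort is the default; ClusterIP is shown only as an example.
          serviceType: ClusterIP
```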
I'm not sure what the rest of your setup looks like, but http01 causes the ACME server to make HTTP requests (not HTTPS). You need to make sure your nginx has a listener for HTTP (port 80). The ACME server does follow redirects, so you can listen on HTTP and redirect all traffic to HTTPS; this is legitimate and works.
cert-manager creates an Ingress resource for validation. It directs traffic to the temporary pod. This Ingress has its own set of rules, and you can control it using this setting. You can try to disable or modify the rewrite-target on this resource.
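One knob that fits this description is the solver's ingressTemplate field, assuming a cert-manager version that supports it. It lets you attach labels and annotations to the temporary solver Ingress. The sketch below reuses the ClusterIssuer from the question; the annotation shown is only a stand-in for whatever override your setup actually needs:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: mail@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
          # Metadata applied to the solver Ingress that cert-manager creates
          ingressTemplate:
            metadata:
              annotations:
                # Illustrative override: serve the challenge over plain HTTP
                nginx.ingress.kubernetes.io/ssl-redirect: "false"
```

While a challenge is pending, comparing the annotations on the solver Ingress with those on the application Ingress should show whether a rewrite-target rule is actually being applied to the challenge path.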
Another thing I would try is to access this URL from inside the cluster (bypassing ingress-nginx). If it works directly, then it's an ingress/networking problem; otherwise it's something else.
Please share the relevant nginx and cert-manager logs; they might be useful for debugging or for understanding where the problem lies.