
Cert-Manager gets certificate, but web browser shows "Kubernetes Ingress Controller Fake Certificate"

I have an issue with a certificate from Let's Encrypt in Kubernetes in Azure AKS. It seems to be valid in k8s, but web browsers show "Kubernetes Ingress Controller Fake Certificate". Following the steps from https://cert-manager.io/docs/troubleshooting/ to describe my state:

kubectl get certificates --all-namespaces

NAMESPACE   NAME         READY   SECRET       AGE
gap         tls-secret   True    tls-secret   5h29m

kubectl get CertificateRequests --all-namespaces

NAMESPACE   NAME               APPROVED   DENIED   READY   ISSUER             REQUESTOR                                          AGE
gap         tls-secret-h8xvm   True                True    letsencrypt-prod   system:serviceaccount:ingress-basic:cert-manager   5h31m

kubectl get clusterissuer --all-namespaces

NAME               READY   AGE
letsencrypt-prod   True    5h45m

kubectl describe clusterissuer letsencrypt-prod

...
Spec:
  Acme:
    Email:            aaa@company.com
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
          Pod Template:
            Metadata:
            Spec:
              Node Selector:
                kubernetes.io/os:  linux
Status:
  Acme:
    Last Registered Email:  aaa@company.com
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXX
  Conditions:
    Last Transition Time:  2022-09-07T15:05:07Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

kubectl get order --all-namespaces

NAMESPACE   NAME                         STATE   AGE
gap         tls-secret-h8xvm-907122039   valid   5h38m

kubectl describe order -n gap tls-secret-h8xvm-907122039

Spec:
  Dns Names:
    my.app.com
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-prod
  Request:  XXXXXXXXX
Status:
  Authorizations:
    Challenges:
      Token:        XXXXXXXXXXX
      Type:         http-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY
    Identifier:     dev01.got-dev.ligenius.app
    Initial State:  valid
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXX
    Wildcard:       false
  Certificate:      XXXXXXX
  Finalize URL:     https://acme-v02.api.letsencrypt.org/acme/finalize/YYY/ZZZ
  State:            valid
  URL:              https://acme-v02.api.letsencrypt.org/acme/order/YYY/ZZZ
Events:             <none>

kubectl get challenges --all-namespaces

No resources found

Is it OK that the challenge doesn't exist?


Update 1

Ingress definition

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: XXX-chart
  labels:
    helm.sh/chart: xxx-chart-0.1.0
    app.kubernetes.io/name: xxx-chart
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - "my.app.com"
      secretName: tls-secret
  rules:
    - host: "my.app.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: "yyy-svc"
                port:
                  number: 80
          - ... more path definition

curl -k https://my.app.com/

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

It looks like ingress-nginx returns the default 404 page, but it shouldn't matter for certificate installation. The yyy-svc and other services are up and running.


Kubernetes server 1.22.6

ingress-nginx/controller v1.3.1

cert-manager v1.9.1

Any thoughts on what is misconfigured? Earlier it worked with cert-manager v0.16.1; after upgrading to 1.9.1 and solving https://github.com/cert-manager/cert-manager/issues/3501, it doesn't work anymore.

I found the issue. In the Ingress, the annotation kubernetes.io/ingress.class: nginx was missing. I removed it some time ago because of some changes in the cluster, and now it's needed again.
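
An added example, not from the original post: a Python check over the output of `kubectl get ingress --all-namespaces -o json` that lists TLS hosts on Ingresses declaring neither `spec.ingressClassName` nor the legacy `kubernetes.io/ingress.class` annotation for the controller's class, which is the condition the answer above identified. It assumes the controller is not set up to pick up class-less Ingresses; the function names and the sample JSON are constructed for illustration.

```python
import json

LEGACY_ANNOTATION = "kubernetes.io/ingress.class"

def ingress_class(ing):
    """Class an Ingress declares: spec.ingressClassName, else the legacy annotation."""
    annotations = ing.get("metadata", {}).get("annotations") or {}
    return ing.get("spec", {}).get("ingressClassName") or annotations.get(LEGACY_ANNOTATION)

def unclaimed_tls_hosts(ingress_list_json, controller_class="nginx"):
    """Return (namespace, name, host, secret, declared_class) for every TLS host
    on an Ingress that does not declare controller_class. Such an Ingress is
    skipped by the controller, so the host is answered by the default server
    with its self-signed certificate even though the TLS secret is valid."""
    findings = []
    for ing in json.loads(ingress_list_json).get("items", []):
        declared = ingress_class(ing)
        if declared == controller_class:
            continue
        meta = ing.get("metadata", {})
        for tls in ing.get("spec", {}).get("tls") or []:
            for host in tls.get("hosts") or []:
                findings.append((meta.get("namespace", "default"), meta.get("name"),
                                 host, tls.get("secretName"), declared))
    return findings

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
# The first item mirrors the Ingress in the question (no class declared).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "gap", "name": "xxx-chart",
                  "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["my.app.com"], "secretName": "tls-secret"}]}},
    {"metadata": {"namespace": "gap", "name": "legacy-annotated",
                  "annotations": {LEGACY_ANNOTATION: "nginx"}},
     "spec": {"tls": [{"hosts": ["a.example.test"], "secretName": "a-tls"}]}},
    {"metadata": {"namespace": "gap", "name": "class-field"},
     "spec": {"ingressClassName": "nginx",
              "tls": [{"hosts": ["b.example.test"], "secretName": "b-tls"}]}},
]})

if __name__ == "__main__":
    for ns, name, host, secret, declared in unclaimed_tls_hosts(SAMPLE):
        print(f"{ns}/{name}: host {host} (secret {secret}) declares class "
              f"{declared!r}; expect the controller's default certificate")
```

Because `curl -k` skips certificate verification, it will not reveal this condition; compare the served certificate's subject and issuer instead.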
