[英]404 challenge response with cert-manager and Traefik ingress
美好的一天,我是 kubernetes 的新手,并尝试设置我的第一个环境。 我想遵循方案:
192.168.0.10
)中的服务器。 在 IIS 我有 URL 重写模块,它充当反向代理我已经设置了 k8s 集群,部署了v1.7
( v1.7 ) 入口并配置它们以进行加密(设置http->https
重定向,设置 acme 挑战)。 这工作正常 - 我可以从 LAN 或 WAN 观察它,并且没有关于证书的警告 - 我看到绿色锁。 现在我部署服务(在我的例子中是 graylog)。 再次 - 我可以从 LAN 和 WAN 观察它,但在这种情况下,我看到有关证书的警告(它是由TRAEFIK_DEFAULT_CERT
颁发的)。 看到这个后,我尝试搜索更多信息,发现我需要 cert-manager。 我部署了 cert-manager,创建了让我们加密颁发者(具有 ClusterIssuer 角色),但随后我尝试颁发证书我收到以下错误(在挑战描述中找到):
Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
我的 traefik 配置图:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-conf
namespace: kube-system
data:
traefik.toml: |
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "mymail@example.xyz"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "my-public-domain.com"
我也尝试在那里使用通配符:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-conf
namespace: kube-system
data:
traefik.toml: |
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "mymail@example.xyz"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "*.my-public-domain.com"
sans = ["my-public-domain.com"]
我的集群发行者:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-dev
spec:
acme:
email: mymail@example.xyz
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: example-issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: traefik
还有我的测试证书:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
renewBefore: 360h # 15d
commonName: logger.my-public-domain.com
dnsNames:
- logger.my-public-domain.com
issuerRef:
name: letsencrypt-dev
kind: ClusterIssuer
我有通配符域的 DNS 条目并且可以 ping 它
我的证书卡在 state OrderCreated
中:
Status:
Conditions:
Last Transition Time: 2019-10-08T09:40:30Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 47m cert-manager Created Order resource "example-com-3213698372"
订单卡在 state Created
:
Status:
Challenges:
Authz URL: <url>
Dns Name: logger.my-public-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-dev
Key: <key>
Solver:
http01:
Ingress:
Class: traefik
Token: <token>
Type: http-01
URL: <url>
Wildcard: false
Finalize URL: <url>
State: pending
URL: <url>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 48m cert-manager Created Challenge resource "example-com-3213698372-0" for domain "logger.my-public-domain.com"
最后,通过挑战:
Spec:
Authz URL: <url>
Dns Name: logger.my-public-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-dev
Key: <key>
Solver:
http01:
Ingress:
Class: traefik
Token: <token>
Type: http-01
URL: <url>
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 55m cert-manager Challenge scheduled for processing
Normal Presented 55m cert-manager Presented challenge using http-01 challenge mechanism
我看到有 404 响应,但我不明白它的原因。 在我的 IIS 上,我有以下重写规则:让我们加密绕过 - 所有与 .well .well-known/*
匹配的 url 都重写为 kubernetes 主机。 http to https - all url not matched by let's encrypt redirected to https sub-domain redirect - all subdomains request rewrited to kubernetes.
在我的局域网中,我有自己的 DNS 服务器,来自my-public-domain.com
所有域都映射到内部地址,所以我可以将公共主机名logger.my-public-domain.com (xxxx)
logger.my-public-domain.com (192.168.0.y)
到内部地址logger.my-public-domain.com (192.168.0.y)
。
在挑战活动期间,我在 traefik 仪表板中看到了新的后端和前端。
也许我误解了它应该如何工作,但我希望 cert-manager 使用 let's encrypt 颁发证书,我可以观察我的服务。
在您的traefik.toml
ConfigMap 中,您将重定向到 HTTPS:
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
使用kubectl edit configmap -n kube-system traefik
删除该替换,保存更改,然后重新启动 Traefik pod。 那么你应该对 go 很好。 使用 Ingress 管理带有注释的重定向,而不是将它们放在 Traefik 配置中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.