[英]k8s Unable to generate Let's Encrypt Certificates for GoDaddy Domains using cert-manager
我使用 GoDaddy 管理我的 DNS,我希望为我的 kubernetes 部署生成 Lets Encrypt 证书。 但是,尝试生成证书会产生错误
I0728 17:31:12.123952 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="XXXX" "domain"="XXX" "resource_kind"="Challenge" "resource_name"="letsencrypt-staging-bflxn-153714257-3821133841" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"
E0728 17:31:12.129511 1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="godaddy.acme.mycompany.com is forbidden: User \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"godaddy\" in API group \"acme.mycompany.com\" at the cluster scope" "key"="default/letsencrypt-staging-bflxn-153714257-3821133841"
我相信这个问题的核心是我的ClusterIssuer的groupName和solver应该是什么。
secret.yml
apiVersion: v1
kind: Secret
metadata:
name: godaddy-api-key
namespace: cert-manager
type: Opaque
stringData:
token: GO_DADDY_KEY:GO_DADDY_SECRET
issuer.yml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: XXXX
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- selector:
dnsNames:
- '*.company.com'
dns01:
webhook:
config:
apiKeySecretRef:
name: godaddy-api-key
key: token
production: true
ttl: 600
groupName: acme.mycompany.com
solverName: godaddy
注意:我尝试了 groupName 的不同排列,包括使用唯一域但没有成功
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: letsencrypt-staging
spec:
secretName: letsencrypt-staging
renewBefore: 240h
dnsNames:
- "*.company.com"
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
但是永远不会生成证书
$ k get certificate letsencrypt-staging
NAME READY SECRET AGE
letsencrypt-staging False letsencrypt-staging 8m27s
我正在使用这个 webhook https://github.com/snowdrop/godaddy-webhook
我也遇到了这个问题。 我通过添加缺少的ClusterRole和ClusterRolebinding来修复它。 这是为我解决问题的清单。
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dns-challenge-missing-role
rules:
- apiGroups: ["acme.mycompany.com"] # "" indicates the core API group
resources: ["godaddy"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-challenge-missing-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dns-challenge-missing-role
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
是否可以在多个 K8S 集群中使用通过 cert-manager (Lets Encrypt) 生成的通配符证书
[英]Is it possible to use a wildcard certificate generated via cert-manager (Lets Encrypt) in multiple K8S clusters
如何使用来自 Let's Encrypt 的通配符证书和 cert-manager
[英]How to use Wildcard certificates from Let’s Encrypt with cert-manager
证书管理器在升级到 AKS 1.20.7 后停止更新 Let'S Encrypt 证书
[英]Cert-manager stopped renewing Let'S Encrypt certificates after upgrading to AKS 1.20.7
通配符让我们使用 cert-manager、nginx 入口、kubernetes 中的 cloudflare 加密证书如何解决?
[英]Wildcard Let's Encrypt certificates with cert-manager, nginx ingress, cloudflare in kubernetes how to fix?
SSL 证书来自 Let's Encrypt 在您的 Kubernetes Ingress via cert-manager
[英]SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager
使用Cert-Manager,NGINX Ingress和Let's Encrypt为Kubernetes服务配置TLS / SSL
[英]Configure TLS/SSL for Kubernetes Services using Cert-Manager, NGINX Ingress and Let’s Encrypt
使用 Let's encrypt as CA 通过证书管理器通过证书更新创建 JKS
[英]JKS creation with every certificate renewal through cert-manager using Let's encrypt as CA
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.