k8s Unable to generate Let's Encrypt Certificates for GoDaddy Domains using cert-manager
I manage my DNS with GoDaddy, and I want to generate Let's Encrypt certificates for my Kubernetes deployment. However, trying to generate a certificate produces an error:
I0728 17:31:12.123952 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="XXXX" "domain"="XXX" "resource_kind"="Challenge" "resource_name"="letsencrypt-staging-bflxn-153714257-3821133841" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"
E0728 17:31:12.129511 1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="godaddy.acme.mycompany.com is forbidden: User \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"godaddy\" in API group \"acme.mycompany.com\" at the cluster scope" "key"="default/letsencrypt-staging-bflxn-153714257-3821133841"
I believe the core of the problem is what the groupName and solver of my ClusterIssuer should be.
secret.yml

apiVersion: v1
kind: Secret
metadata:
  name: godaddy-api-key
  namespace: cert-manager
type: Opaque
stringData:
  token: GO_DADDY_KEY:GO_DADDY_SECRET
issuer.yml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: XXXX
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - selector:
        dnsNames:
        - '*.company.com'
      dns01:
        webhook:
          config:
            apiKeySecretRef:
              name: godaddy-api-key
              key: token
            production: true
            ttl: 600
          groupName: acme.mycompany.com
          solverName: godaddy
Note: I tried different permutations of groupName, including using a unique domain, but without success.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: letsencrypt-staging
spec:
  secretName: letsencrypt-staging
  renewBefore: 240h
  dnsNames:
  - "*.company.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
But the certificate is never generated:
$ k get certificate letsencrypt-staging
NAME                  READY   SECRET                AGE
letsencrypt-staging   False   letsencrypt-staging   8m27s
I am using this webhook: https://github.com/snowdrop/godaddy-webhook
I ran into this problem too. I fixed it by adding the missing ClusterRole and ClusterRoleBinding. This is the manifest that solved it for me.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dns-challenge-missing-role
rules:
  # The webhook solver's API group (the groupName from the ClusterIssuer), not the core API group
  - apiGroups: ["acme.mycompany.com"]
    # The resource name is the solverName; the error above only showed "create" being denied,
    # so "*" is broader than the log line requires
    resources: ["godaddy"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dns-challenge-missing-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dns-challenge-missing-role
subjects:
  # The service account named in the "is forbidden" error
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
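To see why the manifest above works and to grant no more than the log line asks for, here is an added example (not from the question, the answer, or the godaddy-webhook project) that parses the cert-manager "is forbidden" error, derives the denied service account, verb, resource and API group, and builds a ClusterRole limited to that single verb together with the kubectl check to run before and after applying it. The log line is a constructed copy of the one in the question; the role name is an assumption.

```python
"""Derive a least-privilege RBAC fix from a cert-manager 'forbidden' log line."""
import json
import re

# Constructed sample: the error line from the question, with the escaped quotes
# cert-manager prints inside its "error"="..." field.
SAMPLE_LOG = (
    'E0728 17:31:12.129511 1 controller.go:163] cert-manager/controller/challenges '
    '"msg"="re-queuing item due to error processing" '
    '"error"="godaddy.acme.mycompany.com is forbidden: User '
    '\\"system:serviceaccount:cert-manager:cert-manager\\" cannot create resource '
    '\\"godaddy\\" in API group \\"acme.mycompany.com\\" at the cluster scope"'
)

# Shape of the Kubernetes RBAC denial embedded in the cert-manager error field.
FORBIDDEN_RE = re.compile(
    r'is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource '
    r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]+)" at the cluster scope'
)


def parse_forbidden(line):
    """Return the denied subject/verb/resource/group, or None if the line is not a denial."""
    m = FORBIDDEN_RE.search(line.replace('\\"', '"'))  # undo cert-manager's quote escaping
    if not m or not m["user"].startswith("system:serviceaccount:"):
        return None
    ns, name = m["user"].split(":")[2:4]  # system:serviceaccount:<namespace>:<name>
    return {"namespace": ns, "name": name, "verb": m["verb"],
            "resource": m["resource"], "group": m["group"]}


def rbac_fix(info, role_name="cert-manager-webhook-solver"):  # role_name is an assumption
    """ClusterRole granting only the denied verb on the denied resource, plus its binding."""
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": role_name},
            "rules": [{"apiGroups": [info["group"]], "resources": [info["resource"]],
                       "verbs": [info["verb"]]}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
               "metadata": {"name": role_name},
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                           "name": role_name},
               "subjects": [{"kind": "ServiceAccount", "name": info["name"],
                             "namespace": info["namespace"]}]}
    return role, binding


def can_i_command(info):
    """kubectl check that should print 'no' before the fix and 'yes' after it."""
    return (f"kubectl auth can-i {info['verb']} {info['resource']}.{info['group']} "
            f"--as=system:serviceaccount:{info['namespace']}:{info['name']}")


if __name__ == "__main__":
    denied = parse_forbidden(SAMPLE_LOG)
    print(can_i_command(denied))
    for doc in rbac_fix(denied):
        print("---\n" + json.dumps(doc, indent=2))  # JSON is valid YAML for kubectl apply
```

If cert-manager later logs a denial for a different verb on the same resource, re-run the script on that line and add the extra verb rather than falling back to `"*"`.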