
SSL Certificates on Kubernetes Using ACME

I have been following this tutorial: https://cert-manager.io/docs/ . After I installed cert-manager and made sure the pods were running with kubectl get pods --namespace cert-manager,

cert-manager-5597cff495-l5hjs             1/1     Running   0          91m
cert-manager-cainjector-bd5f9c764-xrb2t   1/1     Running   0          91m
cert-manager-webhook-5f57f59fbc-q5rqs     1/1     Running   0          91m

I then configured cert-manager with an ACME issuer, following this tutorial: https://cert-manager.io/docs/configuration/acme/

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: aidenhsy@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx

Here is my complete ingress configuration file:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-srv
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
  rules:
    - host: www.hyhaus.xyz
      http:
        paths:
          - path: /api/?(.*)
            backend:
              serviceName: devback-srv
              servicePort: 4000
          - path: /?(.*)
            backend:
              serviceName: devfront-srv
              servicePort: 3000
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    service.beta.kubernetes.io/do-loadbalancer-hostname: 'www.hyhaus.xyz'
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: aidenhsy@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx

However, when I browse to my site, the browser warns that my computer's operating system does not trust the site's security certificate. When I inspect the certificate it shows up as self-signed, which is not really what I want. Am I doing something wrong here?

This is the placeholder certificate served by the nginx ingress controller. When you see it, it means the endpoint has no other (dedicated) certificate.

The first reason this happens is that your Ingress does not contain the required data. Update it with this:

metadata:
  annotations:
    # which issuer to use
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls: # placing a host in TLS config indicates that a certificate should be created
  - hosts:
    - example.org
    - www.example.org
    - xyz.example.org
    secretName: myingress-cert # cert-manager will store the created certificate in this secret

The documentation for the Ingress object is here.

If the above does not help, try the troubleshooting steps provided by the docs. In my experience, in most cases checking the CertificateRequest and Certificate resources is enough to identify the problem.

$ kubectl get certificate
$ kubectl describe certificate <certificate-name>
$ kubectl get certificaterequest
$ kubectl describe certificaterequest <CertificateRequest name>

Remember that these objects are namespaced, meaning they will live in the same namespace as the ingress object.

To secure the Ingress, first you must add the ClusterIssuer to your Ingress resource; cert-manager will then pick it up and create the Certificate resource for you.

kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: nameOfClusterIssuer

Second, you must add tls <= this tells cert-manager to create the certificate (key/cert pair) through the ClusterIssuer.

Third, you must add secretName: myingress here <= cert-manager will store the TLS secret there (after creating the key/cert pair and storing them for you).
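As an added example (not code from either answer), here is a small Python audit that applies the checks from both answers to the Ingress from the question: it reports a missing cert-manager.io/cluster-issuer annotation, a missing spec.tls block or secretName, and any rule host that no tls entry covers (that host keeps getting the placeholder certificate). It also flags an issuer whose ACME server is the Let's Encrypt staging endpoint used in the question, because staging certificates are signed by a test CA that browsers reject just like the placeholder. The manifests are embedded as dicts mirroring the YAML above, and the secret name ingress-srv-cert is an assumed value.

```python
# Added example (not from the original post): audit an Ingress manifest for
# what cert-manager needs before it will request a browser-trusted certificate.

# Issuer name -> ACME server URL, taken from the ClusterIssuer above.
ISSUERS = {"letsencrypt-staging": "https://acme-staging-v02.api.letsencrypt.org/directory"}

# The Ingress as posted in the question: no issuer annotation, no tls block.
QUESTION_INGRESS = {
    "metadata": {"name": "ingress-srv",
                 "annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "spec": {"rules": [{"host": "www.hyhaus.xyz"}]},
}

# The same Ingress with the additions the answers describe (secretName assumed).
FIXED_INGRESS = {
    "metadata": {"name": "ingress-srv",
                 "annotations": {"kubernetes.io/ingress.class": "nginx",
                                 "cert-manager.io/cluster-issuer": "letsencrypt-staging"}},
    "spec": {"rules": [{"host": "www.hyhaus.xyz"}],
             "tls": [{"hosts": ["www.hyhaus.xyz"], "secretName": "ingress-srv-cert"}]},
}


def audit_ingress(ingress, issuers=None):
    """Return a list of findings; an empty list means cert-manager can issue
    a certificate for every host and browsers will trust it."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})
    issuer = ann.get("cert-manager.io/cluster-issuer") or ann.get("cert-manager.io/issuer")
    if issuer is None:
        findings.append("no cert-manager.io/cluster-issuer (or issuer) annotation")
    elif "acme-staging" in (issuers or {}).get(issuer, ""):
        # Staging certificates come from a test CA; browsers reject them too.
        findings.append(f"issuer {issuer} points at the ACME staging server")
    tls = spec.get("tls") or []
    if not tls:
        findings.append("spec.tls missing: cert-manager will not create a Certificate")
    covered = set()
    for entry in tls:
        if not entry.get("secretName"):
            findings.append("tls entry without secretName")
        covered.update(entry.get("hosts") or [])
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in covered:
            findings.append(f"host {host} not in any tls entry; placeholder cert stays")
    return findings
```

Call audit_ingress(QUESTION_INGRESS, ISSUERS) to see the three problems in the posted manifest; the fixed manifest passes except for the staging-server finding, which goes away once the ClusterIssuer points at the production ACME directory.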
