
Cert-manager stopped renewing Let's Encrypt certificates after upgrading to AKS 1.20.7

Our AKS cluster is configured to renew Let's Encrypt certificates automatically through the Ingress cert-manager annotation, and this worked fine until we upgraded to AKS 1.20.7. Then it stopped working and certificates started expiring without being renewed. I double-checked all the changes to the K8S and cert-manager APIs and reviewed all the YAML, but I don't see any obvious error. Would appreciate any pointers.

My understanding is that as long as I add "cert-manager.io/cluster-issuer: letsencrypt-prod-p9v2" to my Ingress, the whole renewal should happen automatically, but it doesn't.

> kubectl cert-manager version
util.Version{GitVersion:"v1.4.0", GitCommit:"5e2a6883c1202739902ac94b5f4884152b810925", GitTreeState:"clean", GoVersion:"go1.16.2", Compiler:"gc", Platform:"linux/amd64"}

AKS version: 1.20.7

cat shipit-ingress-p9v2.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod-p9v2
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 15m
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.org/client-max-body-size: 15m
  generation: 4
  name: shipit-ingress-p9v2
  namespace: supplier
  resourceVersion: "147087245"
  uid: 6751dbff-83b1-48a1-a467-e75cc843ee79
spec:
  rules:
  - host: xxx.westeurope.cloudapp.azure.com
    http:
      paths:
      - backend:
          service:
            name: planet9v2
            port:
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - xxx.westeurope.cloudapp.azure.com
    secretName: tls-secret-p9v2
status:
  loadBalancer:
    ingress:
    - ip: 10.240.0.5

>>kubectl get clusterissuer -o yaml letsencrypt-prod-p9v2
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  annotations:
  creationTimestamp: "2020-05-29T13:31:10Z"
  generation: 2
  name: letsencrypt-prod-p9v2
  resourceVersion: "25493731"
  uid: 0e0e46f5-4cdf-42ea-a022-2dfe9ed56ad8
spec:
  acme:
    email: xxx
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
status:
  acme:
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/76984529
  conditions:
  - lastTransitionTime: "2020-05-29T13:31:11Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready


>>kubectl cert-manager inspect secret tls-secret-p9v2
...
Debugging:
        Trusted by this computer:       no: x509: certificate has expired or is not yet valid: current time 2021-08-24T07:03:32Z is after 2021-08-22T06:40:20Z
        CRL Status:     No CRL endpoints set
        OCSP Status:    Cannot check OCSP: error reading OCSP response: ocsp: error from server: unauthorized



kubectl describe secret tls-secret-p9v2
Name:         tls-secret-p9v2
Namespace:    supplier
Labels:       certmanager.k8s.io/certificate-name=tls-secret-p9v2
Annotations:  certmanager.k8s.io/alt-names: shipit-dev-p9v2.westeurope.cloudapp.azure.com
              certmanager.k8s.io/common-name: shipit-dev-p9v2.westeurope.cloudapp.azure.com
              certmanager.k8s.io/ip-sans:
              certmanager.k8s.io/issuer-kind: ClusterIssuer
              certmanager.k8s.io/issuer-name: letsencrypt-prod-p9v2

Type:  kubernetes.io/tls

Data
====
tls.key:  1679 bytes
ca.crt:   0 bytes
tls.crt:  5672 bytes


kubectl get order
NAME                         STATE   AGE
tls-secret-p9v2-4123722043   valid   24d

[(⎈ |shipit-k8s-dev:supplier)]$ k describe order tls-secret-p9v2-4123722043
Name:         tls-secret-p9v2-4123722043
Namespace:    supplier
Labels:       acme.cert-manager.io/certificate-name=tls-secret-p9v2
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Order
Metadata:
  Creation Timestamp:  2021-07-31T04:12:42Z
  Generation:          4
  Managed Fields:
    API Version:  certmanager.k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .:
          f:acme.cert-manager.io/certificate-name:
        f:ownerReferences:
          .:
          k:{"uid":"a1dec741-0fe7-42be-99d2-176c3d4cdf38"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:config:
        f:csr:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
      f:status:
        .:
        f:certificate:
        f:challenges:
        f:finalizeURL:
        f:state:
        f:url:
    Manager:    jetstack-cert-manager
    Operation:  Update
    Time:       2021-07-31T04:13:09Z
  Owner References:
    API Version:           certmanager.k8s.io/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  tls-secret-p9v2
    UID:                   a1dec741-0fe7-42be-99d2-176c3d4cdf38
  Resource Version:        143545958
  UID:                     a646985b-6d44-4c99-bb39-ceb6c4919047
Spec:
  Config:
    Domains:
      shipit-dev-p9v2.westeurope.cloudapp.azure.com
    http01:
      Ingress Class:  nginx
  Csr:                ...
  Dns Names:
    shipit-dev-p9v2.westeurope.cloudapp.azure.com
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-prod-p9v2
Status:
  Certificate:  LS0tLS1CRUdJTiBDRVJUSUZJ.....
  Challenges:
    Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/17660284180
    Config:
      http01:
        Ingress Class:  nginx
    Dns Name:           shipit-dev-p9v2.westeurope.cloudapp.azure.com
    Issuer Ref:
      Kind:      ClusterIssuer
      Name:      letsencrypt-prod-p9v2
    Key:         AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4.mIcOL5pBlkZJSpSUslpjJTC_hFunxNRCEA82VcfFAHE
    Token:       AxP1pv5I087QVyKXIkGyT5pqlD4Aa-UYmJHAOgzHPu4
    Type:        http-01
    URL:         https://acme-v02.api.letsencrypt.org/acme/chall-v3/17660284180/Sh057Q
    Wildcard:    false
  Finalize URL:  https://acme-v02.api.letsencrypt.org/acme/finalize/75003870/13444902230
  State:         valid
  URL:           https://acme-v02.api.letsencrypt.org/acme/order/75003870/13444902230
Events:          <none>

I had the same problem, and updating the cert-manager version fixed it.

I'm not on AKS but on GKE, and I upgraded to cert-manager version 1.5.

The currently supported versions are the 1.5 and 1.6 releases. Please refer to this document.

As I understand it, cert-manager dropped support for older versions and only supports the latest 2 versions.

I upgraded to 1.5 and the problem was resolved.

In my case, the issuer YAML file had to be updated. Before updating, I had to change the apiVersion to cert-manager.io/v1. After applying the issuer YAML file, my certificates renewed automatically.
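The question's Ingress annotation (`certmanager.k8s.io/cluster-issuer`) and ClusterIssuer (`certmanager.k8s.io/v1alpha1`) still use the API group that cert-manager replaced with `cert-manager.io` when it renamed its API group from v0.11 onward, which is the same mismatch the answer above fixed by changing the issuer's apiVersion. The shell script below is an added example, not code from the thread or from the cert-manager project: it counts leftover references to the old group in a manifest, rewrites annotation and label keys, renders the `cert-manager.io/v1` form of the question's ClusterIssuer with an explicit `solvers` entry, and reads the expiry date out of the TLS Secret. The sample manifest, the e-mail address and the `demo` argument are constructed for the example; the last helper assumes `kubectl`, `base64` and `openssl` are installed and the cluster is reachable.

```shell
#!/bin/sh
# Added example, not code from the original thread. It audits manifests for
# the pre-rename `certmanager.k8s.io` API group / annotation prefix that the
# question's Ingress, Secret labels and ClusterIssuer still carry, rewrites
# the annotation keys, and renders the cert-manager.io/v1 form of the
# ClusterIssuer. Assumes only POSIX sh, grep, sed and (for the last helper)
# kubectl, base64 and openssl.

# Constructed sample: the annotation block of the question's Ingress,
# trimmed to the fields that matter for the migration.
SAMPLE_INGRESS='apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod-p9v2
    kubernetes.io/ingress.class: nginx
  name: shipit-ingress-p9v2
  namespace: supplier'

# count_deprecated_refs: number of lines on stdin that still reference the
# old API group or annotation prefix. Prints 0 (and exits 0) when clean.
count_deprecated_refs() {
  grep -c 'certmanager\.k8s\.io/' || true
}

# migrate_annotation_keys: rewrite deprecated annotation/label keys on stdin
# to the cert-manager.io form, e.g.
#   certmanager.k8s.io/cluster-issuer -> cert-manager.io/cluster-issuer
# apiVersion lines are deliberately left alone: objects such as the
# ClusterIssuer changed schema when they moved to cert-manager.io/v1, so a
# prefix swap would not produce a valid object (see render_v1_clusterissuer).
migrate_annotation_keys() {
  sed '/^ *apiVersion:/!s#certmanager\.k8s\.io/#cert-manager.io/#g'
}

# render_v1_clusterissuer NAME EMAIL KEY_SECRET INGRESS_CLASS
# Emit the cert-manager.io/v1 equivalent of the question's v1alpha1
# ClusterIssuer: the bare `http01: {}` entry becomes an item under
# spec.acme.solvers with the ingress class spelled out.
render_v1_clusterissuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  acme:
    email: $2
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: $3
    solvers:
    - http01:
        ingress:
          class: $4
EOF
}

# secret_cert_enddate NAMESPACE SECRET
# Print the notAfter date of the leaf certificate stored in a
# kubernetes.io/tls Secret, the same date `kubectl cert-manager inspect
# secret` reported as expired in the question. Needs cluster access, so it
# is not exercised in the demo below.
secret_cert_enddate() {
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d \
    | openssl x509 -noout -enddate
}

# Usage when run as `sh audit.sh demo`: audit the sample, show the rewrite
# and the migrated issuer. Against a live cluster, replace the sample with
#   kubectl get ingress,clusterissuer -A -o yaml | count_deprecated_refs
if [ "${1:-}" = "demo" ]; then
  echo "deprecated references: $(printf '%s\n' "$SAMPLE_INGRESS" | count_deprecated_refs)"
  printf '%s\n' "$SAMPLE_INGRESS" | migrate_annotation_keys
  render_v1_clusterissuer letsencrypt-prod-p9v2 admin@example.com letsencrypt-prod nginx
fi
```

The rewrite is a plain text substitution, so review its diff before applying it, and recreate objects whose `apiVersion` still names the old group (the ClusterIssuer and its Orders) from the rendered v1 manifest rather than editing them in place.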
