
k8s Unable to generate Let's Encrypt Certificates for GoDaddy Domains using cert-manager

I manage my DNS with GoDaddy and I want to generate Let's Encrypt certificates for my kubernetes deployment. However, trying to generate the certificate produces an error:

I0728 17:31:12.123952       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="XXXX" "domain"="XXX" "resource_kind"="Challenge" "resource_name"="letsencrypt-staging-bflxn-153714257-3821133841" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01" 
E0728 17:31:12.129511       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="godaddy.acme.mycompany.com is forbidden: User \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"godaddy\" in API group \"acme.mycompany.com\" at the cluster scope" "key"="default/letsencrypt-staging-bflxn-153714257-3821133841" 

I believe the core of this problem is what the groupName and solver of my ClusterIssuer should be.

secret.yml

apiVersion: v1
kind: Secret
metadata:
  name: godaddy-api-key
  namespace: cert-manager
type: Opaque
stringData:
  token: GO_DADDY_KEY:GO_DADDY_SECRET

issuer.yml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: XXXX
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - selector:
          dnsNames:
          - '*.company.com'
        dns01:
          webhook:
            config:
              apiKeySecretRef:
                name: godaddy-api-key
                key: token
              production: true
              ttl: 600
            groupName: acme.mycompany.com
            solverName: godaddy

Note: I tried different permutations of groupName, including using a unique domain, but without success.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: letsencrypt-staging
spec:
  secretName: letsencrypt-staging
  renewBefore: 240h
  dnsNames:
    - "*.company.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

But the certificate is never generated:

$ k get certificate letsencrypt-staging 
NAME                  READY   SECRET                AGE
letsencrypt-staging   False   letsencrypt-staging   8m27s

I am using this webhook: https://github.com/snowdrop/godaddy-webhook

I also ran into this problem. I fixed it by adding the missing ClusterRole and ClusterRoleBinding. Here is the manifest that resolved it for me.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dns-challenge-missing-role
rules:
- apiGroups: ["acme.mycompany.com"] # must match groupName in the ClusterIssuer's webhook solver
  resources: ["godaddy"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dns-challenge-missing-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dns-challenge-missing-role
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
