Cert-Manager get certificate, but web browser shows "Kubernetes Ingress Controller Fake Certificate"
I have a problem with a Let's Encrypt certificate in Kubernetes on Azure AKS. It seems to be valid in k8s, but the web browser shows "Kubernetes Ingress Controller Fake Certificate". Following the steps from https://cert-manager.io/docs/troubleshooting/ to describe my state:

kubectl get certificates --all-namespaces
NAMESPACE   NAME         READY   SECRET       AGE
gap         tls-secret   True    tls-secret   5h29m

kubectl get CertificateRequests --all-namespaces
NAMESPACE   NAME               APPROVED   DENIED   READY   ISSUER             REQUESTOR                                          AGE
gap         tls-secret-h8xvm   True                True    letsencrypt-prod   system:serviceaccount:ingress-basic:cert-manager   5h31m

kubectl get clusterissuer --all-namespaces
NAME               READY   AGE
letsencrypt-prod   True    5h45m

kubectl describe clusterissuer letsencrypt-prod
...
Spec:
  Acme:
    Email:            aaa@company.com
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
          Pod Template:
            Metadata:
            Spec:
              Node Selector:
                kubernetes.io/os:  linux
Status:
  Acme:
    Last Registered Email:  aaa@company.com
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXX
  Conditions:
    Last Transition Time:  2022-09-07T15:05:07Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

kubectl get order --all-namespaces
NAMESPACE   NAME                         STATE   AGE
gap         tls-secret-h8xvm-907122039   valid   5h38m

kubectl describe order -n gap tls-secret-h8xvm-907122039
Spec:
  Dns Names:
    my.app.com
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-prod
  Request:  XXXXXXXXX
Status:
  Authorizations:
    Challenges:
      Token:        XXXXXXXXXXX
      Type:         http-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY
    Identifier:     dev01.got-dev.ligenius.app
    Initial State:  valid
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXX
    Wildcard:       false
  Certificate:      XXXXXXX
  Finalize URL:     https://acme-v02.api.letsencrypt.org/acme/finalize/YYY/ZZZ
  State:            valid
  URL:              https://acme-v02.api.letsencrypt.org/acme/order/YYY/ZZZ
Events:             <none>

kubectl get challenges --all-namespaces
No resources found

Is it OK that no challenges exist?

Update 1

Ingress definition

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: XXX-chart
  labels:
    helm.sh/chart: xxx-chart-0.1.0
    app.kubernetes.io/name: xxx-chart
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - "my.app.com"
      secretName: tls-secret
  rules:
    - host: "my.app.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: "yyy-svc"
                port:
                  number: 80
          - ... more path definition

curl -k https://my.app.com/
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

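It looks like ingress nginx returns the default 404 page, but that should not matter for certificate installation. yyy-svc and the other services are up and running.

Kubernetes server 1.22.6
ingress-nginx/controller v1.3.1
cert-manager v1.9.1

Any idea what is misconfigured? Earlier it worked with cert-manager v0.16.1; after upgrading to 1.9.1 and resolving https://github.com/cert-manager/cert-manager/issues/3501 it no longer works.

I found the problem. In the Ingress, the annotation: kubernetes.io/ingress.class: nginx
was missing. I removed it some time ago because of some changes in the cluster, and now it is needed again.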
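
Added example, not part of the original question or answer: a Python check over `kubectl get ingress -A -o json` output that lists TLS Ingresses declaring no ingress class, or a class other than the controller's, which is the state described in the answer above. It assumes the controller only serves Ingresses of class "nginx" (no default IngressClass and no watch-without-class setting); the function names and the sample data are constructed for illustration.

```python
import json

LEGACY_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
# The first item mirrors the Ingress in the question (no class declared).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "gap", "name": "xxx-chart",
   "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
  "spec": {"tls": [{"hosts": ["my.app.com"], "secretName": "tls-secret"}]}},
 {"metadata": {"namespace": "gap", "name": "with-annotation",
   "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {"tls": [{"hosts": ["a.example"], "secretName": "a-tls"}]}},
 {"metadata": {"namespace": "gap", "name": "with-field"},
  "spec": {"ingressClassName": "nginx",
           "tls": [{"hosts": ["b.example"], "secretName": "b-tls"}]}},
 {"metadata": {"namespace": "gap", "name": "other-class"},
  "spec": {"ingressClassName": "internal",
           "tls": [{"hosts": ["c.example"], "secretName": "c-tls"}]}}
]}
""")


def declared_class(ingress):
    """Return the class an Ingress declares (annotation or spec field), else None."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    return annotations.get(LEGACY_ANNOTATION) or ingress.get("spec", {}).get("ingressClassName")


def tls_ingresses_not_served(ingress_list, controller_class="nginx"):
    """List TLS Ingresses that a controller watching `controller_class` will skip."""
    findings = []
    for ing in ingress_list.get("items", []):
        tls = ing.get("spec", {}).get("tls") or []
        if not tls:
            continue  # no TLS block, so no certificate is expected for it
        cls = declared_class(ing)
        if cls == controller_class:
            continue  # the controller picks this one up
        meta = ing["metadata"]
        hosts = [h for entry in tls for h in entry.get("hosts", [])]
        reason = "no ingress class" if cls is None else f"class {cls!r}"
        findings.append((meta.get("namespace"), meta["name"], reason, hosts))
    return findings


if __name__ == "__main__":
    for ns, name, reason, hosts in tls_ingresses_not_served(SAMPLE):
        print(f"{ns}/{name}: {reason}; {hosts} may be served the controller default certificate")
```

Against a live cluster, replace SAMPLE with the parsed output of the kubectl command named above.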