Cert-Manager gets certificate, but web browser shows "Kubernetes Ingress Controller Fake Certificate"

I have a problem with a Let's Encrypt certificate in Kubernetes on Azure AKS. It seems to be valid in k8s, but the web browser shows "Kubernetes Ingress Controller Fake Certificate". Following the steps at https://cert-manager.io/docs/troubleshooting/, here is my state:

kubectl get certificates --all-namespaces

NAMESPACE   NAME         READY   SECRET       AGE
gap         tls-secret   True    tls-secret   5h29m

kubectl get CertificateRequests --all-namespaces

NAMESPACE   NAME               APPROVED   DENIED   READY   ISSUER             REQUESTOR                                          AGE
gap         tls-secret-h8xvm   True                True    letsencrypt-prod   system:serviceaccount:ingress-basic:cert-manager   5h31m

kubectl get clusterissuer --all-namespaces

NAME               READY   AGE
letsencrypt-prod   True    5h45m

kubectl describe clusterissuer letsencrypt-prod

...
Spec:
  Acme:
    Email:            aaa@company.com
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
          Pod Template:
            Metadata:
            Spec:
              Node Selector:
                kubernetes.io/os:  linux
Status:
  Acme:
    Last Registered Email:  aaa@company.com
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXX
  Conditions:
    Last Transition Time:  2022-09-07T15:05:07Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

kubectl get order --all-namespaces

NAMESPACE   NAME                         STATE   AGE
gap         tls-secret-h8xvm-907122039   valid   5h38m

kubectl describe order -n gap tls-secret-h8xvm-907122039

Spec:
  Dns Names:
    my.app.com
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-prod
  Request:  XXXXXXXXX
Status:
  Authorizations:
    Challenges:
      Token:        XXXXXXXXXXX
      Type:         http-01
      URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY
    Identifier:     dev01.got-dev.ligenius.app
    Initial State:  valid
    URL:            https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXX
    Wildcard:       false
  Certificate:      XXXXXXX
  Finalize URL:     https://acme-v02.api.letsencrypt.org/acme/finalize/YYY/ZZZ
  State:            valid
  URL:              https://acme-v02.api.letsencrypt.org/acme/order/YYY/ZZZ
Events:             <none>

kubectl get challenges --all-namespaces

No resources found

Is it OK that no challenges exist?


Update 1

Ingress definition

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: XXX-chart
  labels:
    helm.sh/chart: xxx-chart-0.1.0
    app.kubernetes.io/name: xxx-chart
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - "my.app.com"
      secretName: tls-secret
  rules:
    - host: "my.app.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: "yyy-svc"
                port:
                  number: 80
          - ... more path definition

curl -k https://my.app.com/

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

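It looks like ingress nginx returns the default 404 page, but that should not matter for the certificate installation. yyy-svc and the other services are up and running.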


Kubernetes server 1.22.6

ingress-nginx/controller v1.3.1

cert-manager v1.9.1

Any idea what is misconfigured? Earlier it worked with cert-manager v0.16.1; after upgrading to 1.9.1 and resolving https://github.com/cert-manager/cert-manager/issues/3501 it no longer works.

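I found the problem. In the Ingress, the annotation kubernetes.io/ingress.class: nginx was missing. I removed it some time ago because of some changes in the cluster, and now it is needed again.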
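
A check for the condition found in the answer, as an added example that is not part of the original post: it reads the JSON produced by `kubectl get ingress -A -o json` and reports TLS-enabled Ingresses that declare no class through either the `kubernetes.io/ingress.class` annotation or the `spec.ingressClassName` field of networking.k8s.io/v1. The function names, the sample list and the class name `internal` are constructed for illustration; the expected class `nginx` is the one shown in the ClusterIssuer solver above.

```python
import json
import sys

CLASS_ANNOTATION = "kubernetes.io/ingress.class"

def declared_class(ing):
    """Class from spec.ingressClassName or the legacy annotation, else None."""
    annotations = ing.get("metadata", {}).get("annotations") or {}
    return ing.get("spec", {}).get("ingressClassName") or annotations.get(CLASS_ANNOTATION)

def audit(ingress_list, expected_class="nginx"):
    """Return (namespace/name, problem, tls_hosts) for each suspect TLS Ingress."""
    findings = []
    for ing in ingress_list.get("items", []):
        tls = ing.get("spec", {}).get("tls") or []
        if not tls:
            continue  # no TLS requested, so no certificate is expected here
        meta = ing.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        hosts = sorted({h for entry in tls for h in entry.get("hosts") or []})
        cls = declared_class(ing)
        if cls is None:
            findings.append((ref, "no-class", hosts))
        elif cls != expected_class:
            findings.append((ref, f"class={cls}", hosts))
    return findings

def _ingress(name, annotations=None, class_name=None):
    """Build a constructed Ingress shaped like the one in the question."""
    spec = {"tls": [{"hosts": ["my.app.com"], "secretName": "tls-secret"}]}
    if class_name:
        spec["ingressClassName"] = class_name
    return {"metadata": {"name": name, "namespace": "gap",
                         "annotations": annotations or {}}, "spec": spec}

ISSUER = {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
# Constructed sample, not captured cluster output.
SAMPLE = {"items": [
    _ingress("xxx-chart", ISSUER),  # as posted: issuer annotation but no class
    _ingress("fixed-annotation", {**ISSUER, CLASS_ANNOTATION: "nginx"}),
    _ingress("fixed-field", ISSUER, class_name="nginx"),
    _ingress("other-controller", ISSUER, class_name="internal"),
]}

if __name__ == "__main__":
    # Real data: kubectl get ingress -A -o json | python3 check.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for ref, problem, hosts in audit(data):
        print(f"{ref}: {problem}; TLS hosts {hosts}")
```

An empty report covers only the missing-class case from the answer; it does not rule out other reasons for the controller serving its default certificate.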
