我有一个带有 Nginx Ingress 的自托管 Kubernetes 集群。Cert-manager 也在集群上运行,我尝试使用 Letsencrypt 获取有效的 SSL 证书。一切正常,我获得了 example.com、www.example.com或 app1.example.com 的有效证书,但不适用于通用通配符 *.example.com。如果我尝试以任何方式在 sec.tls.hosts 下的入口中输入通配符,则不会为我生成证书。我得到输出
kubectl get certificate
NAME READY SECRET AGE
tls-test-cert False tls-electi-cert 20h
kubectl get CertificateRequest
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
tls-test-cert-8jw75 True False letsencrypt-staging system:serviceaccount:cert-manager:cert-manager 18m
kubectl describe CertificateRequest
[...]
Status:
Conditions:
Last Transition Time: 2022-02-27T13:54:38Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2022-02-27T13:54:38Z
Message: Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 18m cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 18m cert-manager Created Order resource gateway/tls-test-cert-8jw75-1425588341
Normal OrderPending 18m cert-manager Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""
我的 Nginx 入口:(我将我的域交换到 example.com 以获取这篇文章)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-management
namespace: gateway
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-staging"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- secretName: tls-test-cert
hosts:
- example.com
- '*.example.com'
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-gateway
port:
number: 80
- host: '*.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-gateway
port:
number: 80
发行人:(我在这里编辑了我的电子邮件)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
namespace: cert-manager
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: *******
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
我的反向代理(测试网关)肯定可以工作并将所有子域转发到我的网站。提前感谢您对可能导致此问题的任何想法。
感谢您的帮助,我能够解决我的问题:
基本上,我必须找到一种新方法,因为 http01 不能颁发通配符证书。(见这里:https : //cert-manager.io/docs/configuration/acme/)经过一番研究,我得出结论,使用 dns01 求解器最有意义。文档可以在这里找到: https ://cert-manager.io/docs/configuration/acme/dns01/
由于 dns01 的配置很大程度上取决于您的 DNS 提供商,因此我不会在此处发布我的解决方案,但可以通过文档轻松找到有用的配置。