主页 / server / 问题 / 1094894
Accepted
Tamino Elgert
Asked: 2022-02-28 06:24:15 +0800 CST

带有证书管理器和letsencrypt的Kubernetes Nginx Ingress不允许域名中的通配符

  • 772

我有一个带有 Nginx Ingress 的自托管 Kubernetes 集群。Cert-manager 也在集群上运行,我尝试使用 Letsencrypt 获取有效的 SSL 证书。一切正常,我获得了 example.com、www.example.com或 app1.example.com 的有效证书,但不适用于通用通配符 *.example.com。如果我尝试以任何方式在 sec.tls.hosts 下的入口中输入通配符,则不会为我生成证书。我得到输出

kubectl get certificate

NAME              READY   SECRET            AGE
tls-test-cert     False   tls-electi-cert   20h

kubectl get CertificateRequest

NAME                    APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-test-cert-8jw75     True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   18m

kubectl describe CertificateRequest

[...]
Status:
  Conditions:
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From          Message
  ----    ------           ----  ----          -------
  Normal  cert-manager.io  18m   cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     18m   cert-manager  Created Order resource gateway/tls-test-cert-8jw75-1425588341
  Normal  OrderPending     18m   cert-manager  Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""

我的 Nginx 入口:(我将我的域交换到 example.com 以获取这篇文章)

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-management
  namespace: gateway
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
  - secretName: tls-test-cert
    hosts:
      - example.com
      - '*.example.com'
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
    - host: '*.example.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80

发行人:(我在这里编辑了我的电子邮件)

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: *******
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

我的反向代理(测试网关)肯定可以工作并将所有子域转发到我的网站。提前感谢您对可能导致此问题的任何想法。

nginx kubernetes kubeadm lets-encrypt cert-manager

1 个回答

  1. Best Answer

    感谢您的帮助,我能够解决我的问题:

    基本上,我必须找到一种新方法,因为 http01 不能颁发通配符证书。(见这里:https : //cert-manager.io/docs/configuration/acme/)经过一番研究,我得出结论,使用 dns01 求解器最有意义。文档可以在这里找到: https ://cert-manager.io/docs/configuration/acme/dns01/

    由于 dns01 的配置很大程度上取决于您的 DNS 提供商,因此我不会在此处发布我的解决方案,但可以通过文档轻松找到有用的配置。

    • 0

相关问题