Ssl 让';s使用证书管理器在GKE上加密:证书无效
我正在尝试让我们加密与证书管理器在GKE上工作。我遵循了以下程序: 单独安装CustomResourceDefinition资源 为证书管理器创建命名空间 标记证书管理器命名空间以禁用资源验证 添加Jetstack Helm存储库 更新本地头盔图表存储库缓存 安装cert manager掌舵图 这将导致(在cert manager命名空间中) 和证书.ymlSsl 让';s使用证书管理器在GKE上加密:证书无效,ssl,google-kubernetes-engine,lets-encrypt,nginx-ingress,cert-manager,Ssl,Google Kubernetes Engine,Lets Encrypt,Nginx Ingress,Cert Manager,我正在尝试让我们加密与证书管理器在GKE上工作。我遵循了以下程序: 单独安装CustomResourceDefinition资源 为证书管理器创建命名空间 标记证书管理器命名空间以禁用资源验证 添加Jetstack Helm存储库 更新本地头盔图表存储库缓存 安装cert manager掌舵图 这将导致(在cert manager命名空间中) 和证书.yml apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-tls
spec:
secretName: test-me
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: test.me
dnsNames:
- test.me
- www.test.me
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.me
- www.test.me
在这里,我似乎遇到了一个问题:
...
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Secret Name: test-me
Status:
Conditions:
Last Transition Time: 2019-03-27T16:35:40Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning IssuerNotFound 4m (x2 over 4m) cert-manager clusterissuer.certmanager.k8s.io "letsencrypt-prod" not found
Warning IssuerNotReady 4m cert-manager Issuer letsencrypt-prod not ready
Normal Generated 4m cert-manager Generated new private key
Normal GenerateSelfSigned 4m cert-manager Generated temporary self signed certificate
Normal OrderCreated 4m cert-manager Created Order resource "test-me-tls-202592384"
它确实超越了这一点。没有证书得到验证
入口看起来像
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/add-base-url: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- test.me
- www.test.me
secretName: test-me
rules:
- host: test.me
http:
paths:
- path: /
backend:
serviceName: web-cluster-ip-service
servicePort: 80
- host: www.test.me
http:
paths:
- path: /
backend:
serviceName: web-cluster-ip-service
servicePort: 80
最后,我的站点仍然不安全,证书无效
发给:
Common Name (CN) test.me
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
Common Name(CN)test.me
组织(O)证书经理
组织单位(OU)
签发人:
通用名(CN)cert-manager.local
组织(O)证书经理
组织单位(OU)
证书无效,我遗漏了什么。https01(在issuer.yml中)是一个输入错误:这应该是http01Mike,您可以接受自己的答案。那么这个问题就解决了。
helm repo update
helm install \
--name cert-manager \
--namespace cert-manager \
--version v0.7.0 \
jetstack/cert-manager
kubectl -n cert-manager get all
NAME READY STATUS
RESTARTS AGE
pod/cert-manager-6d8fc95f98-57c55 1/1 Running 0 26m
pod/cert-manager-cainjector-7c789f4fcc-jdqfs 1/1 Running 0 26m
pod/cert-manager-webhook-86bc6ff498-kcxj8 1/1 Running 0 26m
NAME TYPE CLUSTER-IP EXTERNAL-IP
PORT(S) AGE
service/cert-manager-webhook ClusterIP 10.39.251.139 <none> 443/TCP 26m
...
kubectl -n cert-manager get secrets
NAME TYPE DATA AGE
cert-manager-cainjector-token-mvmsx kubernetes.io/service-account-token 3 30m
cert-manager-token-gk2sp kubernetes.io/service-account-token 3 30m
cert-manager-webhook-ca kubernetes.io/tls 3 30m
cert-manager-webhook-token-6l6k7 kubernetes.io/service-account-token 3 30m
cert-manager-webhook-webhook-tls kubernetes.io/tls 3 30m
default-token-rx6sp kubernetes.io/service-account-token 3 30m
letsencrypt-prod Opaque 1 30m
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: 'me@me.com'
privateKeySecretRef:
name: letsencrypt-prod
https01: {}
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: test-tls
spec:
secretName: test-me
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: test.me
dnsNames:
- test.me
- www.test.me
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.me
- www.test.me
...
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Secret Name: test-me
Status:
Conditions:
Last Transition Time: 2019-03-27T16:35:40Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning IssuerNotFound 4m (x2 over 4m) cert-manager clusterissuer.certmanager.k8s.io "letsencrypt-prod" not found
Warning IssuerNotReady 4m cert-manager Issuer letsencrypt-prod not ready
Normal Generated 4m cert-manager Generated new private key
Normal GenerateSelfSigned 4m cert-manager Generated temporary self signed certificate
Normal OrderCreated 4m cert-manager Created Order resource "test-me-tls-202592384"
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/add-base-url: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- test.me
- www.test.me
secretName: test-me
rules:
- host: test.me
http:
paths:
- path: /
backend:
serviceName: web-cluster-ip-service
servicePort: 80
- host: www.test.me
http:
paths:
- path: /
backend:
serviceName: web-cluster-ip-service
servicePort: 80
Common Name (CN) test.me
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>