我正在嘗試為 Kubernetes 集群 (AWS EKS) 之外可用的服務設定 TLS。使用 cert-manager,我已經成功頒發了證書并配置了入口,但仍然出現錯誤NET::ERR_CERT_AUTHORITY_INVALID。這是我所擁有的:
命名空間
tests并hello-kubernetes在其中(部署和服務都有名稱hello-kubernetes-first,服務是帶有port80 和targetPort8080 的ClusterIP ,部署基于paulbouwer/hello-kubernetes:1.8,請參閱我上一個問題中的詳細資訊)DNS 和入口配置為顯示服務:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: hello-kubernetes-ingress namespace: tests spec: ingressClassName: nginx rules: - host: test3.projectname.org http: paths: - path: "/" pathType: Prefix backend: service: name: hello-kubernetes-first port: number: 80如果不配置 TLS,我可以通過 http 訪問 test3.projectname.org 并查看服務(好吧,它嘗試將我重定向到 https,我看到了
NET::ERR_CERT_AUTHORITY_INVALID,無論如何我都會轉到不安全狀態并查看 hello-kubernetes 頁面)。注意:我有 nginx-ingress入口控制器;它是通過以下圖表在我之前安裝的:
apiVersion: v2 name: nginx description: A Helm chart for Kubernetes type: application version: 4.0.6 appVersion: "1.0.4" dependencies: - name: ingress-nginx version: 4.0.6 repository: https://kubernetes.github.io/ingress-nginx和圖表應用的值覆寫與原始值不同,主要在于
extraArgs:default-ssl-certificate: "nginx-ingress/dragon-family-com"未提交
通過安裝證書管理器
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yamlClusterIssuer使用以下配置創建:
apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-backoffice spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory # use https://acme-v02.api.letsencrypt.org/directory after everything is fixed and works privateKeySecretRef: # this secret is created in the namespace of cert-manager name: letsencrypt-backoffice-private-key # email: <will be used for urgent alerts about expiration etc> solvers: # TODO: add for each domain/second-level domain/*.projectname.org - selector: dnsZones: - test.projectname.org - test2.projectname.org - test3.projectname.org http01: ingress: class: nginx證書的
tests命名空間。它的配置是apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: letsencrypt-certificate-31 namespace: tests spec: secretName: tls-secret-31 issuerRef: kind: ClusterIssuer name: letsencrypt-backoffice commonName: test3.projectname.org dnsNames: - test3.projectname.org
現在,證書已準備好(kubectl get certificates -n tests說明)并應用它,我將其添加到 ingress 的規范中:
tls:
- hosts:
- test3.projectname.org
secretName: tls-secret-31
但是,當我嘗試通過 https 打開 test3.projectname.org 時,它仍然顯示NET::ERR_CERT_AUTHORITY_INVALID錯誤。我究竟做錯了什么?如何除錯這個?我檢查了openssl s_client -connect test3.projectname.org:443 -prexit*并顯示以下鏈:
0 s:CN = test3.projectname.org
i:C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
1 s:C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
2 s:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
并告訴,除其他輸出
驗證錯誤:無法獲取本地頒發者證書
不幸的是,我沒有發現任何有用的東西可以進一步嘗試,因此感謝您的幫助。
uj5u.com熱心網友回復:
您的 ClusterIssuer 是指 LetsEncrypt 登臺發行者。洗掉該設定/默認應使用其生產設定。正如評論中指出的:https : //acme-v02.api.letsencrypt.org/directory
洗掉以前生成的機密或切換到新的機密應確保使用正確的頒發者重新生成您的證書。
臨時發行者可能對測驗 LetsEncrypt 集成很有用,否則不應使用它。
uj5u.com熱心網友回復:
按照 SYN 的建議,我已經解決了這個問題
將 ClusterIssuer 配置中的 ACME 服務器從 切換
https://acme-staging-v02.api.letsencrypt.org/directory到https://acme-v02.api.letsencrypt.org/directory. 臨時服務器的想法似乎是:允許除錯證書頒發(以便kubectl get certificate [-n <namespace>]顯示READY=true)而不提供實際的可信證書;證書頒發完成后,必須切換到主服務器才能獲得生產證書。更新證書、tls 機密和入口配置。好吧,我不確定是否有辦法實際更新證書;相反,我創建了新的,它創建了新的秘密,然后更新了入口配置(只是秘密的名稱)
uj5u.com熱心網友回復:
您的證書不起作用的原因,不是因為您使用了登臺服務器,而是因為您沒有在 Ingress 規則中指定tls物件。Certbot 的暫存僅用于測驗目的,并且如果您每小時請求超過 5 個證書,則不會在您測驗時“禁止”您。當您確認一切都按預期作業時,您可以使用普通的非登臺服務器。
應該這樣做:
集群發行者物件:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
入口物件:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-kubernetes-ingress
namespace: tests
labels:
app: hello-kubernetes-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- test3.projectname.org
secretName: hello-tls
rules:
- host: test3.projectname.org
http:
paths:
- pathType: ImplementationSpecific
path: "/"
backend:
service:
name: hello-kubernetes-ingress
port:
number: 80
證書和密鑰存盤在名為“hello-tls”的機密中,您在初始示例中也沒有指定該機密,因此您收到了失敗。
轉載請註明出處,本文鏈接:https://www.uj5u.com/yidong/359014.html
標籤:ssl Kubernetes Kubernetes 入口 证书管理器
上一篇:如何在掌舵圖中創建模板?
