Nginx

帶有證書管理器和letsencrypt的Kubernetes Nginx Ingress不允許域名中的萬用字元

  • March 13, 2022

我有一個帶有 Nginx Ingress 的自託管 Kubernetes 集群。Cert-manager 也在集群上執行,我嘗試使用 Letsencrypt 獲取有效的 SSL 證書。一切正常,我獲得了 example.com、www.example.com或 app1.example.com 的有效證書,但不適用於通用萬用字元 *.example.com。如果我嘗試以任何方式在 sec.tls.hosts 下的入口中輸入萬用字元,則不會為我生成證書。我得到輸出

kubectl get certificate

NAME              READY   SECRET            AGE
tls-test-cert     False   tls-electi-cert   20h

kubectl get CertificateRequest

NAME                    APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-test-cert-8jw75     True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   18m

kubectl describe CertificateRequest

[...]
Status:
 Conditions:
   Last Transition Time:  2022-02-27T13:54:38Z
   Message:               Certificate request has been approved by cert-manager.io
   Reason:                cert-manager.io
   Status:                True
   Type:                  Approved
   Last Transition Time:  2022-02-27T13:54:38Z
   Message:               Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
   Reason:                Pending
   Status:                False
   Type:                  Ready
Events:
 Type    Reason           Age   From          Message
 ----    ------           ----  ----          -------
 Normal  cert-manager.io  18m   cert-manager  Certificate request has been approved by cert-manager.io
 Normal  OrderCreated     18m   cert-manager  Created Order resource gateway/tls-test-cert-8jw75-1425588341
 Normal  OrderPending     18m   cert-manager  Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""

我的 Nginx 入口:(我將我的域交換到 example.com 以獲取這篇文章)

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 name: test-management
 namespace: gateway
 annotations:
   kubernetes.io/ingress.class: nginx
   cert-manager.io/cluster-issuer: "letsencrypt-staging"
   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
   nginx.ingress.kubernetes.io/ssl-redirect: "true"
   nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
 ingressClassName: nginx
 tls:
 - secretName: tls-test-cert
   hosts:
     - example.com
     - '*.example.com'
 rules:
   - host: example.com
     http:
       paths:
         - path: /
           pathType: Prefix
           backend:
             service:
               name: test-gateway
               port:
                 number: 80
   - host: '*.example.com'
     http:
       paths:
         - path: /
           pathType: Prefix
           backend:
             service:
               name: test-gateway
               port:
                 number: 80

發行人:(我在這裡編輯了我的電子郵件)

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
 name: letsencrypt-staging
 namespace: cert-manager
spec:
 acme:
   server: https://acme-staging-v02.api.letsencrypt.org/directory
   email: *******
   privateKeySecretRef:
     name: letsencrypt-staging
   solvers:
     - http01:
         ingress:
           class: nginx

我的反向代理(測試網關)肯定可以工作並將所有子域轉發到我的網站。提前感謝您對可能導致此問題的任何想法。

感謝您的幫助,我能夠解決我的問題:

基本上,我必須找到一種新方法,因為 http01 不能頒發萬用字元證書。(見這裡:https : //cert-manager.io/docs/configuration/acme/)經過一番研究,我得出結論,使用 dns01 求解器最有意義。文件可以在這裡找到: https ://cert-manager.io/docs/configuration/acme/dns01/

由於 dns01 的配置很大程度上取決於您的 DNS 提供商,因此我不會在此處發布我的解決方案,但可以通過文件輕鬆找到有用的配置。

引用自:https://serverfault.com/questions/1094894