Nginx
帶有證書管理器和letsencrypt的Kubernetes Nginx Ingress不允許域名中的萬用字元
我有一個帶有 Nginx Ingress 的自託管 Kubernetes 集群。Cert-manager 也在集群上執行,我嘗試使用 Letsencrypt 獲取有效的 SSL 證書。一切正常,我獲得了 example.com、www.example.com或 app1.example.com 的有效證書,但不適用於通用萬用字元 *.example.com。如果我嘗試以任何方式在 sec.tls.hosts 下的入口中輸入萬用字元,則不會為我生成證書。我得到輸出
kubectl get certificate
NAME READY SECRET AGE tls-test-cert False tls-electi-cert 20h
kubectl get CertificateRequest
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE tls-test-cert-8jw75 True False letsencrypt-staging system:serviceaccount:cert-manager:cert-manager 18m
kubectl describe CertificateRequest
[...] Status: Conditions: Last Transition Time: 2022-02-27T13:54:38Z Message: Certificate request has been approved by cert-manager.io Reason: cert-manager.io Status: True Type: Approved Last Transition Time: 2022-02-27T13:54:38Z Message: Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending" Reason: Pending Status: False Type: Ready Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal cert-manager.io 18m cert-manager Certificate request has been approved by cert-manager.io Normal OrderCreated 18m cert-manager Created Order resource gateway/tls-test-cert-8jw75-1425588341 Normal OrderPending 18m cert-manager Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""
我的 Nginx 入口:(我將我的域交換到 example.com 以獲取這篇文章)
--- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: test-management namespace: gateway annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: "letsencrypt-staging" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTP" spec: ingressClassName: nginx tls: - secretName: tls-test-cert hosts: - example.com - '*.example.com' rules: - host: example.com http: paths: - path: / pathType: Prefix backend: service: name: test-gateway port: number: 80 - host: '*.example.com' http: paths: - path: / pathType: Prefix backend: service: name: test-gateway port: number: 80
發行人:(我在這裡編輯了我的電子郵件)
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: letsencrypt-staging namespace: cert-manager spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory email: ******* privateKeySecretRef: name: letsencrypt-staging solvers: - http01: ingress: class: nginx
我的反向代理(測試網關)肯定可以工作並將所有子域轉發到我的網站。提前感謝您對可能導致此問題的任何想法。
感謝您的幫助,我能夠解決我的問題:
基本上,我必須找到一種新方法,因為 http01 不能頒發萬用字元證書。(見這裡:https : //cert-manager.io/docs/configuration/acme/)經過一番研究,我得出結論,使用 dns01 求解器最有意義。文件可以在這裡找到: https ://cert-manager.io/docs/configuration/acme/dns01/
由於 dns01 的配置很大程度上取決於您的 DNS 提供商,因此我不會在此處發布我的解決方案,但可以通過文件輕鬆找到有用的配置。