I have created a Let's Encrypt production ClusterIssuer in DigitalOcean Kubernetes (DOKS version 1.17.5). My cert-manager version is v0.15.0.
I used this:
kubectl describe clusterissuer letsencrypt-prod
Name: letsencrypt-prod
Namespace:
Labels: <none>
Annotations:
API Version: cert-manager.io/v1alpha3
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2020-05-13T12:08:52Z
Generation: 1
Resource Version: 16757
Self Link: /apis/cert-manager.io/v1alpha3/clusterissuers/letsencrypt-prod
UID: 2bbd1ca6-9c85-45e3-ad6e-7b85d9e93657
Spec:
Acme:
Email: cert@example.com
Private Key Secret Ref:
Name: letsencrypt-prod
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
http01:
Ingress:
Class: nginx
Status:
Acme:
Last Registered Email: cert@example.com
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/86033097
Conditions:
Last Transition Time: 2020-05-13T12:08:53Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
kubectl describe ingress
Name: bb-ingress
Namespace: default
Address: 167.99.17.96
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
bb-cloud-tls terminates example.com
Rules:
Host Path Backends
---- ---- --------
example.com
/ bb-web-service:80 (10.244.0.166:3000,10.244.0.31:3000)
Annotations: cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning BadConfig 8m17s cert-manager TLS entry 0 for hosts [example.com] must specify a secretName
Normal UPDATE 7m24s (x11 over 24h) nginx-ingress-controller Ingress default/bb-ingress
Name: cm-acme-http-solver-kbnn6
Namespace: default
Address: 167.99.17.96
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
example.com
/.well-known/acme-challenge/i5J8QI4XwJZVnS4xC_nSbK-8QFYlUJkmmOnETFXltdE cm-acme-http-solver-kgbd8:8089 (10.244.0.188:8089)
Annotations: kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events: <none>
kubectl describe certificate
Name: bb-cloud-tls
Namespace: default
Labels: <none>
Annotations:
API Version: cert-manager.io/v1alpha3
Kind: Certificate
Metadata:
Creation Timestamp: 2020-05-13T11:06:34Z
Generation: 1
Resource Version: 13723
Self Link: /apis/cert-manager.io/v1alpha3/namespaces/default/certificates/bb-cloud-tls
UID: 11e6d711-56a9-4711-a6c4-cca516b96c41
Spec:
Common Name: example.com
Dns Names:
example.com
Duration: 24h0m0s
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Renew Before: 12h0m0s
Secret Name: bb-cloud-tls
Status:
Conditions:
Last Transition Time: 2020-05-13T11:46:24Z
Message: Waiting for CertificateRequest "bb-cloud-tls-1534494017" to complete
Reason: InProgress
Status: False
Type: Ready
Events: <none>
kubectl describe order
Name: bb-cloud-tls-1534494017-2165728012
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: bb-cloud-tls
cert-manager.io/private-key-secret-name: bb-cloud-tls
API Version: acme.cert-manager.io/v1alpha3
Kind: Order
Metadata:
Creation Timestamp: 2020-05-13T11:46:24Z
Generation: 1
Owner References:
API Version: cert-manager.io/v1alpha2
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: bb-cloud-tls-1534494017
UID: 5b2972ba-bfe5-4149-a53b-13764a1a8269
Resource Version: 13730
Self Link: /apis/acme.cert-manager.io/v1alpha3/namespaces/default/orders/bb-cloud-tls-1534494017-2165728012
UID: 1dd81160-c700-4d29-88c1-0c5a5dee5774
Spec:
Common Name: example.com
Csr: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNU**************************
Dns Names:
example.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Status:
Authorizations:
Challenges:
Token: i5J8QI4XwJZVnS4*********
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/4557349440/4vbwhw
Token: i5J8QI4XwJZVnS******
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/4557349440/yILvmw
Token: i5J8QI4Xw*****
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/4557349440/iPGc-Q
Identifier: example.com
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4557349440
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/86033097/3348998322
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/86033097/3348998322
Events: <none>
I also have these logs from the ingress pod (devspace logs -n ingress-nginx --pod ingress-nginx-controller-5cc4589cc8-z5hb4 -c controller):
2020/05/14 11:59:02 [error] 163#163: *388536 broken header: "GET /.well-known/acme-challenge/i5J8QI4XwJZVnS4xC_nSbK-8QFYlUJkmmOnETFXltdE HTTP/1.1
Host: example.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Connection: close

" while reading PROXY protocol, client: 10.244.0.178, server: 0.0.0.0:80
My certificate is wrong: "Kubernetes Ingress Controller Fake Certificate".
How can I fix this?
I also found a similar issue on GitHub, but it is closed and I have a newer version of cert-manager.
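What the controller log above is saying, worked through as an added example (this is not code from the question, from ingress-nginx or from cert-manager): the error "broken header ... while reading PROXY protocol" means nginx was configured to expect a PROXY protocol preamble on every connection (the load balancer prepends it), but this particular connection opened with the HTTP request line instead. The client address 10.244.0.178 is a pod IP and the User-Agent is Go's default client, which is what cert-manager's own HTTP-01 self-check looks like when it resolves example.com to the load balancer address but the connection is short-circuited inside the cluster and never passes through the load balancer. The script below builds the PROXY v1 line a load balancer would send, classifies connection preambles the way a PROXY-protocol listener sees them, and parses a log line constructed from the one in the question. The pod CIDR 10.244.0.0/16 is an assumption (the question only shows 10.244.0.x addresses).

```python
"""Diagnose nginx's 'broken header ... while reading PROXY protocol' errors.

Added example (not code from the question, ingress-nginx or cert-manager).
When ingress-nginx is configured with use-proxy-protocol, nginx expects every
connection to open with the PROXY protocol v1 line that the load balancer
prepends.  A connection that reaches the controller without passing through
the load balancer opens with the HTTP request line instead, and nginx logs
exactly the error shown in the question.
"""
import ipaddress
import re
from typing import Optional

# Assumption: the cluster's pod CIDR. The question shows 10.244.0.x pod IPs; the /16 is a guess.
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")

PROXY_V1_RE = re.compile(r"^PROXY (TCP4|TCP6|UNKNOWN)( (\S+) (\S+) (\d+) (\d+))?\r\n")
HTTP_REQUEST_RE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?\n")
NGINX_BROKEN_HEADER_RE = re.compile(
    r'broken header: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\r?\n'
    r'(?P<headers>.*?)" while reading PROXY protocol, '
    r"client: (?P<client>[^,]+), server: (?P<server>\S+)",
    re.DOTALL,
)

# Constructed sample modelled on the controller log in the question (CRLF line endings restored).
SAMPLE_LOG = (
    "2020/05/14 11:59:02 [error] 163#163: *388536 broken header: "
    '"GET /.well-known/acme-challenge/i5J8QI4XwJZVnS4xC_nSbK-8QFYlUJkmmOnETFXltdE HTTP/1.1\r\n'
    "Host: example.com\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\n"
    'Connection: close\r\n\r\n" while reading PROXY protocol, client: 10.244.0.178, server: 0.0.0.0:80'
)


def proxy_v1_header(src: str, dst: str, sport: int, dport: int) -> bytes:
    """The PROXY protocol v1 line a load balancer prepends to a forwarded TCP connection."""
    family = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def classify_preamble(first_bytes: bytes) -> str:
    """Classify the opening bytes of a connection the way a PROXY-protocol listener sees them."""
    text = first_bytes[:256].decode("latin-1")
    if PROXY_V1_RE.match(text):
        return "proxy-v1"
    if HTTP_REQUEST_RE.match(text):
        return "http-request-without-proxy-header"
    return "unknown"


def diagnose_nginx_log(line: str) -> Optional[dict]:
    """Parse one 'broken header' error and explain why the PROXY header was missing."""
    m = NGINX_BROKEN_HEADER_RE.search(line)
    if m is None:
        return None
    headers = {}
    for raw in m.group("headers").splitlines():
        if ":" in raw:
            name, value = raw.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    client = ipaddress.ip_address(m.group("client").strip())
    path = m.group("path")
    in_cluster = client in POD_CIDR
    is_acme = path.startswith("/.well-known/acme-challenge/")
    if is_acme and in_cluster:
        verdict = ("cert-manager's HTTP-01 self-check was answered from inside the cluster: "
                   "the request never crossed the load balancer, so no PROXY header was prepended")
    elif in_cluster:
        verdict = "an in-cluster client connected to the controller directly, bypassing the load balancer"
    else:
        verdict = "an external client sent plain HTTP to a listener that expects PROXY protocol"
    return {
        "client": str(client),
        "client_in_pod_cidr": in_cluster,
        "path": path,
        "is_acme_challenge": is_acme,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    lb_conn = proxy_v1_header("203.0.113.7", "10.244.0.5", 51234, 80) + b"GET / HTTP/1.1\r\n"
    print(classify_preamble(lb_conn))
    print(classify_preamble(b"GET /.well-known/acme-challenge/tok HTTP/1.1\r\nHost: example.com\r\n"))
    for key, value in diagnose_nginx_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against lines from `kubectl logs` of the controller; any match whose client falls in the pod CIDR is traffic that bypassed the load balancer, which is the hairpin problem the answers below work around (either by routing in-cluster traffic to the load balancer hostname, or by switching to DNS-01 so cert-manager never has to reach its own ingress).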
@mpz see this issue: https://github.com/jetstack/cert-manager/issues/466
Note that one of the comments says "Unfortunately, DigitalOcean's DNS01 challenge is broken in 0.7.0 (and per my testing in 0.6.0 as well), so HTTP01 is a must", which is exactly the opposite of your answer. I'm not sure whether that has been fixed since, but I worked around this problem and got the HTTP01 challenge working via compumike's https://github.com/compumike/hairpin-proxy answer. It explains the issue behind the problem and offers a simple fix as a one-line install (which should work out of the box with ingress-nginx and cert-manager).
Another, more recent answer by KeksBeskvitovich (which I have not tried) is the DigitalOcean-specific annotation service.beta.kubernetes.io/do-loadbalancer-hostname on the Ingress Controller Service (https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/annotations.md#servicebetakubernetesiodo-loadbalancer-hostname). Assuming that works (again, I have not tried it), it would be the more formal solution, since it does not require a third-party install.
But compumike's hairpin-proxy solution is simple and easy, and it worked for me (it was the last piece of the puzzle), so if you are struggling with cert-manager, give it a try!
I changed ACME from http01 to dns01.
Before:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  # ClusterIssuer is cluster-scoped, so this namespace field is ignored
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: my@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
After:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  # ClusterIssuer is cluster-scoped, so this namespace field is ignored
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: my@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the DNS-01 challenge provider
    solvers:
    - dns01:
        digitalocean:
          # For a ClusterIssuer this Secret must live in cert-manager's
          # cluster resource namespace (cert-manager by default)
          tokenSecretRef:
            name: digitalocean-dns
            key: access-token
I also added the Secret; see https://cert-manager.io/docs/configuration/acme/dns01/digitalocean/ for details.
Now it is working.
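Both solvers on this page, HTTP-01 and DNS-01, publish a value derived from the same two inputs: the challenge token (the Order above lists one per challenge type) and the RFC 7638 thumbprint of the ACME account public key. Knowing how that value is computed lets you check by hand what the CA will look for, whichever solver cert-manager is configured with. The script below is an added example (not code from the answer, from cert-manager or from Let's Encrypt); the account key it uses is a constructed placeholder, not a real RSA key, because only the derivation is being shown.

```python
"""What an ACME HTTP-01 or DNS-01 challenge response must contain (RFC 8555, RFC 7638).

Added example (not code from the answer, cert-manager or Let's Encrypt).
  HTTP-01: GET http://<domain>/.well-known/acme-challenge/<token> must return <token>.<thumbprint>
  DNS-01:  _acme-challenge.<domain> TXT must equal base64url(SHA-256(<token>.<thumbprint>))
where <thumbprint> is the RFC 7638 thumbprint of the ACME account public key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed placeholder account key: NOT a real RSA key, only the derivation matters here.
DEMO_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"constructed demo modulus, not a real key"),
    "kid": "demo",  # optional member; must not influence the thumbprint
}

# Members that go into the thumbprint, per RFC 7638 section 3.2
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members, sorted, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON)) of the account public key."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 response body: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 TXT value: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def expected_records(domain: str, token: str, jwk: dict) -> dict:
    """Everything the CA will fetch for this token, for either solver."""
    return {
        "http01_url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "http01_body": key_authorization(token, jwk),
        "dns01_name": f"_acme-challenge.{domain}",
        "dns01_txt": dns01_txt_value(token, jwk),
    }


def check_http01_response(token: str, jwk: dict, served_body: str) -> bool:
    """Compare a fetched challenge body the way the CA (and cert-manager's self-check) does."""
    return served_body.strip() == key_authorization(token, jwk)


def check_dns01_records(token: str, jwk: dict, txt_values) -> bool:
    """True if any TXT value returned for _acme-challenge.<domain> is the expected one."""
    return dns01_txt_value(token, jwk) in {v.strip('"') for v in txt_values}


if __name__ == "__main__":
    # Token taken from the Order shown in the question
    token = "i5J8QI4XwJZVnS4xC_nSbK-8QFYlUJkmmOnETFXltdE"
    for name, value in expected_records("example.com", token, DEMO_JWK).items():
        print(f"{name}: {value}")
```

To check a real cluster, the account key is the Secret named by privateKeySecretRef (letsencrypt-prod above) in cert-manager's namespace, stored under the key tls.key; turning that PEM into the JWK members n and e needs a crypto library and is not shown here. RFC 7638 section 3.1 contains a fully worked thumbprint for a published RSA key, which is a good way to confirm jwk_thumbprint against an independent reference. Note that the CA validates from the public Internet, so the in-cluster self-check failing (as in the question) and the CA's own validation are separate problems; DNS-01 sidesteps the first by never requiring cert-manager to reach its own ingress.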