Получил сертификаты tls.crt и tls.key, но браузер все еще поднимает соединение не является приватным - PullRequest
0 голосов
/ 14 марта 2019

На шаг 3 Я получил IP-адрес следующим образом. И я настроил свой DNS в соответствии с этой статьей

$ kubectl get svc
NAME                                       TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                      AGE
kubernetes                                 ClusterIP      10.51.240.1     <none>         443/TCP                      10d
quickstart-nginx-ingress-controller        LoadBalancer   10.51.251.156   35.247.160.2   80:30686/TCP,443:32595/TCP   87s
quickstart-nginx-ingress-default-backend   ClusterIP      10.51.253.66    <none>         80/TCP                       86s

Внешний IP-адрес, который назначается входному контроллеру, - это IP-адрес, на который должен направляться весь входящий трафик. Чтобы включить это, добавьте его в зону DNS, которой вы управляете, например, как example.your-domain.com.

Этот быстрый старт предполагает, что вы знаете, как назначить запись DNS для IP-адреса, и сделает это.

DNS zone enter image description here

domains.google.com enter image description here enter image description here enter image description here

Я могу $ curl -kivL -H 'Host: singh.hbot.dev' 'http://singh.hbot.dev' Вот вывод kuard

* Rebuilt URL to: http://singh.hbot.dev/
*   Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 80 (#0)
> GET / HTTP/1.1
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.15.8
Server: nginx/1.15.8
< Date: Thu, 14 Mar 2019 08:59:24 GMT
Date: Thu, 14 Mar 2019 08:59:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 171
Content-Length: 171
< Connection: keep-alive
Connection: keep-alive
< Location: https://singh.hbot.dev/
Location: https://singh.hbot.dev/

<
* Ignoring the response-body
* Connection #0 to host singh.hbot.dev left intact
* Issue another request to this URL: 'https://singh.hbot.dev/'
*   Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Mar 14 08:22:58 2019 GMT
*  expire date: Mar 13 08:22:58 2020 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdf3000e200)
> GET / HTTP/2
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: nginx/1.15.8
server: nginx/1.15.8
< date: Thu, 14 Mar 2019 08:59:24 GMT
date: Thu, 14 Mar 2019 08:59:24 GMT
< content-type: text/html
content-type: text/html
< content-length: 1689
content-length: 1689
< vary: Accept-Encoding
vary: Accept-Encoding
< strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15724800; includeSubDomains

<
<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">

  <title>KUAR Demo</title>

  <link rel="stylesheet" href="/static/css/bootstrap.min.css">
  <link rel="stylesheet" href="/static/css/styles.css">

  <script>
var pageContext = {"hostname":"kuard-79b5d46779-5slz8","addrs":["10.48.2.20"],"version":"v0.8.1-1","versionColor":"hsl(18,100%,50%)","requestDump":"GET / HTTP/1.1\r\nHost: singh.hbot.dev\r\nAccept: */*\r\nUser-Agent: curl/7.54.0\r\nX-Forwarded-For: 10.148.0.49\r\nX-Forwarded-Host: singh.hbot.dev\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Original-Uri: /\r\nX-Real-Ip: 10.148.0.49\r\nX-Request-Id: ba73c8e44498c36480ea0d4164279561\r\nX-Scheme: https","requestProto":"HTTP/1.1","requestAddr":"10.48.2.18:41748"}
  </script>
</head>


<svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<symbol id="icon-power" viewBox="0 0 32 32">
<title>power</title>
<path class="path1" d="M12 0l-12 16h12l-8 16 28-20h-16l12-12z"></path>
</symbol>
<symbol id="icon-notification" viewBox="0 0 32 32">
<title>notification</title>
<path class="path1" d="M16 3c-3.472 0-6.737 1.352-9.192 3.808s-3.808 5.72-3.808 9.192c0 3.472 1.352 6.737 3.808 9.192s5.72 3.808 9.192 3.808c3.472 0 6.737-1.352 9.192-3.808s3.808-5.72 3.808-9.192c0-3.472-1.352-6.737-3.808-9.192s-5.72-3.808-9.192-3.808zM16 0v0c8.837 0 16 7.163 16 16s-7.163 16-16 16c-8.837 0-16-7.163-16-16s7.163-16 16-16zM14 22h4v4h-4zM14 6h4v12h-4z"></path>
</symbol>
</defs>
</svg>

<body>
  <div id="root"></div>
  <script src="/built/bundle.js" type="text/javascript"></script>
</body>
</html>
* Connection #1 to host singh.hbot.dev left intact

Перейти к следующим шагам

$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
$
$ kubectl apply \
>    -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io configured
$
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"

namespace/cert-manager labeled
$
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

install cert-manager

$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager
NAME:   cert-manager
LAST DEPLOYED: Thu Mar 14 16:06:48 2019
NAMESPACE: cert-manager
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME                                    AGE
cert-manager-edit                       3s
cert-manager-view                       3s
cert-manager-webhook:webhook-requester  3s

==> v1/Pod(related)
NAME                                      READY  STATUS             RESTARTS  AGE
cert-manager-6f68b58796-w44tn             0/1    ContainerCreating  0         3s
cert-manager-cainjector-67b4696847-l2lhb  0/1    ContainerCreating  0         3s
cert-manager-webhook-6f58884b96-gh52r     0/1    ContainerCreating  0         3s

==> v1/Service
NAME                  TYPE       CLUSTER-IP    EXTERNAL-IP  PORT(S)  AGE
cert-manager-webhook  ClusterIP  10.51.250.12  <none>       443/TCP  3s

==> v1/ServiceAccount
NAME                     SECRETS  AGE
cert-manager             1        3s
cert-manager-cainjector  1        3s
cert-manager-webhook     1        3s

==> v1alpha1/Certificate
NAME                              AGE
cert-manager-webhook-ca           3s
cert-manager-webhook-webhook-tls  3s

==> v1alpha1/Issuer
NAME                           AGE
cert-manager-webhook-ca        2s
cert-manager-webhook-selfsign  3s

==> v1beta1/APIService
NAME                                  AGE
v1beta1.admission.certmanager.k8s.io  3s

==> v1beta1/ClusterRole
NAME                     AGE
cert-manager             3s
cert-manager-cainjector  3s

==> v1beta1/ClusterRoleBinding
NAME                                 AGE
cert-manager                         3s
cert-manager-cainjector              3s
cert-manager-webhook:auth-delegator  3s

==> v1beta1/Deployment
NAME                     READY  UP-TO-DATE  AVAILABLE  AGE
cert-manager             0/1    1           0          3s
cert-manager-cainjector  0/1    1           0          3s
cert-manager-webhook     0/1    1           0          3s

==> v1beta1/RoleBinding
NAME                                                AGE
cert-manager-webhook:webhook-authentication-reader  3s

==> v1beta1/ValidatingWebhookConfiguration
NAME                  AGE
cert-manager-webhook  2s


NOTES:
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://docs.cert-manager.io/en/latest/reference/issuers.html

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://docs.cert-manager.io/en/latest/reference/ingress-shim.html

Применить изменения staging-issuer.yaml and production-issuer.yaml.

$ kubectl apply -f staging-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-staging created
$ kubectl apply -f production-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-prod created

Отредактируйте мой ingress.yaml и примените его с помощью

    kubernetes.io/ingress.class: "nginx"    
    certmanager.k8s.io/issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01

Я нашел certificate, но когда я describe, он Events равен none!

$ kubectl get certificate
NAME
quickstart-example-tls
$ kubectl describe certificate quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-14T09:17:11Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   f30e819b-4639-11e9-a2d5-42010a9400fd
  Resource Version:        2243137
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     f311c99d-4639-11e9-a2d5-42010a9400fd
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.dev
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-14T09:17:11Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-06-12T08:16:05Z
Events:                    <none>

Тогда я проверяю secret. В документах написано

После завершения cert-manager создаст секрет с деталями сертификата на основе секрета, использованного во входном ресурсе. Вы также можете использовать команду описать, чтобы увидеть некоторые детали:

Хотя у меня нет ca.crt. Я решил идти дальше.

$ kubectl get secret
NAME                                   TYPE                                  DATA   AGE
default-token-vnngd                    kubernetes.io/service-account-token   3      10d
letsencrypt-prod                       Opaque                                1      3d1h
letsencrypt-staging                    Opaque                                1      3d1h
quickstart-example-tls                 kubernetes.io/tls                     3      3d1h
quickstart-nginx-ingress-token-c4tjk   kubernetes.io/service-account-token   3      58m
singh-dev-staging-tls                  kubernetes.io/tls                     3      21h
singh-secret                           kubernetes.io/tls                     3      22h
$ kubectl describe secret quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations:  certmanager.k8s.io/alt-names: singh.hbot.dev
              certmanager.k8s.io/common-name: singh.hbot.dev
              certmanager.k8s.io/ip-sans:
              certmanager.k8s.io/issuer-kind: Issuer
              certmanager.k8s.io/issuer-name: letsencrypt-staging

Type:  kubernetes.io/tls

Data
====
tls.key:  1675 bytes
ca.crt:   0 bytes
tls.crt:  3545 bytes

Измените ingress.yaml на production и apply.

sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard created

Удалить secret

sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-14T09:32:45Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   1fab9656-463c-11e9-a2d5-42010a9400fd
  Resource Version:        2246373
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.dev
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-14T09:34:06Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-06-12T08:34:04Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           33s   cert-manager  Generated new private key
  Normal  GenerateSelfSigned  33s   cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        33s   cert-manager  Created Order resource "quickstart-example-tls-1671619353"
  Normal  OrderComplete       6s    cert-manager  Order "quickstart-example-tls-1671619353" completed successfully
  Normal  CertIssued          6s    cert-manager  Certificate issued successfully

Чек order

$ kubectl describe order quickstart-example-tls-1671619353
Name:         quickstart-example-tls-1671619353
Namespace:    default
Labels:       acme.cert-manager.io/certificate-name=quickstart-example-tls
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Order
Metadata:
  Creation Timestamp:  2019-03-14T09:33:39Z
  Generation:          1
  Owner References:
    API Version:           certmanager.k8s.io/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  quickstart-example-tls
    UID:                   1facf771-463c-11e9-a2d5-42010a9400fd
  Resource Version:        2246369
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/orders/quickstart-example-tls-1671619353
  UID:                     3fd25e87-463c-11e9-a2d5-42010a9400fd
Spec:
  Config:
    Domains:
      singh.hbot.dev
    Http 01:
      Ingress Class:  nginx
  Csr:                MIIC...RQ8=
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:  Issuer
    Name:  letsencrypt-staging
Status:
  Certificate:  LS0t...LQo=
  Challenges:
    Authz URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk
    Config:
      Http 01:
        Ingress Class:  nginx
    Dns Name:           singh.hbot.dev
    Issuer Ref:
      Kind:      Issuer
      Name:      letsencrypt-staging
    Key:         tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs.-kMH8oyhdhqKbua2D8gLPi8FxbeW7rYKBB6w1gMRw2w
    Token:       tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs
    Type:        http-01
    URL:         https://acme-staging-v02.api.letsencrypt.org/acme/challenge/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk/270336074
    Wildcard:    false
  Finalize URL:  https://acme-staging-v02.api.letsencrypt.org/acme/finalize/8521062/26692657
  State:         valid
  URL:           https://acme-staging-v02.api.letsencrypt.org/acme/order/8521062/26692657
Events:
  Type    Reason      Age    From          Message
  ----    ------      ----   ----          -------
  Normal  Created     4m27s  cert-manager  Created Challenge resource "quickstart-example-tls-1671619353-0" for domain "singh.hbot.dev"
  Normal  OrderValid  4m     cert-manager  Order completed successfully

Решение: Благодаря Harsh Manvar

Подтвердите мой issuer URL из запущенного issuer

$ kubectl get issuer letsencrypt-prod -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},"spec":{"acme":{"email":"contact@hbot.io","http01":{},"privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-v02.api.letsencrypt.org/directory"}}}
  creationTimestamp: "2019-03-14T09:12:11Z"
  generation: 1
  name: letsencrypt-prod
  namespace: default
  resourceVersion: "2242148"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
  uid: 405fa7af-4639-11e9-a2d5-42010a9400fd
spec:
  acme:
    email: contact@hbot.io
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
status:
  acme:
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/53068205
  conditions:
  - lastTransitionTime: "2019-03-14T09:12:12Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready

Проверьте мой ingress

$ kubectl get ingress --all-namespaces
NAMESPACE   NAME    HOSTS            ADDRESS         PORTS     AGE
default     kuard   singh.hbot.dev   35.198.217.71   80, 443   43m
$ kubectl describe ingress
Name:             kuard
Namespace:        default
Address:          35.198.217.71
Default backend:  default-http-backend:80 (10.48.0.7:8080)
TLS:
  quickstart-example-tls terminates singh.hbot.dev
Rules:
  Host            Path  Backends
  ----            ----  --------
  singh.hbot.dev
                  /   kuard:80 (<none>)
Annotations:
  certmanager.k8s.io/acme-challenge-type:            http01
  certmanager.k8s.io/issuer:                         letsencrypt-prod
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/acme-challenge-type":"http01","certmanager.k8s.io/issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"kuard","namespace":"default"},"spec":{"rules":[{"host":"singh.hbot.dev","http":{"paths":[{"backend":{"serviceName":"kuard","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["singh.hbot.dev"],"secretName":"quickstart-example-tls"}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason             Age                From                      Message
  ----    ------             ----               ----                      -------
  Normal  CREATE             43m                nginx-ingress-controller  Ingress default/kuard
  Normal  CreateCertificate  43m                cert-manager              Successfully created Certificate "quickstart-example-tls"
  Normal  UPDATE             10m (x2 over 43m)  nginx-ingress-controller  Ingress default/kuard
  Normal  UpdateCertificate  10m                cert-manager              Successfully updated Certificate "quickstart-example-tls"

Изменить issuer на prod

sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard configured

Удалите старый secret, чтобы запустить процесс.

sixteen:cert-mgr hellohbot$ kubectl get secret
NAME                                   TYPE                                  DATA   AGE
default-token-vnngd                    kubernetes.io/service-account-token   3      10d
letsencrypt-prod                       Opaque                                1      3d2h
letsencrypt-staging                    Opaque                                1      3d2h
quickstart-example-tls                 kubernetes.io/tls                     3      33m
quickstart-nginx-ingress-token-c4tjk   kubernetes.io/service-account-token   3      103m
singh-dev-staging-tls                  kubernetes.io/tls                     3      21h
singh-secret                           kubernetes.io/tls                     3      23h
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted

Проверьте новый certificate

sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe  certificate
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-14T09:32:45Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   1fab9656-463c-11e9-a2d5-42010a9400fd
  Resource Version:        2252545
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.dev
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.dev
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-prod
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-14T10:06:53Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type    Reason              Age                From          Message
  ----    ------              ----               ----          -------
  Normal  OrderCreated        33m                cert-manager  Created Order resource "quickstart-example-tls-1671619353"
  Normal  OrderComplete       33m                cert-manager  Order "quickstart-example-tls-1671619353" completed successfully
  Normal  CertIssued          33m                cert-manager  Certificate issued successfully
  Normal  Generated           19s (x2 over 33m)  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  19s (x2 over 33m)  cert-manager  Generated temporary self signed certificate
  Normal  Cleanup             19s                cert-manager  Deleting old Order resource "quickstart-example-tls-1671619353"
  Normal  OrderCreated        19s                cert-manager  Created Order resource "quickstart-example-tls-2367785339"

1 Ответ

1 голос
/ 14 марта 2019

на входе вы используете эмитента, так как letsencrypt-staging измените его на производственный, а также измените tls-secrets, он будет работать

Рабочий URL для зашифрованного эмитента: https://acme -v02.api.letsencrypt.org/directory

в издателе, который вы использовали, промежуточный URL промежуточного сервера Let's Encypt, измените его на рабочий URL и снова попробуйте получить tls.cert и ключ, который будет работать с https://

промежуточный сертификат иногда не работает с https и браузер выдает ошибку, это для целей тестирования.

cert-manager и nginx ingress и другие вещи выглядят идеально, как и должно быть.

...