CertManager LetsEncrypt certificate request: "failed to perform self check GET request"

Updated: 2024-10-22 21:21:26

Problem description

Waiting for http-01 challenge propagation: failed to perform self check GET request, similar to this error github/jetstack/cert-manager/issues/656, but none of the solutions from the GitHub ticket comments helped.

I am trying to set up CertManager on DigitalOcean following the instructions in this tutorial: I do not get any errors, but the request from CertManager has been sitting in the pending state for more than 40 hours.

I have successfully configured the Ingress with Nginx, then I created a namespace and created the CertManager CRDs:

$ kubectl create namespace cert-manager
$ kubectl apply --validate=false -f github/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml

I can see all the CertManager pods as expected:

$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5c47f46f57-gxhwv              1/1     Running   0          42h
cert-manager-cainjector-6659d6844d-xp75s   1/1     Running   0          42h
cert-manager-webhook-547567b88f-k4dv2      1/1     Running   0          42h

Then I created the staging issuer:

---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: acme-staging-v02.api.letsencrypt/directory
    email: some@email.here
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

and updated the Ingress configuration:

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # cert-manager.io/cluster-issuer: "letsencrypt-prod"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - echo.some.domain
    secretName: ingress-tls
  rules:
  - host: echo.some.domain
    http:
      paths:
      - backend:
          serviceName: echo1
          servicePort: 80

But after that, CertManager does not update the certificate and keeps waiting in the InProgress state:

$ date
Wed 18 Dec 2019 01:58:08 PM MSK
$ kubectl describe cert
...
Status:
  Conditions:
    Last Transition Time:  2019-12-16T17:23:56Z
    Message:               Waiting for CertificateRequest "ingress-tls-1089568541" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:                    <none>

Instead of Fake LE Intermediate X1 as the CN, it returns CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co

$ kubectl describe CertificateRequest
Status:
  Conditions:
    Last Transition Time:  2019-12-16T17:50:05Z
    Message:               Waiting on certificate issuance from order default/ingress-tls-1089568541-1576201144: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:                    <none>

What could be wrong with CertManager, and how do I fix it?

Update:

The ingress logs contain the following errors:

$ kubectl -n ingress-nginx logs nginx-ingress-controller-7754db565c-g557h
I1218 17:24:30.331127 6 status.go:295] updating Ingress default/cm-acme-http-solver-4dkdn status from [] to [{xxx.xxx.xxx.xxx }]
I1218 17:24:30.333250 6 status.go:295] updating Ingress default/cm-acme-http-solver-9dpqc status from [] to [{xxx.xxx.xxx.xxx }]
I1218 17:24:30.341292 6 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cm-acme-http-solver-4dkdn", UID:"2e523b74-8bbb-41c7-be8a-44d8db8abd6e", APIVersion:"extensions/v1beta1", ResourceVersion:"722472", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/cm-acme-http-solver-4dkdn
I1218 17:24:30.344340 6 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cm-acme-http-solver-9dpqc", UID:"b574a3b6-6c5b-4266-a4e2-6ff2de2d78e0", APIVersion:"extensions/v1beta1", ResourceVersion:"722473", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/cm-acme-http-solver-9dpqc
W1218 17:24:30.442276 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
W1218 17:24:30.442950 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
W1218 17:24:33.775476 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate
W1218 17:24:33.775956 6 controller.go:1042] Error getting SSL certificate "default/ingress-tls": local SSL certificate default/ingress-tls was not found. Using default certificate

Update 2:

The ingress-tls secret is available as expected:

$ kubectl get secret ingress-tls -o yaml
apiVersion: v1
data:
  ca.crt: ""
  tls.crt: ""
  tls.key: <secret-key-data-base64-encoded>
kind: Secret
metadata:
  annotations:
    cert-manager.io/certificate-name: ingress-tls
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-staging
  creationTimestamp: "2019-12-16T17:23:56Z"
  name: ingress-tls
  namespace: default
  resourceVersion: "328801"
  selfLink: /api/v1/namespaces/default/secrets/ingress-tls
  uid: 5d640b66-1572-44a1-94e4-6d85a73bf21c
type: kubernetes.io/tls

Update 3:

I found the cert-manager pod failing, with this in its log:

E1219 11:06:08.294011 1 sync.go:184] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request '<some.domain>/.well-known/acme-challenge/<some-path>': Get <some.domain>/.well-known/acme-challenge/<some-path>: dial tcp xxx.xxx.xxx.xxx:80: connect: connection timed out" "dnsName"="<some.domain>" "resource_kind"="Challenge" "resource_name"="ingress-tls-1089568541-1576201144-1086699008" "resource_namespace"="default" "type"="http-01"

Challenge status:

$ kubectl describe challenge ingress-tls-1089568541-1576201144-471532423
Name:         ingress-tls-1089568541-1576201144-471532423
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1alpha2
Kind:         Challenge
Metadata:
  Creation Timestamp:  2019-12-19T11:32:19Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Owner References:
    API Version:           acme.cert-manager.io/v1alpha2
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  ingress-tls-1089568541-1576201144
    UID:                   7d19d86f-0b56-4756-aa20-bb85caf80b9e
  Resource Version:        872062
  Self Link:               /apis/acme.cert-manager.io/v1alpha2/namespaces/default/challenges/ingress-tls-1089568541-1576201144-471532423
  UID:                     503a8b4e-dc60-4080-91d9-2847815af1cc
Spec:
  Authz URL:  acme-staging-v02.api.letsencrypt/acme/authz-v3/123456
  Dns Name:   <domain>
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-staging
  Key:      <key>
  Solver:
    http01:
      Ingress:
        Class:  nginx
  Token:      <token>
  Type:       http-01
  URL:        acme-staging-v02.api.letsencrypt/acme/chall-v3/12345/abc
  Wildcard:   false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for http-01 challenge propagation: failed to perform self check GET request '<domain>/.well-known/acme-challenge/<token>': Get <domain>/.well-known/acme-challenge/<token>: dial tcp xxx.xxx.xxx.xxx:80: connect: connection timed out
  State:       pending
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Started    4m28s  cert-manager  Challenge scheduled for processing
  Normal  Presented  4m28s  cert-manager  Presented challenge using http-01 challenge mechanism

I tried deleting the challenge to re-trigger it, but it fails again after a minute or two with the same error. I checked that I can reach the challenge URL from the cluster nodes (using kubectl run -it ... and wget <domain>/.well-known/acme-challenge/<token> from inside a fresh pod).

Recommended answer

This might be worth a look. I ran into a similar Connection Timeout issue.

Change the LoadBalancer in the ingress-nginx service.

Add/change externalTrafficPolicy: Cluster.

The reason is that the certificate issuer's pod is on a different node than the load balancer, so it cannot talk to itself through the ingress.

Here is the full block, taken from raw.githubusercontent/kubernetes/ingress-nginx/nginx-0.26.1/deploy/static/provider/cloud-generic.yaml:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  #CHANGE/ADD THIS
  externalTrafficPolicy: Cluster
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
---
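The "self check GET request" that keeps timing out above is just an HTTP GET for /.well-known/acme-challenge/<token> whose body must equal the Challenge's Key (the ACME key authorization). The script below reproduces that check by hand so you can run it from a pod on any node and tell a connect timeout (the node/LB hairpin problem the answer fixes) apart from a 404 (solver Ingress not routing) or a body mismatch (a stale solver answering). It is an added example, not cert-manager's code and not part of the original answer; the function names, the sample account JWK (a constructed placeholder, not a real key) and the local stand-in solver are this example's own.

```python
"""Reproduce cert-manager's HTTP-01 self-check GET by hand (added example)."""
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed sample ACME account key (public half; the modulus is a placeholder
# string, not real key material). Only its thumbprint is used below.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-example-only"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token '.' thumbprint. This is the Challenge's Key field and
    the exact body the solver must serve."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def self_check(host: str, token: str, expected: str, port: int = 80,
               timeout: float = 5.0, host_header: Optional[str] = None) -> dict:
    """GET http://host:port/.well-known/acme-challenge/<token> and compare the body.

    Returns {"ok": bool, "reason": str}; the reason separates the failures that all
    end up as 'pending' in the Challenge status. host_header lets you target a node
    or load-balancer IP directly while still presenting the real domain.
    """
    headers = {"User-Agent": "acme-selfcheck-example/1.0"}
    if host_header:
        headers["Host"] = host_header
    req = urllib.request.Request(f"http://{host}:{port}{CHALLENGE_PATH}{token}", headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore http_proxy
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:  # subclass of URLError, so it must come first
        return {"ok": False, "reason": f"http {e.code}: nothing serves {CHALLENGE_PATH}{token} "
                                       "(solver Ingress/Service missing or wrong ingress class)"}
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)) or "timed out" in str(e.reason):
            return {"ok": False, "reason": "connect timeout: packets to the node/LB are dropped "
                                           "(externalTrafficPolicy: Local hairpin, firewall, LB health)"}
        return {"ok": False, "reason": f"connect error: {e.reason}"}
    except (socket.timeout, TimeoutError):
        return {"ok": False, "reason": "read timeout: connected but no response"}
    if body != expected:
        return {"ok": False, "reason": f"body mismatch: got {body[:60]!r}, expected the key authorization"}
    return {"ok": True, "reason": "challenge reachable and body matches"}


class ChallengeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the cm-acme-http-solver pod (local demo only)."""
    responses: dict = {}  # path -> body, set per server in serve_challenge_locally

    def do_GET(self):
        body = self.responses.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # keep the demo quiet
        pass


def serve_challenge_locally(token: str, body: str) -> Tuple[HTTPServer, int]:
    """Start a loopback solver answering only CHALLENGE_PATH+token; returns (server, port)."""
    handler = type("SolverHandler", (ChallengeHandler,), {"responses": {CHALLENGE_PATH + token: body}})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port() -> int:
    """A loopback port nothing listens on, to exercise the unreachable path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    token = "example-token"
    expected = key_authorization(token, SAMPLE_ACCOUNT_JWK)
    srv, port = serve_challenge_locally(token, expected)
    try:
        for tok, exp, p in [(token, expected, port), ("other-token", expected, port),
                            (token, "stale.value", port), (token, expected, closed_port())]:
            print(self_check("127.0.0.1", tok, exp, port=p, timeout=2))
    finally:
        srv.shutdown()
        srv.server_close()
```

To use it against a real cluster, copy the script into a pod started with kubectl run (as the question did) on a node that does not host an ingress-nginx pod, and call self_check with the Dns Name and Key shown by kubectl describe challenge; a "connect timeout" from that node but success from a node that runs ingress-nginx is the externalTrafficPolicy: Local symptom the answer describes, which `kubectl -n ingress-nginx patch svc ingress-nginx -p '{"spec":{"externalTrafficPolicy":"Cluster"}}'` switches. Keep the trade-off in mind before patching: with Cluster the node SNATs the connection, so ingress-nginx sees a node IP instead of the client's, and anything keyed on the client address (nginx.ingress.kubernetes.io/whitelist-source-range, per-IP rate limits, access logs you rely on for forensics) needs the client IP delivered another way, for example PROXY protocol from the load balancer.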

Published: 2023-11-26 03:06:27
Source: https://www.elefans.com/category/jswz/34/1632385.html