Kubernetes Cert-Manager LetsEncrypt certificate not ready

enyaitl3 posted on 2023-08-03 in Kubernetes

I am trying to set up Cert-Manager for LetsEncrypt certificates using the following.
Deployed cert-manager:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Then I created:

---

apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: prod-cert-tabv
  namespace: cert-manager
  annotations:
    kubed.appscode.com/sync: ""
data:
  ca.crt: ''
  tls.crt: ''
  tls.key: ''

---

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-tabv
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: Devops@example.com
    privateKeySecretRef:
      name: prod-cert-tabv
    solvers:
    - dns01:
        route53:
          region: us-west-2
          hostedZoneID: ####
          accessKeyID: ####
          secretAccessKeySecretRef:
            name: aws-secret
            key: secret_key
      selector:
          dnsZones:
            - "tabv.io"

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: prod-cert-tabv
  namespace: cert-manager
spec:
  commonName: '*.tabv.io'
  secretName: prod-cert-tabv
  dnsNames:
    - 'tabv.io'
    - '*.tabv.io'
  issuerRef:
    name: letsencrypt-tabv
    kind: ClusterIssuer
    group: cert-manager.io

---


But I noticed the following.

Certificate:

user@mbp tabv % kubectl -n cert-manager get certificate prod-cert-tabv
NAME              READY   SECRET            AGE
prod-cert-tabv   False   prod-cert-tabv   170m

user@lc-mbp-09 tabv % kubectl -n cert-manager describe certificate prod-cert-tabv
Name:         prod-cert-tabv
Namespace:    cert-manager
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-07-31T19:23:30Z
  Generation:          1
  Resource Version:    464690336
  UID:                 f9c5b1b3-f825-4595-8a0a-ad86ed483015
Spec:
  Common Name:  *.tabv.io
  Dns Names:
    *.tabv.io
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-tabv
  Secret Name:  prod-cert-tabv
Status:
  Conditions:
    Last Transition Time:        2023-07-31T19:23:30Z
    Message:                     Issuing certificate as Secret does not contain a private key
    Observed Generation:         1
    Reason:                      MissingData
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2023-07-31T19:23:30Z
    Message:                     Issuing certificate as Secret does not contain a private key
    Observed Generation:         1
    Reason:                      MissingData
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  prod-cert-tabv-6tkxg
Events:                          <none>

Certificate request:

user@lc-mbp-09 tabv % kubectl -n cert-manager get certificaterequest prod-cert-tabv-tfqq7
NAME                    APPROVED   DENIED   READY   ISSUER              REQUESTOR                                         AGE
prod-cert-tabv-tfqq7   True                False   letsencrypt-tabv   system:serviceaccount:cert-manager:cert-manager   171m
user@lc-mbp-09 tabv % kubectl -n cert-manager describe certificaterequest prod-cert-tabv-tfqq7
Name:         prod-cert-tabv-tfqq7
Namespace:    cert-manager
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: prod-cert-tabv
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: prod-cert-tabv-6tkxg
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2023-07-31T19:23:30Z
  Generate Name:       prod-cert-tabv-
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  prod-cert-tabv
    UID:                   f9c5b1b3-f825-4595-8a0a-ad86ed483015
  Resource Version:        464690347
  UID:                     5c3601db-0a03-40fc-94d4-5890d52d26b2
Spec:
  Extra:
    authentication.kubernetes.io/pod-name:
      cert-manager-67459fb8df-rhwwm
    authentication.kubernetes.io/pod-uid:
      26929c44-246b-4d84-9612-32cb25d92b6f
  Groups:
    system:serviceaccounts
    system:serviceaccounts:cert-manager
    system:authenticated
  Issuer Ref:
    Group:   cert-manager.io
    Kind:    ClusterIssuer
    Name:    letsencrypt-tabv
  Request:   LS0tLS1CRUdJbDIwWUJ5dXcyVmhselV0aEM5U0Q0OU1vZDdHbEtvNWRWQ3FvVTM3Q3FhZDQ2OTFTSEpxcHY2SgpsN0tjSVEvNEV4K0RsWHBlYjBBR2xBTTl6T3lxTmdZU3ppUDVyNFhsN0pTa2hZY1hsVWlrOVRVZng0cWp1RzRWCkRla21STDd3ZHNoT29Ocyt0WThRZnRrT3F3M0FMMGNBeXVFeWV6ODdKL1p0anBTa3RxVklSc1FBd29tZFc4R1QKTE5ud3krUUVVcDQ0aDgzS042cm9YQndsVGcxR0crY1g2amtpUCswUTRja3lxandXekFlMnNMZFhGUDg5WVowawpIcGE4VnZWcjJJUWM3bStBMTJwVXJrdEM1c3V5QWpuNFI4ZGFsUmc4b3dCTlJmbz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  UID:       55734729-8dbf-4188-a478-ac1c6aaf5067
  Username:  system:serviceaccount:cert-manager:cert-manager
Status:
  Conditions:
    Last Transition Time:  2023-07-31T19:23:30Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2023-07-31T19:23:30Z
    Message:               Referenced issuer does not have a Ready status condition
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:                    <none>
user@lc-mbp-09 tabv %

cert-manager logs:

kubectl -n cert-manager logs -f cert-manager-67459fb8df-rhwwm
I0731 19:20:15.142767       1 secret_manager.go:94] "cert-manager/certificates-issuing: applying Secret data" key="cert-manager/qa-cert" resource_name="qa-cert" resource_namespace="cert-manager" resource_kind="Certificate" resource_version="v1" secret="qa-cert" message="missing base label controller.cert-manager.io/fao"
I0731 19:20:15.165330       1 secret_manager.go:94] "cert-manager/certificates-issuing: applying Secret data" key="cert-manager/staging-cert" resource_name="staging-cert" resource_namespace="cert-manager" resource_kind="Certificate" resource_version="v1" secret="staging-cert" message="missing base label controller.cert-manager.io/fao"
I0731 19:20:15.380020       1 setup.go:315] "cert-manager/clusterissuers: verified existing registration with ACME server" resource_name="letsencrypt" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
I0731 19:20:15.729538       1 setup.go:208] "cert-manager/clusterissuers: skipping re-verifying ACME account as cached registration details look sufficient" resource_name="letsencrypt" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
I0731 19:20:19.517306       1 setup.go:208] "cert-manager/clusterissuers: skipping re-verifying ACME account as cached registration details look sufficient" resource_name="letsencrypt" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-key" related_resource_namespace="cert-manager" related_resource_kind="Secret"
I0731 19:22:39.289379       1 conditions.go:96] Setting lastTransitionTime for Issuer "letsencrypt-tabv" condition "Ready" to 2023-07-31 19:22:39.289359259 +0000 UTC m=+177.068327883
I0731 19:23:30.545678       1 trigger_controller.go:194] "cert-manager/certificates-trigger: Certificate must be re-issued" key="cert-manager/prod-cert-tabv" reason="MissingData" message="Issuing certificate as Secret does not contain a private key"
I0731 19:23:30.545719       1 conditions.go:203] Setting lastTransitionTime for Certificate "prod-cert-tabv" condition "Issuing" to 2023-07-31 19:23:30.545711456 +0000 UTC m=+228.324680084
I0731 19:23:30.546906       1 conditions.go:203] Setting lastTransitionTime for Certificate "prod-cert-tabv" condition "Ready" to 2023-07-31 19:23:30.546890651 +0000 UTC m=+228.325859278
I0731 19:23:30.580849       1 controller.go:162] "cert-manager/certificates-readiness: re-queuing item due to optimistic locking on resource" key="cert-manager/prod-cert-tabv" error="Operation cannot be fulfilled on certificates.cert-manager.io \"prod-cert-tabv\": the object has been modified; please apply your changes to the latest version and try again"
I0731 19:23:30.581084       1 conditions.go:203] Setting lastTransitionTime for Certificate "prod-cert-tabv" condition "Ready" to 2023-07-31 19:23:30.581074597 +0000 UTC m=+228.360043227
I0731 19:23:30.869832       1 controller.go:162] "cert-manager/certificates-key-manager: re-queuing item due to optimistic locking on resource" key="cert-manager/prod-cert-tabv" error="Operation cannot be fulfilled on certificates.cert-manager.io \"prod-cert-tabv\": the object has been modified; please apply your changes to the latest version and try again"
I0731 19:23:30.899007       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "prod-cert-tabv-tfqq7" condition "Approved" to 2023-07-31 19:23:30.898994272 +0000 UTC m=+228.677962898
I0731 19:23:30.918419       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "prod-cert-tabv-tfqq7" condition "Ready" to 2023-07-31 19:23:30.918395977 +0000 UTC m=+228.697364596
I0731 22:18:22.119057       1 requestmanager_controller.go:323] "cert-manager/certificates-request-manager: CertificateRequest does not match requirements on certificate.spec, deleting CertificateRequest" key="cert-manager/prod-cert-tabv" related_resource_name="prod-cert-tabv-tfqq7" related_resource_namespace="cert-manager" related_resource_kind="CertificateRequest" related_resource_version="v1" violations=[spec.dnsNames]
I0731 22:18:22.202577       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "prod-cert-tabv-r6kt7" condition "Approved" to 2023-07-31 22:18:22.199139896 +0000 UTC m=+10719.978108520
I0731 22:18:22.241112       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "prod-cert-tabv-r6kt7" condition "Ready" to 2023-07-31 22:18:22.240521605 +0000 UTC m=+10720.019490230


I see this message in the status: Referenced issuer does not have a Ready status condition
This is on EKS Version : v1.22.17-eks-a5565ad
What am I missing here?

nwnhqdif #1

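Check whether a newer version of cert-manager is being used in your environment. In that case, there may be a mismatch between your Kubernetes version and the cert-manager version, which may cause this issue. See the supported releases, which can help you determine the supported Kubernetes versions.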
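
Added example (not part of the posts above and not cert-manager's own code): the status message in the question points from the CertificateRequest to its issuer, so this Python function checks the ClusterIssuer, CertificateRequest and Certificate in dependency order and returns the first one that is not Ready. The sample objects are constructed from the question's output; the issuer's empty status, the helper names and the `NoReadyCondition` label are assumptions of the example.

```python
# Added example. Inputs are dicts shaped like `kubectl get <kind> <name> -o json` output.

def ready_condition(obj):
    """Return the resource's Ready condition, or None when status has none."""
    for cond in (obj.get("status") or {}).get("conditions") or []:
        if cond.get("type") == "Ready":
            return cond
    return None


def first_blocker(issuer, request, certificate):
    """Check issuer -> request -> certificate in dependency order and return
    (kind, name, reason, message) for the first one not Ready, else None."""
    for obj in (issuer, request, certificate):
        kind, name = obj["kind"], obj["metadata"]["name"]
        cond = ready_condition(obj)
        if cond is None:
            # "NoReadyCondition" is this example's own label, not a cert-manager reason.
            return (kind, name, "NoReadyCondition", "no Ready condition in status")
        if cond.get("status") != "True":
            return (kind, name, cond.get("reason", ""), cond.get("message", ""))
    return None


def ready(status, reason="", message=""):
    """Build a Ready condition entry for the constructed samples below."""
    return {"type": "Ready", "status": status, "reason": reason, "message": message}


# Constructed sample objects: names, reasons and messages are copied from the
# question; the issuer's empty status is an assumption.
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-tabv"}, "status": {}}
REQUEST = {"kind": "CertificateRequest", "metadata": {"name": "prod-cert-tabv-tfqq7"},
           "status": {"conditions": [
               {"type": "Approved", "status": "True"},
               ready("False", "Pending",
                     "Referenced issuer does not have a Ready status condition")]}}
CERTIFICATE = {"kind": "Certificate", "metadata": {"name": "prod-cert-tabv"},
               "status": {"conditions": [
                   ready("False", "MissingData",
                         "Issuing certificate as Secret does not contain a private key")]}}

if __name__ == "__main__":
    print(first_blocker(ISSUER, REQUEST, CERTIFICATE))
```

On a live cluster, `kubectl describe clusterissuer letsencrypt-tabv` shows the issuer's Ready condition with its reason and message.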
