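I'm trying to install cert-manager v0.13.0 on my minikube cluster. I followed their tutorial, but the cert-manager pod seems to keep timing out while trying to reach the LetsEncrypt API server: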
$ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.13.0/deploy/manifests/00-crds.yaml
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager --namespace cert-manager --version v0.13.0 jetstack/cert-manager

Here is my YAML:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xx@yyy.com
    privateKeySecretRef:
      name: my-issuer-account-key
    solvers:
    - dns01:
        cloudflare:
          email: xx@yyy.com
          apiKeySecretRef:
            name: cloudflare-api-token-secret
            key: api-token

The cert-manager pod logs show a timeout:
I0209 20:43:34.382250 1 logger.go:90] Calling GetAccount
E0209 20:43:39.384093 1 setup.go:208] cert-manager/controller/clusterissuers "msg"="failed to verify ACME account" "error"="Get https://acme-staging-v02.api.letsencrypt.com/directory: dial tcp 192.64.119.254:443: i/o timeout" "related_resource_kind"="Secret" "related_resource_name"="my-issuer-account-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt" "resource_namespace"=""
E0209 20:43:39.385555 1 sync.go:81] cert-manager/controller/clusterissuers "msg"="error setting up issuer" "error"="Get https://acme-staging-v02.api.letsencrypt.com/directory: dial tcp 192.64.119.254:443: i/o timeout" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt" "resource_namespace"=""
E0209 20:43:39.389659 1 controller.go:131] cert-manager/controller/clusterissuers "msg"="re-queuing item due to error processing" "error"="Get https://acme-staging-v02.api.letsencrypt.com/directory: dial tcp 192.64.119.254:443: i/o timeout" "key"="letsencrypt"

So I set up a bash shell to check the API's reachability, and there seems to be no problem:
$ kubectl run my-shell -n cert-manager --rm -i --tty --image ubuntu -- bash
$ apt-get update -y
$ apt-get install -y curl
$ curl https://acme-staging-v02.api.letsencrypt.org/directory
{
  "xxxxxxxxx": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

Update: As requested, here is the /etc/resolv.conf file from the bash shell:
nameserver 10.96.0.10
search cert-manager.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

But I don't know how to get the same file from cert-manager, since it won't let me open /bin/sh or /bin/bash.
I don't know why the timeout happens. Any ideas?
Posted on 2020-02-18 16:54:27
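You mentioned the ACME server as acme-staging-v02.api.letsencrypt.org/directory, but the request seems to be made to acme-staging-v02.api.letsencrypt.com/directory. There is a difference between .com and .org. Please check your clusterissuer yaml with the following command:
kubectl get clusterissuer letsencrypt -o yaml

If you added the wrong url in the yaml, you can always delete that clusterissuer and create it again.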
https://stackoverflow.com/questions/60141734
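
The comparison the answer describes, as an added example that is not part of the original question or answer: a shell check that pulls the host cert-manager actually dialed out of its error log and compares it with the intended ACME server URL. The function names are hypothetical, and the sample log lines are the question's own with trailing fields trimmed.

```shell
#!/bin/sh
# Added example (not from the original post): compare the host cert-manager
# dials, as recorded in its error log, with the intended ACME host.

# host_of URL: print the host part of an http(s) URL.
host_of() {
  printf '%s\n' "$1" | sed -E 's#^https?://([^/:]+).*#\1#'
}

# dialed_hosts: read log text on stdin, print each unique host that appears
# in a `Get https://host/...` error message.
dialed_hosts() {
  grep -oE 'Get https?://[^/: "]+' | sed -E 's#^Get https?://##' | sort -u
}

# check_acme_host INTENDED_URL < log
# Returns 0 if every dialed host matches, 1 on a mismatch, 2 if the log
# contains no ACME requests at all.
check_acme_host() {
  expected=$(host_of "$1")
  rc=2
  for h in $(dialed_hosts); do
    if [ "$rc" -eq 2 ]; then rc=0; fi
    if [ "$h" != "$expected" ]; then
      echo "MISMATCH: log dials $h, expected $expected"
      rc=1
    fi
  done
  return "$rc"
}

# Two error lines from the question's log (trailing key/value fields trimmed).
SAMPLE_LOG=$(cat <<'EOF'
E0209 20:43:39.384093 1 setup.go:208] cert-manager/controller/clusterissuers "msg"="failed to verify ACME account" "error"="Get https://acme-staging-v02.api.letsencrypt.com/directory: dial tcp 192.64.119.254:443: i/o timeout"
E0209 20:43:39.385555 1 sync.go:81] cert-manager/controller/clusterissuers "msg"="error setting up issuer" "error"="Get https://acme-staging-v02.api.letsencrypt.com/directory: dial tcp 192.64.119.254:443: i/o timeout"
EOF
)

# Server URL as written in the question's manifest. On a live cluster, read
# the applied value instead:
#   kubectl get clusterissuer letsencrypt -o jsonpath='{.spec.acme.server}'
INTENDED="https://acme-staging-v02.api.letsencrypt.org/directory"

printf '%s\n' "$SAMPLE_LOG" | check_acme_host "$INTENDED" || echo "exit status: $?"
```

A mismatch here while the manifest on disk looks correct means the object applied to the cluster differs from the file, which is why the answer checks the live ClusterIssuer.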