Getting Kubernetes certbot standalone working

Stack Overflow user
Asked on 2018-10-20 07:14:48
1 answer · 922 views · 0 followers · 8 votes

I'm trying to generate an SSL certificate in kubernetes with the certbot/certbot docker container. I'm using a controller for this purpose, which seems the most suitable option. When I run the standalone option I get the following error:

Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)

I've made sure this isn't caused by a misconfigured DNS entry by running a simple nginx container, and it resolves correctly. Here is my Jobs file:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  #labels:
  #  app: certbot-generator
  name: certbot
spec:
  template:
    metadata:
      labels:
        app: certbot-generate
    spec:
      volumes:
        - name: certs
      containers:
        - name: certbot
          image: certbot/certbot
          command: ["certbot"]
          #command: ["yes"]
          args: ["certonly", "--noninteractive", "--agree-tos", "--staging", "--standalone", "-d", "staging.ishankhare.com", "-m", "me@ishankhare.com"]

          volumeMounts:
            - name: certs
              mountPath: "/etc/letsencrypt/"
              #- name: certs
              #mountPath: "/opt/"
          ports:
            - containerPort: 80
            - containerPort: 443
      restartPolicy: "OnFailure"
```

My Service is:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: certbot-lb
  labels:
    app: certbot-lb
spec:
  type: LoadBalancer
  loadBalancerIP: 35.189.170.149
  ports:
    - port: 80
      name: "http"
      protocol: TCP
    - port: 443
      name: "tls"
      protocol: TCP
  selector:
    app: certbot-generator
```

The full error message looks like this:

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging.ishankhare.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. staging.ishankhare.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: staging.ishankhare.com
   Type:   connection
   Detail: Fetching
   http://staging.ishankhare.com/.well-known/acme-challenge/tpumqbcDWudT7EBsgC7IvtSzZvMAuooQ3PmSPh9yng8:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
```

I've also tried running it as a simple Pod, but that didn't help. I still feel that running it as a Job to completion is the way to go.

1 Answer

Stack Overflow user

Accepted answer

Posted on 2018-11-20 18:30:20

First, note that your Job definition is valid, but the value of spec.template.metadata.labels.app: certbot-generate does not match the Service definition's spec.selector.app: certbot-generator: one is certbot-generate, the other is certbot-generator. So the pods run by the Job controller are never added as endpoints of the Service.

Adjust one or the other, but they must match, and it might just work :)

That said, I'm not sure whether a Service with a selector targeting the short-lived pods from a Job controller works at all, and as you tested, it didn't work with a simple Pod either. The certbot-randomId pod created by the Job (or any simple Pod you create) takes about 15 seconds in total to run/fail, and the validation challenge is triggered only a few seconds after the pod is up: it's not clear to me that the kubernetes proxying between the Service and the pod is already in place by then.

We can safely assume the Service actually works, since you mentioned you tested the DNS resolution, so you can easily make sure this isn't a timing issue by adding a sleep 10 (or more!) before certbot triggers the HTTP challenge, giving more time for the pod to be added as an endpoint of the Service and proxied appropriately. Just change the Job command and args to:

```yaml
command: ["/bin/sh"]
args: ["-c", "sleep 10 && certbot certonly --noninteractive --agree-tos --staging --standalone -d staging.ishankhare.com -m me@ishankhare.com"]
```

With that, it might also work :)

Still, I'd strongly recommend you use cert-manager, which you can easily install via its stable Helm chart: the Certificate custom resource it introduces stores your certificate in a Secret, which you can reuse directly from any K8s resource, and it handles renewal automatically so you can completely forget about it.

Votes: 2
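As an added example (not code from the question or the answer), a small pre-deployment check in Python that catches the two wiring mistakes the answer discusses: a Service selector that does not match the Job's pod template labels, and a Service port with no matching containerPort. The manifests are constructed from the question's YAML; the function and variable names are assumptions of this example.

```python
# Constructed from the question's manifests (not the page's own code);
# the app label / selector mismatch is the bug the accepted answer points out.
JOB = {
    "apiVersion": "batch/v1", "kind": "Job", "metadata": {"name": "certbot"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "certbot-generate"}},
        "spec": {"containers": [{"name": "certbot", "image": "certbot/certbot",
                                 "ports": [{"containerPort": 80}, {"containerPort": 443}]}]},
    }},
}
SERVICE = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "certbot-lb"},
    "spec": {"type": "LoadBalancer", "selector": {"app": "certbot-generator"},
             "ports": [{"port": 80, "name": "http", "protocol": "TCP"},
                       {"port": 443, "name": "tls", "protocol": "TCP"}]},
}

def selector_matches(selector: dict, labels: dict) -> bool:
    """Equality-based selector semantics: every selector key must be present in the
    pod labels with exactly that value. An empty selector selects no pods."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def container_ports(pod_spec: dict) -> set:
    """Numbers and names of every containerPort declared in the pod template."""
    found = set()
    for c in pod_spec.get("containers", []):
        for p in c.get("ports", []):
            found.add(p["containerPort"])
            if "name" in p:
                found.add(p["name"])
    return found

def check_service_targets_job(service: dict, job: dict) -> list:
    """Return findings as strings; an empty list means the wiring is consistent."""
    findings = []
    tmpl = job["spec"]["template"]
    labels = tmpl.get("metadata", {}).get("labels", {})
    selector = service["spec"].get("selector", {})
    if not selector_matches(selector, labels):
        findings.append(f"selector {selector} does not match pod template labels "
                        f"{labels}: the Job's pods never become Endpoints of the Service")
    exposed = container_ports(tmpl["spec"])
    for port in service["spec"].get("ports", []):
        target = port.get("targetPort", port["port"])  # targetPort defaults to port
        if target not in exposed:
            findings.append(f"Service port {port['port']} targets {target!r}, "
                            "which no container in the pod template exposes")
    return findings
```

Running `check_service_targets_job(SERVICE, JOB)` on the question's manifests reports exactly the certbot-generate / certbot-generator mismatch; once the label is corrected the list is empty.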
Original page content provided by Stack Overflow. Translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/52903335