Kubernetes Nginx侵入Cert Manager和letsencrypt不允许在域名中使用通配符

Question

我有一个自我托管的Kubernetes集群，带有一个Nginx入侵。证书管理器也在集群上运行，我尝试使用Letsencrypt获得有效的SSL证书。这一切都有效，我为example.com、www.example.com或app1.example.com获得了一个有效的证书，但对于一般通配符*.example.com却没有。如果我尝试以任何方式在sec.tls.hosts下的入口输入通配符，就不会为我生成任何证书。我得到的输出

kubectl get certificate

NAME              READY   SECRET            AGE
tls-test-cert     False   tls-electi-cert   20h

kubectl get CertificateRequest

NAME                    APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-test-cert-8jw75     True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   18m

kubectl describe CertificateRequest

[...]
Status:
  Conditions:
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-02-27T13:54:38Z
    Message:               Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From          Message
  ----    ------           ----  ----          -------
  Normal  cert-manager.io  18m   cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     18m   cert-manager  Created Order resource gateway/tls-test-cert-8jw75-1425588341
  Normal  OrderPending     18m   cert-manager  Waiting on certificate issuance from order gateway/tls-test-cert-8jw75-1425588341: ""

我的Nginx攻入：(我把我的域名交换到example.com以获得这篇文章)

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-management
  namespace: gateway
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
  - secretName: tls-test-cert
    hosts:
      - example.com
      - '*.example.com'
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80
    - host: '*.example.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-gateway
                port:
                  number: 80

发行人：(我在这里编辑了我的电子邮件)

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: *******
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

我的反向代理(测试网关)肯定可以工作，并将所有子域转发到我的网站上。提前感谢您对造成这一问题的任何想法。

Answer 1

谢谢你的帮助，我解决了我的问题：

基本上，我必须找到一种新的方法，因为http01不能颁发通配卡证书。(参见这里：https://cert-manager.io/docs/configuration/acme/)经过一项小小的研究，我得出结论，使用dns01求解器是最有意义的。文档可以在这里找到：https://cert-manager.io/docs/configuration/acme/dns01/

由于dns01的配置在很大程度上依赖于您的DNS提供程序，所以我不会在这里发布我的解决方案，但是在文档中可以很容易地找到有用的配置。