入口nginx cert-manager证书在浏览器上无效

Question

我遇到了一个相当奇怪的问题，已经被困在这个问题上两天了。我有一个运行nginx-ingress和cert-manager的kubernetes集群。虽然通过HTTPS访问我的网站时，一切似乎运行正常，但它给出了以下错误(在chromium中)：

NET::ERR_CERT_AUTHORITY_INVALID

如果我继续，它会正常加载站点，但没有证书。

证书已正确提供，密钥已创建，任何地方都没有错误。

我的入口资源中有以下注释：

    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-production"
    ingress.kubernetes.io/ssl-redirect: "true"

我的集群颁发者：

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    # The ACME production api URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: *********
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-production
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

证书资源返回：

 Normal  Issuing    108s   cert-manager  The certificate has been successfully issued

我对kubernetes比较陌生，所以如果有任何其他的调试步骤，请让我知道。

Answer 1

您正在使用未提供有效证书的acme临时server: https://acme-staging-v02.api.letsencrypt.org/directory服务器。要获得有效的证书，您必须使用acme生产服务器server: https://acme-v02.api.letsencrypt.org/directory。你可以试试这个。

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    # The ACME production api URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: *********
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-production
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx