I have a Kubernetes cluster, version 1.15.5, in Azure, in which I installed cert-manager version v0.14.0.
It works fine, automatically issuing Let's Encrypt certificates based on a valid DNS name: MY_DOMAIN points to the external IP address of the ingress controller.
I would also like to be able to do the same thing using, for example, certbot. I tried running certbot on my cluster:
kubectl run --generator=run-pod/v1 certbot-shell --rm -i --tty --image certbot/certbot:amd64-latest -- -d MY_DOMAIN --manual --preferred-challenges http certonly
But it fails:
Create a file containing just this data:
QAPu****-klNq1RBgY
And make it available on your web server at this URL:
http://MY_DOMAIN/.well-known/acme-challenge/QAPu****-klNq1RBgY
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain MY_DOMAIN
http-01 challenge for MY_DOMAIN
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: MY_DOMAIN
Type: unauthorized
Detail: Invalid response from
http://MY_DOMAIN/.well-known/acme-challenge/QAPuDTHa****1qlLLOg
[13.x.x.x]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
So cert-manager somehow automatically takes care of creating the file during the challenge and making it available at:
http://MY_DOMAIN/.well-known/acme-challenge/QAPu****-klNq1RBgY
But I am not sure how to do this when using certbot, or whether there is another way to do it?
Following the suggestion below, I tried installing Kube lego (0.1.2) (intended for older 1.8 clusters), but it seems to fail:
level=error msg="Error while processing certificate requests: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details." context=kubelego
So I tried upgrading to:
https://acme-staging-v02.api.letsencrypt.org/directory
But then I get:
level=error msg="Error while processing certificate requests: Head : unsupported protocol scheme \"\"" context=kubelego
I found:
https://github.com/jetstack/kube-lego/issues/301
So it looks like kube-lego cannot work with ACME version 2 :-(
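The `unauthorized` / 404 error above means the CA's validator fetched `http://MY_DOMAIN/.well-known/acme-challenge/TOKEN` and did not get the key authorization back, because nothing in the cluster was routing that path when Enter was pressed. As an added example (not part of the question or of certbot), the script below performs the same fetch yourself before telling certbot to continue, so a misrouted ingress shows up as a local check failure instead of a failed ACME challenge. It assumes you pass the domain, the token from the URL certbot prints, and the file contents certbot prints (the key authorization); the sample values in the usage are constructed.

```python
"""Pre-flight check for an ACME http-01 challenge served from a Kubernetes ingress.

Fetches the challenge URL the way the CA's validator does (plain HTTP, port 80,
redirects followed) and compares the body with the key authorization. Let's
Encrypt ignores trailing whitespace in the body, so the comparison does too.
"""
import sys
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_url(domain: str, token: str) -> str:
    """URL the CA will request for this token (always http://, never https://)."""
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def http_fetch(url: str, timeout: float = 10.0):
    """Fetch url over HTTP and return (status_code, body_text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 4xx/5xx: the CA would see this too
        return exc.code, ""


def check_http01(domain: str, token: str, key_authorization: str, fetch=http_fetch):
    """Return (ok, reason). `fetch` is injectable so the logic can be tested offline."""
    url = challenge_url(domain, token)
    status, body = fetch(url)
    if status != 200:
        # A 404 from the ingress controller's default backend is exactly the
        # failure certbot reported: no route serves the challenge path.
        return False, f"HTTP {status} for {url}; the CA would report 'unauthorized'"
    if body.rstrip() != key_authorization:
        return False, "200 OK but body does not match the key authorization"
    return True, "challenge response is reachable and correct"


if __name__ == "__main__":
    # Constructed usage: python check_http01.py MY_DOMAIN TOKEN TOKEN.THUMBPRINT
    if len(sys.argv) != 4:
        sys.exit("usage: check_http01.py DOMAIN TOKEN KEY_AUTHORIZATION")
    ok, reason = check_http01(sys.argv[1], sys.argv[2], sys.argv[3])
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it from outside the cluster (the validator's point of view) after placing the file and before pressing Enter in certbot; a FAIL with HTTP 404 points at ingress routing, not at certbot or DNS.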