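cert-manager with ZeroSSL creates multiple orders even though the previous order is ready

Problem description

I am using a ZeroSSL account to create ACME certificates. I was able to obtain the EAB credentials from ZeroSSL and add them to the ClusterIssuer.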

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: zerossl-prod
spec:
  acme:
    # The Acme server URL
    server: https://acme.zerossl.com/v2/DV90
    externalAccountBinding:
      keyID: keyidFromZeroSSL
      keySecretRef:
        name: zerossl-eabsecret
        key: value
      keyAlgorithm: HS256
    # Name of a secret used to store the Acme account private key
    privateKeySecretRef:
      name: zerossl-prod
    solvers:
    - dns01:
        route53:
          region: eu-central-1

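The issuer was set up successfully in the cluster. No problem here.

Next, when I create a CertificateRequest using a CSR, it never reaches the Ready state. Even though I can see the certificate being created on ZeroSSL, I cannot see the CertificateRequest become ready in cert-manager.

This is in the CertificateRequest: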

message: 'Waiting on certificate issuance from order default/mytestcert-4230347456:
  "ready"'
reason: Pending
status: "False"
type: Ready

And this is in the logs:

E0129 09:27:23.134393       1 controller.go:143] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item  due to error processing" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"mytestcert\": the object has been modified; please apply your changes to the latest version and try again" "key"="default/mytestcert

I0129 09:27:23.092737       1 sync.go:77] cert-manager/controller/orders "msg"="Creating new Acme order as status.url is not set" "resource_kind"="Order" "resource_name"="mytestcert-4230347456" "resource_namespace"="default"

I0129 09:27:23.092865       1 sync.go:190] cert-manager/controller/orders "msg"="order URL not set,submitting Order to Acme server" "resource_kind"="Order" "resource_name"="mytestcert-4230347456" "resource_namespace"="default"

I can also see that the ACME records were created in Route53.

This is what I see when I describe the Order:

dnsNames:
- subdomain.dev.domain.com
- '*.mytestcert.subdomain.dev.domain.com'
issuerRef:
  kind: ClusterIssuer
  name: zerossl-prod
status:
  authorizations:
  - challenges:
    - token: Dx6JuVjZvrqOVCt0XnZBA_hZ4b4dsMYWikYdZ7Muovs
      type: dns-01
      url: https://acme.zerossl.com/v2/DV90/chall/FuZk8FkdubEA3l3sPtcKBw
    identifier: mytestcert.subdomain.dev.domain.com
    initialState: pending
    url: https://acme.zerossl.com/v2/DV90/authz/M-Xy9ZHTMplpBXjvxpcnPg
    wildcard: true
  - challenges:
    - token: JlYucJq9g8JhcR1PbQA-24AMT0jurB0CWmvytcJccn4
      type: http-01
      url: https://acme.zerossl.com/v2/DV90/chall/fJPyzw1G82XM6vsPj4pciw
    - token: 4Q9KKoyMP0FDX-mmJEGmz4xcI3lmEISvo_izFqsk-I0
      type: dns-01
      url: https://acme.zerossl.com/v2/DV90/chall/11o2BonMlGgHnJp65oDIDg
    identifier: subdomain.dev.domain.com
    initialState: pending
    url: https://acme.zerossl.com/v2/DV90/authz/cPBHkbnLvEqMZYg0A_BJ_Q
    wildcard: false
  finalizeURL: https://acme.zerossl.com/v2/DV90/order/ZoWmwVynu0IQ31CC-jy3BA/finalize
  state: ready
  url: https://acme.zerossl.com/v2/DV90/order/ZoWmwVynu0IQ31CC-jy3BA

This is what I see when I set a watch on the Challenges:

mytestcert-322629104-1271033422   pending   mytestcert.subdomain.dev.domain.com   73s
mytestcert-322629104-2202102765   pending   subdomain.dev.domain.com                    73s
mytestcert-322629104-1271033422   valid     mytestcert.subdomain.dev.domain.com   100s
mytestcert-322629104-2202102765   valid     subdomain.dev.domain.com                    100s
mytestcert-322629104-1271033422   valid     mytestcert.subdomain.dev.domain.com   111s
mytestcert-322629104-2202102765   valid     subdomain.dev.domain.com                    111s
mytestcert-322629104-3344217095             mytestcert.subdomain.dev.domain.com   0s
mytestcert-322629104-2697588659             subdomain.dev.domain.com                    0s
mytestcert-322629104-1271033422   valid     mytestcert.subdomain.dev.domain.com   2m16s
mytestcert-322629104-3344217095             mytestcert.subdomain.dev.domain.com   26s
mytestcert-322629104-2202102765   valid     subdomain.dev.domain.com                    2m17s
mytestcert-322629104-3344217095   pending   mytestcert.subdomain.dev.domain.com   26s
mytestcert-322629104-2697588659             subdomain.dev.domain.com                    27s
mytestcert-322629104-2697588659   pending   subdomain.dev.domain.com                    27s

This is what I see when I put a watch on the Orders:

mytestcert-322629104   pending   79s
mytestcert-322629104   ready     2m8s
mytestcert-322629104   valid     2m18s
mytestcert-322629104   valid     2m18s
mytestcert-322629104             0s
mytestcert-322629104   pending   0s
mytestcert-322629104   pending   0s
mytestcert-322629104   ready     107s
mytestcert-322629104   valid     117s
mytestcert-322629104   valid     117s
mytestcert-322629104             0s
mytestcert-322629104   pending   0s
mytestcert-322629104   pending   0s

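Meanwhile, cert-manager tries to generate/retrieve the certificate, and I can see that it creates about 4 certificates in ZeroSSL. The certificates can be downloaded from ZeroSSL and they look fine.

But I cannot download the certificates from ZeroSSL manually, because I rely on my application code getting the certificate from cert-manager.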
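
A helper for quantifying the loop visible in the Order watch above, added here as an example (it is not part of the original question or of cert-manager): it counts how many times each Order leaves the valid state, meaning issuance restarted after it had already succeeded. The function names are hypothetical, and the input is assumed to have the columns NAME, optional STATE, AGE, as in the watch output shown in the question.

```shell
#!/bin/sh
# Added example: count issuance restarts per Order from watch-style output.
# Input lines: NAME [STATE] AGE  (STATE is blank right after the Order is re-created).
# Output: "<order-name> <restarts>", one line per Order seen.
count_reissues() {
  awk '
    NF < 2 || $1 == "NAME" { next }        # skip blank lines and a header row
    {
      name  = $1
      state = (NF >= 3) ? $2 : ""          # two fields means the state column is empty
      # An Order that was valid and is now anything else has been started over.
      if (prev[name] == "valid" && state != "valid") restarts[name]++
      prev[name] = state
      seen[name] = 1
    }
    END { for (n in seen) printf "%s %d\n", n, restarts[n] }
  '
}

# Sample input: the Order watch lines copied from the question above.
sample_watch() {
  cat <<'EOF'
mytestcert-322629104   pending   79s
mytestcert-322629104   ready     2m8s
mytestcert-322629104   valid     2m18s
mytestcert-322629104   valid     2m18s
mytestcert-322629104             0s
mytestcert-322629104   pending   0s
mytestcert-322629104   pending   0s
mytestcert-322629104   ready     107s
mytestcert-322629104   valid     117s
mytestcert-322629104   valid     117s
mytestcert-322629104             0s
mytestcert-322629104   pending   0s
mytestcert-322629104   pending   0s
EOF
}

sample_watch | count_reissues
```

Because the summary is printed at end of input, save a watch session to a file first and feed that file to count_reissues. A count above zero means each restart submitted a new order to the CA, which matches the extra certificates seen in the ZeroSSL account.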
