Comments (23)
Could you please paste logs from the alidns-webhook pod?
And have you changed anything of bundle.yaml?
from alidns-webhook.
Yes, I changed your bundle.yaml, because the apiversion "certmanager.k8s.io/v1alpha1" is old
then I changed the apiversion to "cert-manager.io/v1alpha2"
from alidns-webhook.
@pragkent and the alidns-pod logs is
from alidns-webhook.
@pragkent the pod error is "I0311 09:06:21.887651 1 log.go:172] http: TLS handshake error from 192.168.40.115:44962: remote error: tls: bad certificate" Why?
from alidns-webhook.
Please check your bundle.yaml. I think you also need to change annotations of APIService from
certmanager.k8s.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"
to
cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"
from alidns-webhook.
@pragkent After changing this file, I still have this error
```
I0312 07:27:54.904753 1 log.go:172] http: TLS handshake error from 192.168.40.115:57886: remote error: tls: bad certificate
I0312 07:28:20.022454 1 log.go:172] http: TLS handshake error from 192.168.40.115:57950: remote error: tls: bad certificate
I0312 07:28:20.105644 1 log.go:172] http: TLS handshake error from 192.168.40.115:57952: remote error: tls: bad certificate
I0312 07:28:22.278387 1 log.go:172] http: TLS handshake error from 192.168.40.115:57966: remote error: tls: bad certificate
```
from alidns-webhook.
@pragkent Have you tested this feature yourself recently?
from alidns-webhook.
Have not. I only tested on cert-manager 0.8.1.
What's your cert-manager version?
from alidns-webhook.
@pragkent My cert-manager is 0.13. Can you test it on the new version? I think your warehouse is the official webhook
from alidns-webhook.
@Hello-Linux ok, I'll have a test. I'll get back to you later.
from alidns-webhook.
bad certificate +1
from alidns-webhook.
@Hello-Linux it's my fault.
The DNS names used in webhook-tls are wrong, which caused the TLS handshake error.
And according to the current RBAC settings, the webhook pod needs access rights to alidns-secret, so it would be easier to use ClusterIssuer instead of Issuer, and create alidns-secret in the cert-manager namespace.
You can find details here:
fix
from alidns-webhook.
@yinfxs Please try master branch.
from alidns-webhook.
@pragkent No problem now?
from alidns-webhook.
@pragkent I just tested it and it still doesn't work
from alidns-webhook.
I tested this on my machine, it works fine.
Could you please paste your bundle.yaml, cert and issuer here?
from alidns-webhook.
And the tls certificate contents:
```
kubectl describe cert -n cert-manager alidns-webhook-webhook-tls
```
from alidns-webhook.
@pragkent
My clusterIssuer is
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-http01
    solvers:
    - http01: # ACME HTTP-01 solver configurations
        ingress:
          class: nginx
      selector:
        dnsNames:
        - 'spagobi.nihao.com'
        - 'fortress.nihao.com'
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
      selector:
        dnsNames:
        - 'jira.nihao.com'
        - 'wiki.nihao.com'
```
My Certificate.yaml is
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: jira
  namespace: common
spec:
  secretName: jira-server-tls
  issuerRef:
    name: letsencrypt-http01
    kind: ClusterIssuer
  commonName: jira.nihao.com
  dnsNames:
  - jira.nihao.com
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wiki
  namespace: common
spec:
  secretName: wiki-server-tls
  issuerRef:
    name: letsencrypt-http01
    kind: ClusterIssuer
  commonName: wiki.nihao.com
  dnsNames:
  - wiki.nihao.com
```
from alidns-webhook.
Hmm... I just tested your bundle.yaml on a brand new gke cluster, and it works.
```
pragkent@cloudshell:~$ kubectl logs -n cert-manager alidns-webhook-6d9b499464-gsjmq
I0314 02:08:11.486549 1 secure_serving.go:116] Serving securely on [::]:443
I0314 02:11:57.312131 1 solver.go:47] Presenting txt record: _acme-challenge.jira.nihao2.com. com.
```
The webhook pod is serving https traffic using tls cert saved in cert-manager/alidns-webhook-webhook-tls.
Maybe you can try to delete the webhook resources and apply them again?
```
kubectl delete -f bundle.yaml
# also delete tls secrets generated by webhook certificates.
kubectl delete secret -n cert-manager alidns-webhook-webhook-tls alidns-webhook-ca
```
from alidns-webhook.
@pragkent Succeeded! Just delete and re-create it.
from alidns-webhook.
Cool, then I'll close the issue for now.
from alidns-webhook.
@pragkent ok
from alidns-webhook.
@pragkent and the alidns-pod logs is
Got the same issue.
Just delete the pod alidns-webhook-; after the new pod is created, the error is gone and the certificate is in READY status.
from alidns-webhook.