- The issuer's privateKeySecretRef points at an automatically generated private key; you only need to give the secret a name.
- Use kubectl describe on the corresponding resource to see whether creation succeeded and, if not, why. Walk down the chain layer by layer (issuer, certificate, order, and so on); each resource carries detailed error information.
- ACME Issuer type represents a single Account registered with the ACME server.
1. register -> returns the generated fulldomain
2. Add a DNS record: _acme-challenge.targetdomain.com CNAME fulldomain
3. Create an acmedns.json file from the register result, in the following format:
{
  "taomiao.store": {
    "username": "ec953ce2-a147-4980-816a-9fd820b086da",
    "password": "HqJxoWxm7bVsA12prMOJFlakouNGNs39v0AZIlP3",
    "fulldomain": "e214d520-19c9-4d32-858d-99818ea41654.auth.acme-dns.io",
    "subdomain": "e214d520-19c9-4d32-858d-99818ea41654",
    "allowfrom": []
  }
}
kubectl create secret generic acme-dns --from-file acmedns.json
Different domains can all use this one registered account: configure the corresponding DNS record for each domain and keep acmedns.json up to date.
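Added example, not from the original post: a pre-flight check for the acmedns.json file before it becomes the acme-dns secret. It verifies each entry's shape, that fulldomain is subdomain plus the acme-dns host, lists the CNAMEs that must be published, and compares an observed CNAME target with the expected one. The account data and UUIDs below are constructed placeholders.

```python
"""Pre-flight checks for the acmedns.json consumed by cert-manager's acme-dns solver."""
import json
from urllib.parse import urlparse

# Constructed sample in the format the register call returns (placeholder values).
SAMPLE_ACMEDNS_JSON = """{
  "example.com": {
    "username": "00000000-0000-4000-8000-000000000001",
    "password": "CONSTRUCTED-PASSWORD-PLACEHOLDER",
    "fulldomain": "11111111-2222-4333-8444-555555555555.auth.acme-dns.io",
    "subdomain": "11111111-2222-4333-8444-555555555555",
    "allowfrom": []
  }
}"""
REQUIRED_KEYS = {"username", "password", "fulldomain", "subdomain", "allowfrom"}


def load_accounts(text):
    """Parse acmedns.json: one entry per domain cert-manager may issue for."""
    return json.loads(text)


def check_account(domain, acct, acme_dns_host="https://auth.acme-dns.io"):
    """Return problems for one entry; entries prefixed 'warning:' do not block issuance."""
    problems = []
    missing = REQUIRED_KEYS - acct.keys()
    if missing:
        problems.append(f"{domain}: missing keys {sorted(missing)}")
    host = urlparse(acme_dns_host).hostname
    expected = f"{acct.get('subdomain')}.{host}"
    if acct.get("fulldomain") != expected:
        problems.append(f"{domain}: fulldomain should be {expected}")
    if not acct.get("allowfrom"):
        # acme-dns accepts updates from any source IP when allowfrom is empty
        problems.append(f"warning: {domain}: allowfrom is empty, no source-IP restriction")
    return problems


def expected_cname_records(accounts):
    """CNAMEs the operator must publish: _acme-challenge.<domain> -> fulldomain."""
    return {f"_acme-challenge.{d}": a["fulldomain"] for d, a in accounts.items()}


def cname_matches(domain, observed_target, accounts):
    """Compare an observed CNAME target (as printed by dig) with the expected
    fulldomain, ignoring case and the trailing dot DNS tools append."""
    expected = accounts[domain]["fulldomain"]
    return observed_target.rstrip(".").lower() == expected.lower()
```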
- Create the Issuer from the information above
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        acmedns:
          host: https://auth.acme-dns.io
          accountSecretRef:
            name: acme-dns
            key: acmedns.json
After it is created, use kubectl describe to check whether creation succeeded; if it failed, the detailed failure information is shown there. For production, use the following configuration:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        acmedns:
          host: https://auth.acme-dns.io
          accountSecretRef:
            name: acme-dns
            key: acmedns.json
- Create the Certificate from the information above
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: taomiao-store
  namespace: cert-manager
spec:
  secretName: taomiao-store-tls
  renewBefore: 360h # 15d
  commonName: taomiao.store
  dnsNames:
  - taomiao.store
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
As soon as this file is created, cert-manager starts the certificate issuance flow;
you can inspect the issuer, certificate, order and challenge with kubectl describe.
- Once the Certificate is created, if nothing went wrong, a secret named taomiao-store-tls (Certificate.spec.secretName) is generated;
in it you can see the generated key and the certificate itself.
The generated fullchain.crt contains the certificate for your own domain together with the Let's Encrypt CA certificate and can be used directly; it also works without problems inside WeChat.
How cert-manager achieves the automation
- dns01
Using the third-party acme-dns + acme.sh approach.
As shown above, a single CNAME on the target domain is all that is needed for secure automation.
References
Setting up Issuers » Setting up ACME Issuers » Configuring DNS01 Challenge Providers » ACME-DNS