当前位置: 文江博客话题详情

如何向 Kubernetes nginx (GKE) 提供 LetsEncrypt 证书?

发布于 2025-01-09 05:49:00 字数 989 浏览 2 评论 0原文

我正在学习 Google Cloud 平台,试图实现我的第一个项目,但在教程中迷失了方向。我陷入了尝试实现 nginx 入口的困境。我的入口卡在 CrashLoopBackoff 中,日志显示以下错误。

我知道如何使用 DockerCompose 完成此任务,但不知道这里。

我从哪里开始?

1#1: cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

我还不确定这是否有帮助,但我已经设置了证书颁发机构服务 (https://cloud.google.com/certificate-authority-service/docs/best-practices)。

原文

I am learning the Google Cloud platform, trying to implement my first project and am getting lost in the tutorials. I am stuck at the trying to implement an nginx ingress. My ingress is stuck in CrashLoopBackoff and the logs show the following error.

I know how to do this task with DockerCompose, but not here.

Where do I start?

1#1: cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I am not yet certain this is helpful, but I have set up the Certificate Authority Service (https://cloud.google.com/certificate-authority-service/docs/best-practices).

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

℡寂寞咖啡 2025-01-16 05:49:00

我建议不要使用它并遵循 GCP CA 设置的设置,而是使用 cert-manager 与入口。

Cert-manager 将从 let's-encrypt CA 获取 TLS 证书,cert-manager 将在 k8s 中创建密钥并将经过验证的证书存储到密钥中。

您可以根据主机将机密附加到入口并使用它。

Cert-manager 安装

YAML 示例:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

您可以阅读此博客作为参考:https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d

Instead of using that and following setup of GCP CA setup i would suggest using cert-manager with the ingress.

Cert-manager will get the TLS cert from let's-encrypt CA , cert-manager will create the secret into k8s and store verified certificate into a secret.

You can attach secret with the ingress, as per host and use it.

Cert-manager installation

YAML example :

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

You can read this blog for ref : https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d

回复 原文
~没有更多了~

关于作者

金兰素衣

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

饮湿

文章 0 评论 0

明月

文章 0 评论 0

02

文章 0 评论 0

hs1283

文章 0 评论 0

风向决定发型

文章 0 评论 0

落花浅忆

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文