[{"data":1,"prerenderedAt":2596},["ShallowReactive",2],{"navigation":3,"posts-undefined-阿里云-0-999":20},[4,8,12,16],{"title":5,"path":6,"stem":7},"首页","\u002F","00.index",{"title":9,"path":10,"stem":11},"文章","\u002Fposts","01.posts",{"title":13,"path":14,"stem":15},"动态","\u002Fmoments","02.moments",{"title":17,"path":18,"stem":19},"关于","\u002Fabout","09.about",[21,2098,2250,2530],{"id":22,"title":23,"body":24,"class":2075,"cover":2076,"coverSize":2075,"date":2077,"description":2078,"draft":2079,"extension":2080,"hideComments":2079,"location":2075,"meta":2081,"navigation":386,"path":2082,"readingTime":2083,"seo":2088,"sitemap":2089,"stem":2090,"tags":2091,"time":2075,"weather":2096,"__hash__":2097},"posts\u002Fposts\u002F2020\u002F20200227.k8s-cert-manager-tls.md","k8s 上利用 cert-manager 自动签发 TLS 证书",{"type":25,"value":26,"toc":2073},"minimark",[27,36,43,53,61,70,75,82,110,113,223,228,257,263,348,352,441,445,469,640,645,663,666,702,705,712,853,857,875,878,924,938,945,953,1450,1473,1491,1500,1503,1511,1514,1518,1521,1559,1604,1609,1674,1682,1687,1898,1902,1918,1920,1950,1953,1956,2002,2020,2031,2069],[28,29,30,31,35],"p",{},"很多博主的 ",[32,33,34],"code",{},"https"," 证书经常容易忘记更新，虽说证书过期前都会有邮件提醒，但是万一确实忙得没时间去处理，忘记了，就会出现证书过期的情况了。",[28,37,38,39,42],{},"之前在服务器上自己搭博客服务的时候，用 ",[32,40,41],{},"Let's Encrypt"," 来自动创建并续签证书，确实省了不少事。",[28,44,45,46,49,50,52],{},"在我的博客部署到 ",[32,47,48],{},"k8s"," 之后，就一直用的一年一签的免费证书，每年更新一次，也不算特别麻烦，但是总归不够高端，我又怀念起了 ",[32,51,41],{},"。",[28,54,55,57,58,60],{},[32,56,41],{}," 是个好东西，",[32,59,48],{}," 也是个好东西，两个好东西怎么结合呢？搜寻了一番确实有方案，经过几天的尝试，终于弄好了。花了几天是因为第一天因为有个粗心导致的问题，导致搞了好久没成功，休息了几天再次尝试，才找到问题。",[28,62,63,64,66,67,69],{},"有关 ",[32,65,48],{}," 的基础知识，这里不做赘述，网上教程很多，这里假设大家对 ",[32,68,48],{}," 都有一定了解。",[71,72,74],"h4",{"id":73},"安装-cert-manager","安装 cert-manager",[28,76,77,78,81],{},"安装 ",[32,79,80],{},"helm"," 到本地",[83,84,89],"pre",{"className":85,"code":86,"language":87,"meta":88,"style":88},"language-bash shiki shiki-themes material-theme-lighter github-light 
github-dark","$ brew install helm\n","bash","",[32,90,91],{"__ignoreMap":88},[92,93,96,100,104,107],"span",{"class":94,"line":95},"line",1,[92,97,99],{"class":98},"sbgvK","$",[92,101,103],{"class":102},"s_sjI"," brew",[92,105,106],{"class":102}," install",[92,108,109],{"class":102}," helm\n",[28,111,112],{},"添加仓库和命名空间",[83,114,116],{"className":85,"code":115,"language":87,"meta":88,"style":88},"$ kubectl create namespace cert-manager # 创建 cert-manager 命名空间\n$ kubectl label namespace cert-manager certmanager.io\u002Fdisable-validation=true # 标记 cert-manager 命名空间以禁用资源验证\n$ kubectl apply --validate=false -f https:\u002F\u002Fgithub.com\u002Fjetstack\u002Fcert-manager\u002Freleases\u002Fdownload\u002Fv0.14.1\u002Fcert-manager-legacy.crds.yaml # 安装 CustomResourceDefinition 资源，注意 k8s 版本低于 1.15 需要用 legacy 版本\n$ helm repo add jetstack https:\u002F\u002Fcharts.jetstack.io # 添加 Jetstack Helm repository\n$ helm repo update # 更新本地 Helm chart repository\n",[32,117,118,138,162,185,208],{"__ignoreMap":88},[92,119,120,122,125,128,131,134],{"class":94,"line":95},[92,121,99],{"class":98},[92,123,124],{"class":102}," kubectl",[92,126,127],{"class":102}," create",[92,129,130],{"class":102}," namespace",[92,132,133],{"class":102}," cert-manager",[92,135,137],{"class":136},"sutJx"," # 创建 cert-manager 命名空间\n",[92,139,141,143,145,148,150,152,155,159],{"class":94,"line":140},2,[92,142,99],{"class":98},[92,144,124],{"class":102},[92,146,147],{"class":102}," label",[92,149,130],{"class":102},[92,151,133],{"class":102},[92,153,154],{"class":102}," certmanager.io\u002Fdisable-validation=",[92,156,158],{"class":157},"s39Yj","true",[92,160,161],{"class":136}," # 标记 cert-manager 命名空间以禁用资源验证\n",[92,163,165,167,169,172,176,179,182],{"class":94,"line":164},3,[92,166,99],{"class":98},[92,168,124],{"class":102},[92,170,171],{"class":102}," apply",[92,173,175],{"class":174},"stzsN"," --validate=false",[92,177,178],{"class":174}," -f",[92,180,181],{"class":102}," 
https:\u002F\u002Fgithub.com\u002Fjetstack\u002Fcert-manager\u002Freleases\u002Fdownload\u002Fv0.14.1\u002Fcert-manager-legacy.crds.yaml",[92,183,184],{"class":136}," # 安装 CustomResourceDefinition 资源，注意 k8s 版本低于 1.15 需要用 legacy 版本\n",[92,186,188,190,193,196,199,202,205],{"class":94,"line":187},4,[92,189,99],{"class":98},[92,191,192],{"class":102}," helm",[92,194,195],{"class":102}," repo",[92,197,198],{"class":102}," add",[92,200,201],{"class":102}," jetstack",[92,203,204],{"class":102}," https:\u002F\u002Fcharts.jetstack.io",[92,206,207],{"class":136}," # 添加 Jetstack Helm repository\n",[92,209,211,213,215,217,220],{"class":94,"line":210},5,[92,212,99],{"class":98},[92,214,192],{"class":102},[92,216,195],{"class":102},[92,218,219],{"class":102}," update",[92,221,222],{"class":136}," # 更新本地 Helm chart repository\n",[28,224,77,225],{},[32,226,227],{},"cert-manager",[83,229,231],{"className":85,"code":230,"language":87,"meta":88,"style":88},"$ helm install cert-manager --namespace cert-manager --version v0.14.1 jetstack\u002Fcert-manager\n",[32,232,233],{"__ignoreMap":88},[92,234,235,237,239,241,243,246,248,251,254],{"class":94,"line":95},[92,236,99],{"class":98},[92,238,192],{"class":102},[92,240,106],{"class":102},[92,242,133],{"class":102},[92,244,245],{"class":174}," --namespace",[92,247,133],{"class":102},[92,249,250],{"class":174}," --version",[92,252,253],{"class":102}," v0.14.1",[92,255,256],{"class":102}," jetstack\u002Fcert-manager\n",[28,258,259,260,262],{},"查看 ",[32,261,227],{}," 安装情况",[83,264,266],{"className":85,"code":265,"language":87,"meta":88,"style":88},"$ kubectl get pods --namespace cert-manager\nNAME                                       READY   STATUS    RESTARTS   AGE\ncert-manager-6cff8dc7b9-8vxws              1\u002F1     Running   0          4d10h\ncert-manager-cainjector-795c46858f-txczb   1\u002F1     Running   0          4d10h\ncert-manager-webhook-5dfc77cd74-skgsv      1\u002F1     Running   0          
4d10h\n",[32,267,268,285,302,320,334],{"__ignoreMap":88},[92,269,270,272,274,277,280,282],{"class":94,"line":95},[92,271,99],{"class":98},[92,273,124],{"class":102},[92,275,276],{"class":102}," get",[92,278,279],{"class":102}," pods",[92,281,245],{"class":174},[92,283,284],{"class":102}," cert-manager\n",[92,286,287,290,293,296,299],{"class":94,"line":140},[92,288,289],{"class":98},"NAME",[92,291,292],{"class":102},"                                       READY",[92,294,295],{"class":102},"   STATUS",[92,297,298],{"class":102},"    RESTARTS",[92,300,301],{"class":102},"   AGE\n",[92,303,304,307,310,313,317],{"class":94,"line":164},[92,305,306],{"class":98},"cert-manager-6cff8dc7b9-8vxws",[92,308,309],{"class":102},"              1\u002F1",[92,311,312],{"class":102},"     Running",[92,314,316],{"class":315},"srdBf","   0",[92,318,319],{"class":102},"          4d10h\n",[92,321,322,325,328,330,332],{"class":94,"line":187},[92,323,324],{"class":98},"cert-manager-cainjector-795c46858f-txczb",[92,326,327],{"class":102},"   1\u002F1",[92,329,312],{"class":102},[92,331,316],{"class":315},[92,333,319],{"class":102},[92,335,336,339,342,344,346],{"class":94,"line":210},[92,337,338],{"class":98},"cert-manager-webhook-5dfc77cd74-skgsv",[92,340,341],{"class":102},"      1\u002F1",[92,343,312],{"class":102},[92,345,316],{"class":315},[92,347,319],{"class":102},[71,349,351],{"id":350},"更新-cert-manager","更新 cert-manager",[83,353,355],{"className":85,"code":354,"language":87,"meta":88,"style":88},"$ kubectl delete -n cert-manager deployment cert-manager cert-manager-cainjector cert-manager-webhook\n\n$ kubectl apply --validate=false -f https:\u002F\u002Fgithub.com\u002Fjetstack\u002Fcert-manager\u002Freleases\u002Fdownload\u002Fv0.14.1\u002Fcert-manager-legacy.crds.yaml\n\n$ helm repo update\n$ helm upgrade --version v0.14.1 cert-manager jetstack\u002Fcert-manager -n 
cert-manager\n",[32,356,357,382,388,403,407,418],{"__ignoreMap":88},[92,358,359,361,363,366,369,371,374,376,379],{"class":94,"line":95},[92,360,99],{"class":98},[92,362,124],{"class":102},[92,364,365],{"class":102}," delete",[92,367,368],{"class":174}," -n",[92,370,133],{"class":102},[92,372,373],{"class":102}," deployment",[92,375,133],{"class":102},[92,377,378],{"class":102}," cert-manager-cainjector",[92,380,381],{"class":102}," cert-manager-webhook\n",[92,383,384],{"class":94,"line":140},[92,385,387],{"emptyLinePlaceholder":386},true,"\n",[92,389,390,392,394,396,398,400],{"class":94,"line":164},[92,391,99],{"class":98},[92,393,124],{"class":102},[92,395,171],{"class":102},[92,397,175],{"class":174},[92,399,178],{"class":174},[92,401,402],{"class":102}," https:\u002F\u002Fgithub.com\u002Fjetstack\u002Fcert-manager\u002Freleases\u002Fdownload\u002Fv0.14.1\u002Fcert-manager-legacy.crds.yaml\n",[92,404,405],{"class":94,"line":187},[92,406,387],{"emptyLinePlaceholder":386},[92,408,409,411,413,415],{"class":94,"line":210},[92,410,99],{"class":98},[92,412,192],{"class":102},[92,414,195],{"class":102},[92,416,417],{"class":102}," update\n",[92,419,421,423,425,428,430,432,434,437,439],{"class":94,"line":420},6,[92,422,99],{"class":98},[92,424,192],{"class":102},[92,426,427],{"class":102}," upgrade",[92,429,250],{"class":174},[92,431,253],{"class":102},[92,433,133],{"class":102},[92,435,436],{"class":102}," jetstack\u002Fcert-manager",[92,438,368],{"class":174},[92,440,284],{"class":102},[71,442,444],{"id":443},"创建-clusterissuer","创建 ClusterIssuer",[28,446,447,448,450,451,454,455,458,459,461,462,464,465,468],{},"我们需要创建一个签发机构，",[32,449,227],{}," 提供了",[32,452,453],{},"Issuer"," 和 ",[32,456,457],{},"ClusterIssuer"," 两种类型的签发机构，",[32,460,453],{}," 只能用来签发自己所在命名空间下的证书，ClusterIssuer 可以签发任意命名空间下的证书（这也意味着集群里任何有权限创建 Certificate 或相应 Ingress 资源的人都能通过它申请证书，相关 RBAC 权限要收紧），我这里用 ",[32,463,457],{}," 为例，创建 ",[32,466,467],{},"letsencrypt-prod.yaml"," 文件：",[83,470,474],{"className":471,"code":472,"language":473,"meta":88,"style":88},"language-yaml shiki 
shiki-themes material-theme-lighter github-light github-dark","apiVersion: cert-manager.io\u002Fv1alpha2\nkind: ClusterIssuer\nmetadata:\n  labels:\n    name: letsencrypt-prod\n  name: letsencrypt-prod # 自定义的签发机构名称，后面会引用\nspec:\n  acme:\n    email: yourname@youremail.com # 你的邮箱，证书快过期的时候会邮件提醒，不过我们可以设置自动续期\n    solvers:\n      - http01:\n          ingress:\n            class: nginx\n    privateKeySecretRef:\n      name: letsencrypt-prod # 指示此签发机构的私钥将要存储到哪个 Secret 对象中\n    server: https:\u002F\u002Facme-v02.api.letsencrypt.org\u002Fdirectory # acme 协议的服务端，我们用 Let's Encrypt\n","yaml",[32,475,476,489,499,507,514,524,537,545,553,567,575,586,594,605,613,626],{"__ignoreMap":88},[92,477,478,482,486],{"class":94,"line":95},[92,479,481],{"class":480},"sQzsp","apiVersion",[92,483,485],{"class":484},"sP7_E",":",[92,487,488],{"class":102}," cert-manager.io\u002Fv1alpha2\n",[92,490,491,494,496],{"class":94,"line":140},[92,492,493],{"class":480},"kind",[92,495,485],{"class":484},[92,497,498],{"class":102}," ClusterIssuer\n",[92,500,501,504],{"class":94,"line":164},[92,502,503],{"class":480},"metadata",[92,505,506],{"class":484},":\n",[92,508,509,512],{"class":94,"line":187},[92,510,511],{"class":480},"  labels",[92,513,506],{"class":484},[92,515,516,519,521],{"class":94,"line":210},[92,517,518],{"class":480},"    name",[92,520,485],{"class":484},[92,522,523],{"class":102}," letsencrypt-prod\n",[92,525,526,529,531,534],{"class":94,"line":420},[92,527,528],{"class":480},"  name",[92,530,485],{"class":484},[92,532,533],{"class":102}," letsencrypt-prod",[92,535,536],{"class":136}," # 自定义的签发机构名称，后面会引用\n",[92,538,540,543],{"class":94,"line":539},7,[92,541,542],{"class":480},"spec",[92,544,506],{"class":484},[92,546,548,551],{"class":94,"line":547},8,[92,549,550],{"class":480},"  acme",[92,552,506],{"class":484},[92,554,556,559,561,564],{"class":94,"line":555},9,[92,557,558],{"class":480},"    email",[92,560,485],{"class":484},[92,562,563],{"class":102}," 
yourname@youremail.com",[92,565,566],{"class":136}," # 你的邮箱，证书快过期的时候会邮件提醒，不过我们可以设置自动续期\n",[92,568,570,573],{"class":94,"line":569},10,[92,571,572],{"class":480},"    solvers",[92,574,506],{"class":484},[92,576,578,581,584],{"class":94,"line":577},11,[92,579,580],{"class":484},"      -",[92,582,583],{"class":480}," http01",[92,585,506],{"class":484},[92,587,589,592],{"class":94,"line":588},12,[92,590,591],{"class":480},"          ingress",[92,593,506],{"class":484},[92,595,597,600,602],{"class":94,"line":596},13,[92,598,599],{"class":480},"            class",[92,601,485],{"class":484},[92,603,604],{"class":102}," nginx\n",[92,606,608,611],{"class":94,"line":607},14,[92,609,610],{"class":480},"    privateKeySecretRef",[92,612,506],{"class":484},[92,614,616,619,621,623],{"class":94,"line":615},15,[92,617,618],{"class":480},"      name",[92,620,485],{"class":484},[92,622,533],{"class":102},[92,624,625],{"class":136}," # 指示此签发机构的私钥将要存储到哪个 Secret 对象中\n",[92,627,629,632,634,637],{"class":94,"line":628},16,[92,630,631],{"class":480},"    server",[92,633,485],{"class":484},[92,635,636],{"class":102}," https:\u002F\u002Facme-v02.api.letsencrypt.org\u002Fdirectory",[92,638,639],{"class":136}," # acme 协议的服务端，我们用 Let's Encrypt\n",[28,641,642,643],{},"应用 ",[32,644,473],{},[83,646,648],{"className":85,"code":647,"language":87,"meta":88,"style":88},"$ kubectl create -f letsencrypt-prod.yaml\n",[32,649,650],{"__ignoreMap":88},[92,651,652,654,656,658,660],{"class":94,"line":95},[92,653,99],{"class":98},[92,655,124],{"class":102},[92,657,127],{"class":102},[92,659,178],{"class":174},[92,661,662],{"class":102}," letsencrypt-prod.yaml\n",[28,664,665],{},"查看状态",[83,667,669],{"className":85,"code":668,"language":87,"meta":88,"style":88},"$ kubectl get clusterissuer\nNAME               READY   AGE\nletsencrypt-prod   True    
51s\n",[32,670,671,682,691],{"__ignoreMap":88},[92,672,673,675,677,679],{"class":94,"line":95},[92,674,99],{"class":98},[92,676,124],{"class":102},[92,678,276],{"class":102},[92,680,681],{"class":102}," clusterissuer\n",[92,683,684,686,689],{"class":94,"line":140},[92,685,289],{"class":98},[92,687,688],{"class":102},"               READY",[92,690,301],{"class":102},[92,692,693,696,699],{"class":94,"line":164},[92,694,695],{"class":98},"letsencrypt-prod",[92,697,698],{"class":102},"   True",[92,700,701],{"class":102},"    51s\n",[71,703,704],{"id":704},"手动签发证书",[28,706,707,708,711],{},"手动签发证书，创建 ",[32,709,710],{},"test-monkeyrun-net-cert.yaml"," 文件",[83,713,715],{"className":471,"code":714,"language":473,"meta":88,"style":88},"apiVersion: cert-manager.io\u002Fv1alpha2\nkind: Certificate\nmetadata:\n  name: test-monkeyrun-net-cert\n  namespace: test\nspec:\n  secretName: tls-test-monkeyrun-net # 证书保存的 secret 名\n  duration: 2160h # 90d\n  renewBefore: 720h # 30d\n  dnsNames:\n    - test.monkeyrun.net\n  issuerRef:\n    name: letsencrypt-prod\n    kind: ClusterIssuer\n    group: cert-manager.io\n",[32,716,717,725,734,740,749,759,765,778,791,804,811,819,826,834,843],{"__ignoreMap":88},[92,718,719,721,723],{"class":94,"line":95},[92,720,481],{"class":480},[92,722,485],{"class":484},[92,724,488],{"class":102},[92,726,727,729,731],{"class":94,"line":140},[92,728,493],{"class":480},[92,730,485],{"class":484},[92,732,733],{"class":102}," Certificate\n",[92,735,736,738],{"class":94,"line":164},[92,737,503],{"class":480},[92,739,506],{"class":484},[92,741,742,744,746],{"class":94,"line":187},[92,743,528],{"class":480},[92,745,485],{"class":484},[92,747,748],{"class":102}," test-monkeyrun-net-cert\n",[92,750,751,754,756],{"class":94,"line":210},[92,752,753],{"class":480},"  namespace",[92,755,485],{"class":484},[92,757,758],{"class":102}," 
test\n",[92,760,761,763],{"class":94,"line":420},[92,762,542],{"class":480},[92,764,506],{"class":484},[92,766,767,770,772,775],{"class":94,"line":539},[92,768,769],{"class":480},"  secretName",[92,771,485],{"class":484},[92,773,774],{"class":102}," tls-test-monkeyrun-net",[92,776,777],{"class":136}," # 证书保存的 secret 名\n",[92,779,780,783,785,788],{"class":94,"line":547},[92,781,782],{"class":480},"  duration",[92,784,485],{"class":484},[92,786,787],{"class":102}," 2160h",[92,789,790],{"class":136}," # 90d\n",[92,792,793,796,798,801],{"class":94,"line":555},[92,794,795],{"class":480},"  renewBefore",[92,797,485],{"class":484},[92,799,800],{"class":102}," 720h",[92,802,803],{"class":136}," # 30d\n",[92,805,806,809],{"class":94,"line":569},[92,807,808],{"class":480},"  dnsNames",[92,810,506],{"class":484},[92,812,813,816],{"class":94,"line":577},[92,814,815],{"class":484},"    -",[92,817,818],{"class":102}," test.monkeyrun.net\n",[92,820,821,824],{"class":94,"line":588},[92,822,823],{"class":480},"  issuerRef",[92,825,506],{"class":484},[92,827,828,830,832],{"class":94,"line":596},[92,829,518],{"class":480},[92,831,485],{"class":484},[92,833,523],{"class":102},[92,835,836,839,841],{"class":94,"line":607},[92,837,838],{"class":480},"    kind",[92,840,485],{"class":484},[92,842,498],{"class":102},[92,844,845,848,850],{"class":94,"line":615},[92,846,847],{"class":480},"    group",[92,849,485],{"class":484},[92,851,852],{"class":102}," cert-manager.io\n",[28,854,642,855],{},[32,856,473],{},[83,858,860],{"className":85,"code":859,"language":87,"meta":88,"style":88},"$ kubectl apply -f test-monkeyrun-net-cert.yaml\n",[32,861,862],{"__ignoreMap":88},[92,863,864,866,868,870,872],{"class":94,"line":95},[92,865,99],{"class":98},[92,867,124],{"class":102},[92,869,171],{"class":102},[92,871,178],{"class":174},[92,873,874],{"class":102}," test-monkeyrun-net-cert.yaml\n",[28,876,877],{},"检查是否生成证书文件",[83,879,881],{"className":85,"code":880,"language":87,"meta":88,"style":88},"$ 
kubectl get certificate -n test\nNAME                      READY   SECRET                   AGE\ntest-monkeyrun-net-cert   True    test-monkeyrun-net-tls   99m\n",[32,882,883,898,911],{"__ignoreMap":88},[92,884,885,887,889,891,894,896],{"class":94,"line":95},[92,886,99],{"class":98},[92,888,124],{"class":102},[92,890,276],{"class":102},[92,892,893],{"class":102}," certificate",[92,895,368],{"class":174},[92,897,758],{"class":102},[92,899,900,902,905,908],{"class":94,"line":140},[92,901,289],{"class":98},[92,903,904],{"class":102},"                      READY",[92,906,907],{"class":102},"   SECRET",[92,909,910],{"class":102},"                   AGE\n",[92,912,913,916,918,921],{"class":94,"line":164},[92,914,915],{"class":98},"test-monkeyrun-net-cert",[92,917,698],{"class":102},[92,919,920],{"class":102},"    test-monkeyrun-net-tls",[92,922,923],{"class":102},"   99m\n",[28,925,926,927,930,931,934,935,937],{},"将该证书配置到 ",[32,928,929],{},"test.monkeyrun.net"," 的 ",[32,932,933],{},"ingress"," 上，测试 ",[32,936,34],{}," 访问，成功。",[71,939,941],{"id":940},"创建deployment时自动签发证书",[942,943,944],"del",{},"创建Deployment时自动签发证书",[28,946,947],{},[942,948,949,950],{},"创建 ",[32,951,952],{},"test-nginx.yaml",[83,954,956],{"className":471,"code":955,"language":473,"meta":88,"style":88},"apiVersion: extensions\u002Fv1beta1\nkind: Deployment\nmetadata:\n  name: test-nginx\n  namespace: test\nspec:\n  replicas: 1\n  template:\n    metadata:\n      labels:\n        run: test-nginx\n    spec:\n      containers:\n        - name: test-nginx\n          image: nginx\n          ports:\n            - containerPort: 80\n---\napiVersion: v1\nkind: Service\nmetadata:\n  name: test-nginx\n  namespace: test\n  labels:\n    app: test-nginx\nspec:\n  ports:\n    - port: 80\n      protocol: TCP\n      name: http\n  selector:\n    run: test-nginx\n---\napiVersion: extensions\u002Fv1beta1\nkind: Ingress\nmetadata:\n  name: test-nginx\n  namespace: test\n  annotations:\n    kubernetes.io\u002Fingress.class: 
nginx\n    kubernetes.io\u002Ftls-acme: 'true'\n    certmanager.io\u002Fcluster-issuer: letsencrypt-prod\nspec:\n  rules:\n    - host: test.monkeyrun.net\n      http:\n        paths:\n          - backend:\n              serviceName: test-nginx\n              servicePort: 80\n            path: \u002F\n  tls:\n    - secretName: tls-test-monkeyrun-net\n      hosts:\n        - test.monkeyrun.net\n",[32,957,958,967,976,982,991,999,1005,1015,1022,1029,1036,1045,1052,1059,1071,1080,1087,1101,1107,1117,1127,1134,1143,1152,1159,1169,1176,1184,1196,1207,1217,1225,1235,1240,1249,1259,1266,1275,1284,1292,1302,1319,1329,1336,1344,1356,1364,1372,1383,1393,1403,1414,1422,1435,1443],{"__ignoreMap":88},[92,959,960,962,964],{"class":94,"line":95},[92,961,481],{"class":480},[92,963,485],{"class":484},[92,965,966],{"class":102}," extensions\u002Fv1beta1\n",[92,968,969,971,973],{"class":94,"line":140},[92,970,493],{"class":480},[92,972,485],{"class":484},[92,974,975],{"class":102}," Deployment\n",[92,977,978,980],{"class":94,"line":164},[92,979,503],{"class":480},[92,981,506],{"class":484},[92,983,984,986,988],{"class":94,"line":187},[92,985,528],{"class":480},[92,987,485],{"class":484},[92,989,990],{"class":102}," test-nginx\n",[92,992,993,995,997],{"class":94,"line":210},[92,994,753],{"class":480},[92,996,485],{"class":484},[92,998,758],{"class":102},[92,1000,1001,1003],{"class":94,"line":420},[92,1002,542],{"class":480},[92,1004,506],{"class":484},[92,1006,1007,1010,1012],{"class":94,"line":539},[92,1008,1009],{"class":480},"  replicas",[92,1011,485],{"class":484},[92,1013,1014],{"class":315}," 1\n",[92,1016,1017,1020],{"class":94,"line":547},[92,1018,1019],{"class":480},"  template",[92,1021,506],{"class":484},[92,1023,1024,1027],{"class":94,"line":555},[92,1025,1026],{"class":480},"    metadata",[92,1028,506],{"class":484},[92,1030,1031,1034],{"class":94,"line":569},[92,1032,1033],{"class":480},"      
labels",[92,1035,506],{"class":484},[92,1037,1038,1041,1043],{"class":94,"line":577},[92,1039,1040],{"class":480},"        run",[92,1042,485],{"class":484},[92,1044,990],{"class":102},[92,1046,1047,1050],{"class":94,"line":588},[92,1048,1049],{"class":480},"    spec",[92,1051,506],{"class":484},[92,1053,1054,1057],{"class":94,"line":596},[92,1055,1056],{"class":480},"      containers",[92,1058,506],{"class":484},[92,1060,1061,1064,1067,1069],{"class":94,"line":607},[92,1062,1063],{"class":484},"        -",[92,1065,1066],{"class":480}," name",[92,1068,485],{"class":484},[92,1070,990],{"class":102},[92,1072,1073,1076,1078],{"class":94,"line":615},[92,1074,1075],{"class":480},"          image",[92,1077,485],{"class":484},[92,1079,604],{"class":102},[92,1081,1082,1085],{"class":94,"line":628},[92,1083,1084],{"class":480},"          ports",[92,1086,506],{"class":484},[92,1088,1090,1093,1096,1098],{"class":94,"line":1089},17,[92,1091,1092],{"class":484},"            -",[92,1094,1095],{"class":480}," containerPort",[92,1097,485],{"class":484},[92,1099,1100],{"class":315}," 80\n",[92,1102,1104],{"class":94,"line":1103},18,[92,1105,1106],{"class":98},"---\n",[92,1108,1110,1112,1114],{"class":94,"line":1109},19,[92,1111,481],{"class":480},[92,1113,485],{"class":484},[92,1115,1116],{"class":102}," v1\n",[92,1118,1120,1122,1124],{"class":94,"line":1119},20,[92,1121,493],{"class":480},[92,1123,485],{"class":484},[92,1125,1126],{"class":102}," 
Service\n",[92,1128,1130,1132],{"class":94,"line":1129},21,[92,1131,503],{"class":480},[92,1133,506],{"class":484},[92,1135,1137,1139,1141],{"class":94,"line":1136},22,[92,1138,528],{"class":480},[92,1140,485],{"class":484},[92,1142,990],{"class":102},[92,1144,1146,1148,1150],{"class":94,"line":1145},23,[92,1147,753],{"class":480},[92,1149,485],{"class":484},[92,1151,758],{"class":102},[92,1153,1155,1157],{"class":94,"line":1154},24,[92,1156,511],{"class":480},[92,1158,506],{"class":484},[92,1160,1162,1165,1167],{"class":94,"line":1161},25,[92,1163,1164],{"class":480},"    app",[92,1166,485],{"class":484},[92,1168,990],{"class":102},[92,1170,1172,1174],{"class":94,"line":1171},26,[92,1173,542],{"class":480},[92,1175,506],{"class":484},[92,1177,1179,1182],{"class":94,"line":1178},27,[92,1180,1181],{"class":480},"  ports",[92,1183,506],{"class":484},[92,1185,1187,1189,1192,1194],{"class":94,"line":1186},28,[92,1188,815],{"class":484},[92,1190,1191],{"class":480}," port",[92,1193,485],{"class":484},[92,1195,1100],{"class":315},[92,1197,1199,1202,1204],{"class":94,"line":1198},29,[92,1200,1201],{"class":480},"      protocol",[92,1203,485],{"class":484},[92,1205,1206],{"class":102}," TCP\n",[92,1208,1210,1212,1214],{"class":94,"line":1209},30,[92,1211,618],{"class":480},[92,1213,485],{"class":484},[92,1215,1216],{"class":102}," http\n",[92,1218,1220,1223],{"class":94,"line":1219},31,[92,1221,1222],{"class":480},"  selector",[92,1224,506],{"class":484},[92,1226,1228,1231,1233],{"class":94,"line":1227},32,[92,1229,1230],{"class":480},"    run",[92,1232,485],{"class":484},[92,1234,990],{"class":102},[92,1236,1238],{"class":94,"line":1237},33,[92,1239,1106],{"class":98},[92,1241,1243,1245,1247],{"class":94,"line":1242},34,[92,1244,481],{"class":480},[92,1246,485],{"class":484},[92,1248,966],{"class":102},[92,1250,1252,1254,1256],{"class":94,"line":1251},35,[92,1253,493],{"class":480},[92,1255,485],{"class":484},[92,1257,1258],{"class":102}," 
Ingress\n",[92,1260,1262,1264],{"class":94,"line":1261},36,[92,1263,503],{"class":480},[92,1265,506],{"class":484},[92,1267,1269,1271,1273],{"class":94,"line":1268},37,[92,1270,528],{"class":480},[92,1272,485],{"class":484},[92,1274,990],{"class":102},[92,1276,1278,1280,1282],{"class":94,"line":1277},38,[92,1279,753],{"class":480},[92,1281,485],{"class":484},[92,1283,758],{"class":102},[92,1285,1287,1290],{"class":94,"line":1286},39,[92,1288,1289],{"class":480},"  annotations",[92,1291,506],{"class":484},[92,1293,1295,1298,1300],{"class":94,"line":1294},40,[92,1296,1297],{"class":480},"    kubernetes.io\u002Fingress.class",[92,1299,485],{"class":484},[92,1301,604],{"class":102},[92,1303,1305,1308,1310,1314,1316],{"class":94,"line":1304},41,[92,1306,1307],{"class":480},"    kubernetes.io\u002Ftls-acme",[92,1309,485],{"class":484},[92,1311,1313],{"class":1312},"sjJ54"," '",[92,1315,158],{"class":102},[92,1317,1318],{"class":1312},"'\n",[92,1320,1322,1325,1327],{"class":94,"line":1321},42,[92,1323,1324],{"class":480},"    certmanager.io\u002Fcluster-issuer",[92,1326,485],{"class":484},[92,1328,523],{"class":102},[92,1330,1332,1334],{"class":94,"line":1331},43,[92,1333,542],{"class":480},[92,1335,506],{"class":484},[92,1337,1339,1342],{"class":94,"line":1338},44,[92,1340,1341],{"class":480},"  rules",[92,1343,506],{"class":484},[92,1345,1347,1349,1352,1354],{"class":94,"line":1346},45,[92,1348,815],{"class":484},[92,1350,1351],{"class":480}," host",[92,1353,485],{"class":484},[92,1355,818],{"class":102},[92,1357,1359,1362],{"class":94,"line":1358},46,[92,1360,1361],{"class":480},"      http",[92,1363,506],{"class":484},[92,1365,1367,1370],{"class":94,"line":1366},47,[92,1368,1369],{"class":480},"        paths",[92,1371,506],{"class":484},[92,1373,1375,1378,1381],{"class":94,"line":1374},48,[92,1376,1377],{"class":484},"          -",[92,1379,1380],{"class":480}," 
backend",[92,1382,506],{"class":484},[92,1384,1386,1389,1391],{"class":94,"line":1385},49,[92,1387,1388],{"class":480},"              serviceName",[92,1390,485],{"class":484},[92,1392,990],{"class":102},[92,1394,1396,1399,1401],{"class":94,"line":1395},50,[92,1397,1398],{"class":480},"              servicePort",[92,1400,485],{"class":484},[92,1402,1100],{"class":315},[92,1404,1406,1409,1411],{"class":94,"line":1405},51,[92,1407,1408],{"class":480},"            path",[92,1410,485],{"class":484},[92,1412,1413],{"class":102}," \u002F\n",[92,1415,1417,1420],{"class":94,"line":1416},52,[92,1418,1419],{"class":480},"  tls",[92,1421,506],{"class":484},[92,1423,1425,1427,1430,1432],{"class":94,"line":1424},53,[92,1426,815],{"class":484},[92,1428,1429],{"class":480}," secretName",[92,1431,485],{"class":484},[92,1433,1434],{"class":102}," tls-test-monkeyrun-net\n",[92,1436,1438,1441],{"class":94,"line":1437},54,[92,1439,1440],{"class":480},"      hosts",[92,1442,506],{"class":484},[92,1444,1446,1448],{"class":94,"line":1445},55,[92,1447,1063],{"class":484},[92,1449,818],{"class":102},[28,1451,1452],{},[942,1453,1454,1455,1458,1459,1462,1463,454,1466,1469,1470,1472],{},"删除之前手动创建的 ",[32,1456,1457],{},"Deployment","、",[32,1460,1461],{},"Service"," 、 ",[32,1464,1465],{},"Ingress",[32,1467,1468],{},"Secret"," 后， 应用 ",[32,1471,473],{}," 来自动创建",[83,1474,1476],{"className":85,"code":1475,"language":87,"meta":88,"style":88},"$ kubectl apply -f test-nginx.yaml\n",[32,1477,1478],{"__ignoreMap":88},[92,1479,1480,1482,1484,1486,1488],{"class":94,"line":95},[92,1481,99],{"class":98},[92,1483,124],{"class":102},[92,1485,171],{"class":102},[92,1487,178],{"class":174},[92,1489,1490],{"class":102}," test-nginx.yaml\n",[28,1492,1493],{},[942,1494,1495,1496,1499],{},"打开 ",[32,1497,1498],{},"https:\u002F\u002Ftest.monkeyrun.net"," 测试，成功！",[28,1501,1502],{},"不知为何再次使用自动签发证书的时候会报错：",[83,1504,1509],{"className":1505,"code":1507,"language":1508},[1506],"language-text","E0330 07:46:30.070412       1 
sync.go:57] cert-manager\u002Fcontroller\u002Fingress-shim \"msg\"=\"failed to determine issuer to be used for ingress resource\" \"error\"=\"failed to determine issuer name to be used for ingress resource\" \"resource_kind\"=\"Ingress\" \"resource_name\"=\"xxx\" \"resource_namespace\"=\"xxx\"\n","text",[32,1510,1507],{"__ignoreMap":88},[28,1512,1513],{},"解决了半天都没能找到问题，所以还是用手动签发吧，反正也是一次性的操作。（补充：这个报错说明 ingress-shim 没能从 Ingress 的 annotation 中识别出 issuer，而上面 Ingress 里写的键名是 certmanager.io\u002Fcluster-issuer，与本文其他地方使用的 API group cert-manager.io 并不一致，可先检查该 annotation 的键名是否应为 cert-manager.io\u002Fcluster-issuer。）",[71,1515,1517],{"id":1516},"通过-dns-验证域名","通过 DNS 验证域名",[28,1519,1520],{},"刚才通过 http01 的方式验证域名会有个问题，对于已经部署上线的项目，没办法去验证，所以可以通过 dns 的方式来验证。",[28,1522,1523],{},[942,1524,1525,1526,1533,1534,1539,1540,1543,1544,1546,1547,1552,1553,1558],{},"经过搜寻，找到了几篇文章，都是利用 ",[1527,1528,1532],"a",{"href":1529,"rel":1530},"https:\u002F\u002Fgithub.com\u002Fkevinniu666",[1531],"nofollow","kevinniu666"," 这位仁兄基于  ",[1527,1535,1538],{"href":1536,"rel":1537},"https:\u002F\u002Fgithub.com\u002Fjetstack\u002Fcert-manager-webhook-example",[1531],"jetstack\u002Fcert-manager-webhook-example"," 改成 ",[32,1541,1542],{},"alidns"," 的版本来搞的，不过尝试了下，他这里面 ",[32,1545,227],{}," 版本太老已经跑不起来了，从 GitHub 的 forks 树里面找到了最新的一个 fork，",[1527,1548,1551],{"href":1549,"rel":1550},"https:\u002F\u002Fgithub.com\u002Fcolprog\u002Fcert-manager-webhook-alidns",[1531],"colprog\u002Fcert-manager-webhook-alidns","，尝试了下，也不行，他应该是改了镜像，但是不可用了。重新尝试了下上一代 fork ",[1527,1554,1557],{"href":1555,"rel":1556},"https:\u002F\u002Fgithub.com\u002Fpangzineng\u002Fcert-manager-webhook-alidns",[1531],"pangzineng\u002Fcert-manager-webhook-alidns","，可用。不过这类来路不明的 fork 部署后会拿到 AliDNS 的 AccessKey，安装前务必核对其 chart 引用的镜像来源与版本。",[83,1560,1562],{"className":85,"code":1561,"language":87,"meta":88,"style":88},"$ git clone https:\u002F\u002Fgithub.com\u002Fpangzineng\u002Fcert-manager-webhook-alidns.git\n$ cd cert-manager-webhook-alidns\n$ helm install cert-manager-webhook-alidns --namespace=cert-manager .\u002Fdeploy\u002Fwebhook-alidns\n",[32,1563,1564,1577,1587],{"__ignoreMap":88},[92,1565,1566,1568,1571,1574],{"class":94,"line":95},[92,1567,99],{"class":98},[92,1569,1570],{"class":102}," git",[92,1572,1573],{"class":102}," 
clone",[92,1575,1576],{"class":102}," https:\u002F\u002Fgithub.com\u002Fpangzineng\u002Fcert-manager-webhook-alidns.git\n",[92,1578,1579,1581,1584],{"class":94,"line":140},[92,1580,99],{"class":98},[92,1582,1583],{"class":102}," cd",[92,1585,1586],{"class":102}," cert-manager-webhook-alidns\n",[92,1588,1589,1591,1593,1595,1598,1601],{"class":94,"line":164},[92,1590,99],{"class":98},[92,1592,192],{"class":102},[92,1594,106],{"class":102},[92,1596,1597],{"class":102}," cert-manager-webhook-alidns",[92,1599,1600],{"class":174}," --namespace=cert-manager",[92,1602,1603],{"class":102}," .\u002Fdeploy\u002Fwebhook-alidns\n",[28,1605,1606],{},[942,1607,1608],{},"创建 alidns AccessKey Id 和 Secret（建议使用只授予 DNS 解析管理权限的 RAM 子账号 AccessKey，不要用主账号的；另外 --from-literal 会把密钥明文留在 shell 历史里，可改用 --from-file 从本地文件读取）",[83,1610,1612],{"className":85,"code":1611,"language":87,"meta":88,"style":88},"$ kubectl -n cert-manager create secret generic alidns-access-key-id --from-literal=accessKeyId='xxxxxxx'\n$ kubectl -n cert-manager create secret generic alidns-access-key-secret --from-literal=accessKeySecret='xxxxxxx'\n",[32,1613,1614,1646],{"__ignoreMap":88},[92,1615,1616,1618,1620,1622,1624,1626,1629,1632,1635,1638,1641,1644],{"class":94,"line":95},[92,1617,99],{"class":98},[92,1619,124],{"class":102},[92,1621,368],{"class":174},[92,1623,133],{"class":102},[92,1625,127],{"class":102},[92,1627,1628],{"class":102}," secret",[92,1630,1631],{"class":102}," generic",[92,1633,1634],{"class":102}," alidns-access-key-id",[92,1636,1637],{"class":174}," --from-literal=accessKeyId=",[92,1639,1640],{"class":1312},"'",[92,1642,1643],{"class":102},"xxxxxxx",[92,1645,1318],{"class":1312},[92,1647,1648,1650,1652,1654,1656,1658,1660,1662,1665,1668,1670,1672],{"class":94,"line":140},[92,1649,99],{"class":98},[92,1651,124],{"class":102},[92,1653,368],{"class":174},[92,1655,133],{"class":102},[92,1657,127],{"class":102},[92,1659,1628],{"class":102},[92,1661,1631],{"class":102},[92,1663,1664],{"class":102}," alidns-access-key-secret",[92,1666,1667],{"class":174}," 
--from-literal=accessKeySecret=",[92,1669,1640],{"class":1312},[92,1671,1643],{"class":102},[92,1673,1318],{"class":1312},[28,1675,1676,1677],{},"更新：使用 ",[1527,1678,1681],{"href":1679,"rel":1680},"https:\u002F\u002Fgithub.com\u002Fpragkent\u002Falidns-webhook\u002Ftree\u002Fmaster",[1531],"pragkent\u002Falidns-webhook",[28,1683,1684,1685],{},"修改我们之前创建的 ",[32,1686,467],{},[83,1688,1690],{"className":471,"code":1689,"language":473,"meta":88,"style":88},"apiVersion: cert-manager.io\u002Fv1\nkind: ClusterIssuer\nmetadata:\n  labels:\n    name: letsencrypt-prod\n  name: letsencrypt-prod # 自定义的签发机构名称，后面会引用\nspec:\n  acme:\n    email: yourname@youremail.com # 你的邮箱，证书快过期的时候会邮件提醒，不过我们可以设置自动续期\n    solvers:\n      - dns01:\n          webhook:\n            groupName: yourgroup.com\n            solverName: alidns\n            config:\n              region: ''\n              accessKeySecretRef:\n                name: alidns-secret\n                key: access-key\n              secretKeySecretRef:\n                name: alidns-secret\n                key: secret-key\n    privateKeySecretRef:\n      name: letsencrypt-prod-account-key # 指示此签发机构的私钥将要存储到哪个 Secret 对象中\n    server: https:\u002F\u002Facme-v02.api.letsencrypt.org\u002Fdirectory # acme 协议的服务端，我们用 Let's Encrypt\n",[32,1691,1692,1701,1709,1715,1721,1729,1739,1745,1751,1761,1767,1776,1783,1793,1803,1810,1820,1827,1837,1847,1854,1862,1871,1877,1888],{"__ignoreMap":88},[92,1693,1694,1696,1698],{"class":94,"line":95},[92,1695,481],{"class":480},[92,1697,485],{"class":484},[92,1699,1700],{"class":102}," 
cert-manager.io\u002Fv1\n",[92,1702,1703,1705,1707],{"class":94,"line":140},[92,1704,493],{"class":480},[92,1706,485],{"class":484},[92,1708,498],{"class":102},[92,1710,1711,1713],{"class":94,"line":164},[92,1712,503],{"class":480},[92,1714,506],{"class":484},[92,1716,1717,1719],{"class":94,"line":187},[92,1718,511],{"class":480},[92,1720,506],{"class":484},[92,1722,1723,1725,1727],{"class":94,"line":210},[92,1724,518],{"class":480},[92,1726,485],{"class":484},[92,1728,523],{"class":102},[92,1730,1731,1733,1735,1737],{"class":94,"line":420},[92,1732,528],{"class":480},[92,1734,485],{"class":484},[92,1736,533],{"class":102},[92,1738,536],{"class":136},[92,1740,1741,1743],{"class":94,"line":539},[92,1742,542],{"class":480},[92,1744,506],{"class":484},[92,1746,1747,1749],{"class":94,"line":547},[92,1748,550],{"class":480},[92,1750,506],{"class":484},[92,1752,1753,1755,1757,1759],{"class":94,"line":555},[92,1754,558],{"class":480},[92,1756,485],{"class":484},[92,1758,563],{"class":102},[92,1760,566],{"class":136},[92,1762,1763,1765],{"class":94,"line":569},[92,1764,572],{"class":480},[92,1766,506],{"class":484},[92,1768,1769,1771,1774],{"class":94,"line":577},[92,1770,580],{"class":484},[92,1772,1773],{"class":480}," dns01",[92,1775,506],{"class":484},[92,1777,1778,1781],{"class":94,"line":588},[92,1779,1780],{"class":480},"          webhook",[92,1782,506],{"class":484},[92,1784,1785,1788,1790],{"class":94,"line":596},[92,1786,1787],{"class":480},"            groupName",[92,1789,485],{"class":484},[92,1791,1792],{"class":102}," yourgroup.com\n",[92,1794,1795,1798,1800],{"class":94,"line":607},[92,1796,1797],{"class":480},"            solverName",[92,1799,485],{"class":484},[92,1801,1802],{"class":102}," alidns\n",[92,1804,1805,1808],{"class":94,"line":615},[92,1806,1807],{"class":480},"            config",[92,1809,506],{"class":484},[92,1811,1812,1815,1817],{"class":94,"line":628},[92,1813,1814],{"class":480},"              
region",[92,1816,485],{"class":484},[92,1818,1819],{"class":1312}," ''\n",[92,1821,1822,1825],{"class":94,"line":1089},[92,1823,1824],{"class":480},"              accessKeySecretRef",[92,1826,506],{"class":484},[92,1828,1829,1832,1834],{"class":94,"line":1103},[92,1830,1831],{"class":480},"                name",[92,1833,485],{"class":484},[92,1835,1836],{"class":102}," alidns-secret\n",[92,1838,1839,1842,1844],{"class":94,"line":1109},[92,1840,1841],{"class":480},"                key",[92,1843,485],{"class":484},[92,1845,1846],{"class":102}," access-key\n",[92,1848,1849,1852],{"class":94,"line":1119},[92,1850,1851],{"class":480},"              secretKeySecretRef",[92,1853,506],{"class":484},[92,1855,1856,1858,1860],{"class":94,"line":1129},[92,1857,1831],{"class":480},[92,1859,485],{"class":484},[92,1861,1836],{"class":102},[92,1863,1864,1866,1868],{"class":94,"line":1136},[92,1865,1841],{"class":480},[92,1867,485],{"class":484},[92,1869,1870],{"class":102}," secret-key\n",[92,1872,1873,1875],{"class":94,"line":1145},[92,1874,610],{"class":480},[92,1876,506],{"class":484},[92,1878,1879,1881,1883,1886],{"class":94,"line":1154},[92,1880,618],{"class":480},[92,1882,485],{"class":484},[92,1884,1885],{"class":102}," 
letsencrypt-prod-account-key",[92,1887,625],{"class":136},[92,1889,1890,1892,1894,1896],{"class":94,"line":1161},[92,1891,631],{"class":480},[92,1893,485],{"class":484},[92,1895,636],{"class":102},[92,1897,639],{"class":136},[28,1899,642,1900],{},[32,1901,473],{},[83,1903,1904],{"className":85,"code":647,"language":87,"meta":88,"style":88},[32,1905,1906],{"__ignoreMap":88},[92,1907,1908,1910,1912,1914,1916],{"class":94,"line":95},[92,1909,99],{"class":98},[92,1911,124],{"class":102},[92,1913,127],{"class":102},[92,1915,178],{"class":174},[92,1917,662],{"class":102},[28,1919,665],{},[83,1921,1922],{"className":85,"code":668,"language":87,"meta":88,"style":88},[32,1923,1924,1934,1942],{"__ignoreMap":88},[92,1925,1926,1928,1930,1932],{"class":94,"line":95},[92,1927,99],{"class":98},[92,1929,124],{"class":102},[92,1931,276],{"class":102},[92,1933,681],{"class":102},[92,1935,1936,1938,1940],{"class":94,"line":140},[92,1937,289],{"class":98},[92,1939,688],{"class":102},[92,1941,301],{"class":102},[92,1943,1944,1946,1948],{"class":94,"line":164},[92,1945,695],{"class":98},[92,1947,698],{"class":102},[92,1949,701],{"class":102},[28,1951,1952],{},"重新手动签发证书，验证，成功！",[28,1954,1955],{},"PS：需要注意的是，从 http01 认证修改到 dns01 认证后，有个坑，会一直失败，查看 cert-manager 的 Pod 日志，会发现如下错误：",[83,1957,1961],{"className":1958,"code":1959,"language":1960,"meta":88,"style":88},"language-log shiki shiki-themes material-theme-lighter github-light github-dark","cert-manager\u002Fcontroller\u002Forders \"msg\"=\"Failed to determine the list of Challenge resources needed for the Order\" \"error\"=\"no configured challenge solvers can be used for this challenge\" \"resource_kind\"=\"Order\" \"resource_name\"=\"xxx\"\n","log",[32,1962,1963],{"__ignoreMap":88},[92,1964,1965,1969,1972,1975,1978,1981,1983,1986,1989,1991,1994,1997,1999],{"class":94,"line":95},[92,1966,1968],{"class":1967},"su5hD","cert-manager\u002Fcontroller\u002Forders 
",[92,1970,1971],{"class":102},"\"msg\"",[92,1973,1974],{"class":1967},"=",[92,1976,1977],{"class":102},"\"Failed to determine the list of Challenge resources needed for the Order\"",[92,1979,1980],{"class":102}," \"error\"",[92,1982,1974],{"class":1967},[92,1984,1985],{"class":102},"\"no configured challenge solvers can be used for this challenge\"",[92,1987,1988],{"class":102}," \"resource_kind\"",[92,1990,1974],{"class":1967},[92,1992,1993],{"class":102},"\"Order\"",[92,1995,1996],{"class":102}," \"resource_name\"",[92,1998,1974],{"class":1967},[92,2000,2001],{"class":102},"\"xxx\"\n",[28,2003,2004,2005,2010,2011,2016,2017,2019],{},"研究了半天都没成功，后来在 GitHub 上找到了这个 ",[1527,2006,2009],{"href":2007,"rel":2008},"https:\u002F\u002Fgithub.com\u002Fjetstack\u002Fcert-manager\u002Fissues\u002F2494#issuecomment-585391545",[1531],"Issue","，按照 ",[1527,2012,2015],{"href":2013,"rel":2014},"https:\u002F\u002Fgithub.com\u002Fdemisx",[1531],"demisx"," 这位仁兄的建议，把所有和 ",[32,2018,227],{}," 相关的东西全部删除重新用 dns01 的方式部署一遍就 OK 了。",[28,2021,2022,2023,2026,2027,2030],{},"另外，cert-manager 的 API group 从 ",[32,2024,2025],{},"certmanager.k8s.io"," 改到 ",[32,2028,2029],{},"certmanager.io"," 了，不少老教程里面仍然是前者，需要改为后者才能正常执行。",[2032,2033,2034,2037],"blockquote",{},[28,2035,2036],{},"参考链接",[2038,2039,2040,2048,2055,2062],"ul",{},[2041,2042,2043],"li",{},[1527,2044,2047],{"href":2045,"rel":2046},"https:\u002F\u002Fdocs.bitnami.com\u002Fkubernetes\u002Fhow-to\u002Fsecure-kubernetes-services-with-ingress-tls-letsencrypt\u002F",[1531],"Secure Kubernetes Services With Ingress, TLS And Let's Encrypt",[2041,2049,2050],{},[1527,2051,2054],{"href":2052,"rel":2053},"https:\u002F\u002Fxuchao918.github.io\u002F2019\u002F03\u002F14\u002F%E2%95%A9%E2%95%A3%E2%95%99%E2%94%9Ccert-manager%E2%95%A9%E2%95%A1%E2%95%A7%E2%95%93Ingress-https\u002F",[1531],"使用 cert-manager 实现 Ingress https",[2041,2056,2057],{},[1527,2058,2061],{"href":2059,"rel":2060},"https:\u002F\u002Fyq.aliyun.com\u002Farticles\u002F718711",[1531],"使用 
cert-manager 给阿里云的 DNS 域名授权 SSL 证书",[2041,2063,2064],{},[1527,2065,2068],{"href":2066,"rel":2067},"https:\u002F\u002Fcert-manager.io\u002Fdocs\u002F",[1531],"cert-manager docs",[2070,2071,2072],"style",{},"html pre.shiki code .sbgvK, html code.shiki .sbgvK{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .s_sjI, html code.shiki .s_sjI{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sutJx, html code.shiki 
.sutJx{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit}html pre.shiki code .s39Yj, html code.shiki .s39Yj{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .stzsN, html code.shiki .stzsN{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .srdBf, html code.shiki .srdBf{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sjJ54, html code.shiki .sjJ54{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .su5hD, html code.shiki .su5hD{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sQzsp, html code.shiki .sQzsp{--shiki-light:#E53935;--shiki-default:#22863A;--shiki-dark:#85E89D}html pre.shiki code .sP7_E, html code.shiki .sP7_E{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":88,"searchDepth":140,"depth":140,"links":2074},[],null,"png","2020-02-27","很多博主的 https 证书经常容易忘记更新，虽说证书过期前都会有邮件提醒，但是万一确实忙得没时间去处理，忘记了，就会出现证书过期的情况了。",false,"md",{},"\u002Fposts\u002F2020\u002Fk8s-cert-manager-tls",{"text":2084,"minutes":2085,"time":2086,"words":2087},"8 min read",7.465,447900,1493,{"title":23,"description":2078},{"loc":2082},"posts\u002F2020\u002F20200227.k8s-cert-manager-tls",[2092,2093,48,2094,2095],"技术","阿里云","DevOps","Docker","天气晴","2aJ6T7QGEjJQr4Yy8PkK08lqxa4n-rxsCy0mGJw2oBY",{"id":2099,"title":2100,"body":2101,"class":2075,"cover":2076,"coverSize":2075,"date":2236,"description":2237,"draft":2079,"extension":2080,"hideComments":2079,"location":2075,"meta":2238,"navigation":386,"path":2239,"readingTime":2240,"seo":2245,"sitemap":2246,"stem":2247,"tags":2248,"time":2075,"weather":2075,"__hash__":2249},"posts\u002Fposts\u002F2020\u002F20200215.batch-edit-acl-for-oss.md","批量修改阿里云 OSS 的 ACL 
权限",{"type":25,"value":2102,"toc":2234},[2103,2109,2116,2121,2170,2173,2191,2195,2228,2231],[28,2104,2105,2108],{},[32,2106,2107],{},"oss-browser"," 是个好工具，但是在修改 ACL 权限上比较蛋疼，只能单个文件设置，不支持批量设置，这在某些默认 ACL 权限为私有的 bucket 上，需要批量设置某个目录为公共读时，会比较不便。",[28,2110,2111,2112,2115],{},"经过搜索，阿里云官方的 ",[32,2113,2114],{},"ossutil"," 工具可以用来解决这个问题。",[2117,2118,2120],"h5",{"id":2119},"下载以-mac-系统为例","下载（以 Mac 系统为例）",[83,2122,2124],{"className":85,"code":2123,"language":87,"meta":88,"style":88},"curl -o ossutilmac64 http:\u002F\u002Fgosspublic.alicdn.com\u002Fossutil\u002F1.6.10\u002Fossutilmac64\n\nchmod 755 ossutilmac64\n\n.\u002Fossutilmac64 config # 按照提示填写相关配置，参考https:\u002F\u002Fhelp.aliyun.com\u002Fdocument_detail\u002F120075.html\n",[32,2125,2126,2140,2144,2155,2159],{"__ignoreMap":88},[92,2127,2128,2131,2134,2137],{"class":94,"line":95},[92,2129,2130],{"class":98},"curl",[92,2132,2133],{"class":174}," -o",[92,2135,2136],{"class":102}," ossutilmac64",[92,2138,2139],{"class":102}," http:\u002F\u002Fgosspublic.alicdn.com\u002Fossutil\u002F1.6.10\u002Fossutilmac64\n",[92,2141,2142],{"class":94,"line":140},[92,2143,387],{"emptyLinePlaceholder":386},[92,2145,2146,2149,2152],{"class":94,"line":164},[92,2147,2148],{"class":98},"chmod",[92,2150,2151],{"class":315}," 755",[92,2153,2154],{"class":102}," ossutilmac64\n",[92,2156,2157],{"class":94,"line":187},[92,2158,387],{"emptyLinePlaceholder":386},[92,2160,2161,2164,2167],{"class":94,"line":210},[92,2162,2163],{"class":98},".\u002Fossutilmac64",[92,2165,2166],{"class":102}," config",[92,2168,2169],{"class":136}," # 按照提示填写相关配置，参考https:\u002F\u002Fhelp.aliyun.com\u002Fdocument_detail\u002F120075.html\n",[2117,2171,2172],{"id":2172},"测试配置是否正确",[83,2174,2176],{"className":85,"code":2175,"language":87,"meta":88,"style":88},".\u002Fossutilmac64 ls oss:\u002F\u002Fyour-bucket-name\u002F # 看看能否列出文件列表\n",[32,2177,2178],{"__ignoreMap":88},[92,2179,2180,2182,2185,2188],{"class":94,"line":95},[92,2181,2163],{"class":98},[92,2183,2184],{"class":102}," 
ls",[92,2186,2187],{"class":102}," oss:\u002F\u002Fyour-bucket-name\u002F",[92,2189,2190],{"class":136}," # 看看能否列出文件列表\n",[2117,2192,2194],{"id":2193},"批量设置-acl-权限","批量设置 ACL 权限",[83,2196,2198],{"className":85,"code":2197,"language":87,"meta":88,"style":88},".\u002Fossutilmac64 set-acl oss:\u002F\u002Fyour-bucket-name\u002Fyour-folder\u002F public-read --include \"*\" -r\n",[32,2199,2200],{"__ignoreMap":88},[92,2201,2202,2204,2207,2210,2213,2216,2219,2222,2225],{"class":94,"line":95},[92,2203,2163],{"class":98},[92,2205,2206],{"class":102}," set-acl",[92,2208,2209],{"class":102}," oss:\u002F\u002Fyour-bucket-name\u002Fyour-folder\u002F",[92,2211,2212],{"class":102}," public-read",[92,2214,2215],{"class":174}," --include",[92,2217,2218],{"class":1312}," \"",[92,2220,2221],{"class":102},"*",[92,2223,2224],{"class":1312},"\"",[92,2226,2227],{"class":174}," -r\n",[28,2229,2230],{},"Done.",[2070,2232,2233],{},"html pre.shiki code .sbgvK, html code.shiki .sbgvK{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .stzsN, html code.shiki .stzsN{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .s_sjI, html code.shiki .s_sjI{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .srdBf, html code.shiki .srdBf{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sutJx, html code.shiki .sutJx{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: 
var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sjJ54, html code.shiki .sjJ54{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF}",{"title":88,"searchDepth":140,"depth":140,"links":2235},[],"2020-02-15","oss-browser 是个好工具，但是在修改 ACL 权限上比较蛋疼，只能单个文件设置，不支持批量设置，这在某些默认 ACL 权限为私有的 bucket 上，需要批量设置某个目录为公共读时，会比较不便。",{},"\u002Fposts\u002F2020\u002Fbatch-edit-acl-for-oss",{"text":2241,"minutes":2242,"time":2243,"words":2244},"1 min read",0.785,47100,157,{"title":2100,"description":2237},{"loc":2239},"posts\u002F2020\u002F20200215.batch-edit-acl-for-oss",[2092,2093],"635H8eIJZi3F8cl7cZncH1GLQUxLhxnQIIUdkcjX3g8",{"id":2251,"title":2252,"body":2253,"class":2075,"cover":2075,"coverSize":2075,"date":2517,"description":88,"draft":2079,"extension":2080,"hideComments":2079,"location":2075,"meta":2518,"navigation":386,"path":2519,"readingTime":2520,"seo":2525,"sitemap":2526,"stem":2527,"tags":2528,"time":2075,"weather":2075,"__hash__":2529},"posts\u002Fposts\u002F2019\u002F20191229.aliyun-k8s-setup.md","阿里云 k8s 
集群搭建",{"type":25,"value":2254,"toc":2513},[2255,2260,2266,2271,2276,2343,2352,2357,2361,2364,2436,2439,2442,2498,2510],[2256,2257,2259],"h3",{"id":2258},"为-vpc-配置-snat","为 VPC 配置 SNAT",[28,2261,2262],{},[2263,2264,2265],"strong",{},"注：SNAT 已关闭，看起来两个 ECS 节点都有公网 IP，不需要了。（2024-06-04）",[28,2267,2268],{},[942,2269,2270],{},"阿里云的 NAT 网关太贵，考虑自行搭建 SNAT。",[28,2272,2273],{},[942,2274,2275],{},"购买最廉价 ECS，配置如下设置",[83,2277,2279],{"className":85,"code":2278,"language":87,"meta":88,"style":88},"sysctl net.ipv4.ip_forward # 查看当前 IP 转发配置，0 为关闭，1 为打开\nsysctl -w net.ipv4.ip_forward=1 # 打开 IP 转发\niptables -t nat -I POSTROUTING -s 172.16.0.0\u002F16 -j SNAT --to-source 172.16.117.66\n",[32,2280,2281,2292,2308],{"__ignoreMap":88},[92,2282,2283,2286,2289],{"class":94,"line":95},[92,2284,2285],{"class":98},"sysctl",[92,2287,2288],{"class":102}," net.ipv4.ip_forward",[92,2290,2291],{"class":136}," # 查看当前 IP 转发配置，0 为关闭，1 为打开\n",[92,2293,2294,2296,2299,2302,2305],{"class":94,"line":140},[92,2295,2285],{"class":98},[92,2297,2298],{"class":174}," -w",[92,2300,2301],{"class":102}," net.ipv4.ip_forward=",[92,2303,2304],{"class":315},"1",[92,2306,2307],{"class":136}," # 打开 IP 转发\n",[92,2309,2310,2313,2316,2319,2322,2325,2328,2331,2334,2337,2340],{"class":94,"line":164},[92,2311,2312],{"class":98},"iptables",[92,2314,2315],{"class":174}," -t",[92,2317,2318],{"class":102}," nat",[92,2320,2321],{"class":174}," -I",[92,2323,2324],{"class":102}," POSTROUTING",[92,2326,2327],{"class":174}," -s",[92,2329,2330],{"class":102}," 172.16.0.0\u002F16",[92,2332,2333],{"class":174}," -j",[92,2335,2336],{"class":102}," SNAT",[92,2338,2339],{"class":174}," --to-source",[92,2341,2342],{"class":315}," 172.16.117.66\n",[28,2344,2345],{},[942,2346,2347,2348,2351],{},"去 VPC 路由表中添加 ",[32,2349,2350],{},"0.0.0.0\u002F0"," 下一跳为上述 ECS",[28,2353,2354],{},[942,2355,2356],{},"设置 iptasbles 开机启动：",[2256,2358,2360],{"id":2359},"dnat","DNAT",[28,2362,2363],{},"通过 公网 IP 访问集群管理 
API",[83,2365,2367],{"className":85,"code":2366,"language":87,"meta":88,"style":88},"iptables -t nat -I PREROUTING -p tcp --dport 6443 -j DNAT --to 172.16.117.67:6443\niptables -t nat -I POSTROUTING -d 172.16.117.67\u002F32 -p tcp --dport 6443 -j MASQUERADE\n",[32,2368,2369,2405],{"__ignoreMap":88},[92,2370,2371,2373,2375,2377,2379,2382,2385,2388,2391,2394,2396,2399,2402],{"class":94,"line":95},[92,2372,2312],{"class":98},[92,2374,2315],{"class":174},[92,2376,2318],{"class":102},[92,2378,2321],{"class":174},[92,2380,2381],{"class":102}," PREROUTING",[92,2383,2384],{"class":174}," -p",[92,2386,2387],{"class":102}," tcp",[92,2389,2390],{"class":174}," --dport",[92,2392,2393],{"class":315}," 6443",[92,2395,2333],{"class":174},[92,2397,2398],{"class":102}," DNAT",[92,2400,2401],{"class":174}," --to",[92,2403,2404],{"class":102}," 172.16.117.67:6443\n",[92,2406,2407,2409,2411,2413,2415,2417,2420,2423,2425,2427,2429,2431,2433],{"class":94,"line":140},[92,2408,2312],{"class":98},[92,2410,2315],{"class":174},[92,2412,2318],{"class":102},[92,2414,2321],{"class":174},[92,2416,2324],{"class":102},[92,2418,2419],{"class":174}," -d",[92,2421,2422],{"class":102}," 172.16.117.67\u002F32",[92,2424,2384],{"class":174},[92,2426,2387],{"class":102},[92,2428,2390],{"class":174},[92,2430,2393],{"class":315},[92,2432,2333],{"class":174},[92,2434,2435],{"class":102}," MASQUERADE\n",[28,2437,2438],{},"记得开启安全组规则允许 6443 端口",[28,2440,2441],{},"在 k8s 集群信息中设置 自定义证书 SAN 为 47.111.247.217 配置证书，解决以下证书问题：",[83,2443,2445],{"className":85,"code":2444,"language":87,"meta":88,"style":88},"Unable to connect to the server: x509: certificate is valid for 172.21.0.1, 127.0.0.1, 7.20.49.48, 172.16.117.67, not 47.111.247.217\n",[32,2446,2447],{"__ignoreMap":88},[92,2448,2449,2452,2455,2458,2460,2463,2466,2469,2471,2474,2477,2480,2483,2486,2489,2492,2495],{"class":94,"line":95},[92,2450,2451],{"class":98},"Unable",[92,2453,2454],{"class":102}," to",[92,2456,2457],{"class":102}," 
connect",[92,2459,2454],{"class":102},[92,2461,2462],{"class":102}," the",[92,2464,2465],{"class":102}," server:",[92,2467,2468],{"class":102}," x509:",[92,2470,893],{"class":102},[92,2472,2473],{"class":102}," is",[92,2475,2476],{"class":102}," valid",[92,2478,2479],{"class":102}," for",[92,2481,2482],{"class":102}," 172.21.0.1,",[92,2484,2485],{"class":102}," 127.0.0.1,",[92,2487,2488],{"class":102}," 7.20.49.48,",[92,2490,2491],{"class":102}," 172.16.117.67,",[92,2493,2494],{"class":102}," not",[92,2496,2497],{"class":315}," 47.111.247.217\n",[2032,2499,2500,2503],{},[28,2501,2502],{},"参考链接：",[28,2504,2505],{},[1527,2506,2509],{"href":2507,"rel":2508},"https:\u002F\u002Fyq.aliyun.com\u002Farticles\u002F112497",[1531],"如何通过 EIP 实现 VPC 下的 SNAT 以及 DNAT",[2070,2511,2512],{},"html pre.shiki code .sbgvK, html code.shiki .sbgvK{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .s_sjI, html code.shiki .s_sjI{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sutJx, html code.shiki .sutJx{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit}html pre.shiki code .stzsN, html code.shiki .stzsN{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .srdBf, html code.shiki .srdBf{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: 
var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":88,"searchDepth":140,"depth":140,"links":2514},[2515,2516],{"id":2258,"depth":164,"text":2259},{"id":2359,"depth":164,"text":2360},"2019-12-29",{},"\u002Fposts\u002F2019\u002Faliyun-k8s-setup",{"text":2521,"minutes":2522,"time":2523,"words":2524},"2 min read",1.17,70200,234,{"title":2252,"description":88},{"loc":2519},"posts\u002F2019\u002F20191229.aliyun-k8s-setup",[2092,2093,48,2094],"nx96pApv8oyqcXahwKsOs9Y-8UfgHxl4bCTvPo9djqQ",{"id":2531,"title":2532,"body":2533,"class":2075,"cover":2075,"coverSize":2075,"date":2582,"description":2583,"draft":2079,"extension":2080,"hideComments":2079,"location":2075,"meta":2584,"navigation":386,"path":2585,"readingTime":2586,"seo":2591,"sitemap":2592,"stem":2593,"tags":2594,"time":2075,"weather":2075,"__hash__":2595},"posts\u002Fposts\u002F2016\u002F20161109.aliyun-cdn-not-support-sni.md","解决阿里云 CDN 回源 https 返回 503 错误的问题",{"type":25,"value":2534,"toc":2580},[2535,2550,2557,2560,2563,2566,2574,2577],[28,2536,2537,2538,2543,2544,2549],{},"最近打算把",[1527,2539,2542],{"href":2540,"rel":2541},"https:\u002F\u002Fwww.monkeyrun.net",[1531],"www.monkeyrun.net","改成全站 
https，使用的",[1527,2545,2548],{"href":2546,"rel":2547},"https:\u002F\u002Fletsencrypt.org\u002F",[1531],"Let’s Encrypt","的证书。然而在设置阿里云 CDN 的时候，阿里云 CDN 回源一直返回 503 错误，发工单，来来回回经过整整两天，终于把问题解决。容我娓娓道来。",[28,2551,2552,2553,2556],{},"最一开始，我先开启了阿里云的 CDN，源站设置为",[1527,2554,2542],{"href":2540,"rel":2555},[1531],"，通过 80 端口回源，没有任何问题。",[28,2558,2559],{},"后来当时配置好证书，站点也开启了 https 之后，将回源端口改为 443，开始出问题了，CDN 资源全部返回 503。而直接通过浏览器访问 https 的源站内容，都是没有问题的。",[28,2561,2562],{},"发工单，经过漫长的等待和提供链接等更详细的信息之后，阿里云的工作人员首先认为这个问题可能是由于我开启了防火墙或者一些安全软件导致，拦截或阻止了 CDN 节点的回源请求。我关闭了防火墙，问题依旧存在。",[28,2564,2565],{},"又经过漫长的等待以及转交专项处理人员处理之后，给我发了个抓的包，说是 CDN 回源请求被源站给 RST 了，让我检查我的服务器在网络层面是不是做了什么限制。看了半天抓包的数据，也不大看得懂，各种谷歌，最后感觉可能是协议不同，握手的时候有一个是 TLS 1.0，有一个是 TLS 1.2，谷歌了一通，被带入了另一个未知领域，尝试了各种 cipher suites，随后还是无果。",[28,2567,2568,2569,2573],{},"后来找到一个网站，测试 SSL 兼容性的，",[1527,2570,2571],{"href":2571,"rel":2572},"https:\u002F\u002Fwww.ssllabs.com\u002Fssltest\u002F",[1531],"，测试了一下网站 SSL 兼容性，发现不支持 SNI 的请求会直接 close connection。于是又问阿里工作人员，得知他们 CDN 回源时，SSL 握手不支持发送 SNI。",[28,2575,2576],{},"定位到问题了，在 IIS 站点里面，编辑网站绑定，取消勾选“需要服务器名称指示”，问题解决！",[28,2578,2579],{},"可以愉快的开启全站 https 了！",{"title":88,"searchDepth":140,"depth":140,"links":2581},[],"2016-11-09","最近打算把www.monkeyrun.net改成全站 https，使用的Let’s Encrypt的证书。然而在设置阿里云 CDN 的时候，阿里云 CDN 回源一直返回 503 错误，发工单，来来回回经过整整两天，终于把问题解决。容我娓娓道来。",{},"\u002Fposts\u002F2016\u002Faliyun-cdn-not-support-sni",{"text":2587,"minutes":2588,"time":2589,"words":2590},"3 min read",2.565,153900,513,{"title":2532,"description":2583},{"loc":2585},"posts\u002F2016\u002F20161109.aliyun-cdn-not-support-sni",[2092,2094,2093],"nHBSr5cQSJtMEotBzDat8oOGoidlnu2hPDoy8mW_Blo",1777580269474]