Automatically issued certificates do not take effect #1318

Closed
zzzhangqi opened this issue Sep 15, 2022 · 5 comments

@zzzhangqi
Collaborator

from the community https://t.goodrain.com/d/8242

@zzzhangqi zzzhangqi added the kind/bug BUG Feedback label Sep 15, 2022
@Issues-translate-bot

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


Title: The use of automatic certificate issuance does not take effect

@poneding
Collaborator

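  1. cert-manager times out when calling the Let's Encrypt API to generate a certificate;

  2. After the certificate is generated, updating the gateway reports an error:
    API called:
    http://xxx:7070/openapi/v1/teams/xxx/regions/1/apps/2/httpdomains/xxx
    Error message:
    httpStatus:500
    update domain rule for domain xxx err {"code":10401,"msg":"","msg_show":"服务端异常"}

  3. After manually updating the gateway to use the generated certificate, HTTPS access works normally.

Conclusion:
1. The console-side API may need to be fixed;
2. It takes some time before HTTPS access becomes available;
3. The Let's Encrypt API, which is hosted overseas, has access timeout problems.

Appendix:
Generating a certificate directly with just an email address is not advisable:
a DNS record is generated before the certificate is issued, so the DNS resolution has to be configured first;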

@Issues-translate-bot

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


  1. There is a timeout problem when cert-manager calls letsencrypt api to generate a certificate;

  2. After the certificate is generated, the update gateway reports an error:
    Call interface:
    http://xxx:7070/openapi/v1/teams/xxx/regions/1/apps/2/httpdomains/xxx
    Error message:
    httpStatus: 500
    update domain rule for domain xxx err {"code":10401,"msg":"","msg_show":"Server exception"}

  3. Manually update the gateway and use the generated certificate to access https normally.

In conclusion:

  1. It may be necessary to repair the interface on the console side;
  2. It takes a while for https access to be available;
  3. The foreign interface of let's encrypt has access timeout problem.

Attached:
It is not advisable to use the mailbox to generate the certificate directly:
Before the certificate is generated, a dns record will be generated, and the dns resolution configuration needs to be completed first;

@poneding
Collaborator

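After the route rewrite feature was added, rainbond-cert-controller's gateway update fails because the rewrites parameter is missing, so the self-signed certificate does not take effect.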

@Issues-translate-bot

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


After adding the route rewriting function, the rainbond-cert-controller update gateway fails to update due to the lack of the rewrites parameter, and the self-signed certificate does not take effect.
