我几个月前配置了自动SSL证书管理,如下所述：
http://docs.cert-manager.io/en/latest/tutorials/acme/dns-validation.html

对于域：< myhost> .com和dev.< myhost> .com.

所以我有两个名称空间：prod for< myhost> .com和

dev for dev.< myhost> .com.在每个命名空间中我都有入口控制器

和证书资源将证书存储到机密.

它工作正常,ClusterIssuer自动更新证书.

但是几天前我尝试在test命名空间中添加新的域名：test.< myhost> .com,具有完全相同的入口和证书配置
在prod或dev命名空间中(期望主机名和命名空间)：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    kubernetes.io/tls-acme: 'true'
  name: app-ingress
  namespace: test
spec:
  tls:
  - hosts:
    - test.<myhost>.com
    secretName: letsencrypt-tls
  rules:
    - host: test.<myhost>.com
      http:
        paths:
        - backend:
            serviceName: web
            servicePort: 80
          path: /
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-letsencrypt
  namespace: test
spec:
  secretName: letsencrypt-tls
  issuerRef:
    name: letsencrypt-prod-dns
    kind: ClusterIssuer
  commonName: 'test.<myhost>.com'
  dnsNames:
  - test.<myhost>.com
  acme:
    config:
    - dns01:
        provider: dns
      domains:
      - test.<myhost>.com

并且这种配置不起作用：证书无法秘密发现,ingress正在使用“app-ingress-fake-certificate”.

cert-manager pod显​​示了很多类似的错误：

pkg/client/informers/externalversions/factory.go:72: Failed to list *v1alpha1.Challenge: challenges.certmanager.k8s.io is forbidden: User "system:serviceaccount:kube-system:cert-manager" cannot list challenges.certmanager.k8s.io at the cluster scope
pkg/client/informers/externalversions/factory.go:72: Failed to list *v1alpha1.Order: orders.certmanager.k8s.io is forbidden: User "system:serviceaccount:kube-system:cert-manager" cannot list orders.certmanager.k8s.io at the cluster scope

并且证书没有尝试获取证书(kubectl describe -ntest cert-letsencrypt)：

API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata: ...
Spec:
  Acme:
    Config:
      Dns 01:
        Provider:  dns
      Domains:
        test.<myhost>.com
  Common Name:  test.<myhost>.com
  Dns Names:
    test.<myhost>.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod-dns
  Secret Name:  letsencrypt-tls
Events:         <none>

它应该具有其他名称空间上的证书的任何状态.

我无法理解为什么这个配置以前工作但现在不能工作.

我不确定它是否相关,但几周前我用kops更新了kubernetes,目前的版本是：

Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.0", GitCommit:"0ed33881dc4355495f623c6f22e7dd0b7632b7c0", GitTreeState:"archive", BuildDate:"2018-10-12T16:56:06Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.6", GitCommit:"a21fdbd78dde8f5447f5f6c331f7eb6f80bd684e", GitTreeState:"clean", BuildDate:"2018-07-26T10:04:08Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

最佳答案 这个问题的原因是Kubernetes从1.9升级到1.10.要修复它,您需要将cert-manager升级到0.5.x版本.

由于bug https://github.com/jetstack/cert-manager/issues/1134,可能无法使用helm从0.4.x升级到0.5.x.
在这种情况下,您需要存储所有颁发者和证书配置,然后删除cert-manager 0.4.x并安装0.5.x,然后从第一步开始应用所有颁发者和证书配置.