kubernetes : cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret

Question


Cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "grafanaps-tls" not found"

So, from the investigation, I’m not able to find the grafanaps-tls.

> Kubectl get certificates
> NAME READY SECRET AGE
> Alertmanagerdf-tls False alertmanagerdf-tls 1y61d
> Prometheusps-tls False prometheusps-tls 1y58

We have done the following: The nginx ingress and cert-manager were outdated and not compatible with the Kubernetes version of 1.22 anymore. As a result, an upgrade of those components was initiated in order to restore pod operation.

The cmctl check api -n cert-manager command now returns: The cert-manager API has been upgraded to version 1.7 and orphaned secrets have been cleaned up

Cert-manager/webhook "msg"="Detected root CA rotation - regenerating serving certificates"

After a restart the logs looked mainly clean.

From my findings, the issue is the integration of cert-manager with the Kubernetes ingress controller.
So I was interested in the cert-manager configuration, mostly the ingressshim configuration and the args section.

It appears that the SSL certificate for several servers has expired, and it looks like the issue is with the certificate resources or the integration of cert-manager with the Kubernetes ingress controller.

Config:

C:\Windows\system32>kubectl describe deployment cert-manager-cabictor -n cert-manager
Name:                   cert-manager-cabictor 
Namespace:              cert-manager
CreationTimestamp:      Thu, 01 Dec 2022 18:31:02 +0530
Labels:                 app=cabictor 
                        app.kubernetes.io/component=cabictor 
                        app.kubernetes.io/instance=cert-manager
                        app.kubernetes.io/managed-by=Helm
                        app.kubernetes.io/name=cabictor 
                        app.kubernetes.io/version=v1.7.3
                        helm.sh/chart=cert-manager-v1.7.3
Annotations:            deployment.kubernetes.io/revision: 2
                        meta.helm.sh/release-name: cert-manager
                        meta.helm.sh/release-namespace: cert-manager
Selector:               app.kubernetes.io/component=cabictor ,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cabictor 
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app=cabictor 
                    app.kubernetes.io/component=cabictor 
                    app.kubernetes.io/instance=cert-manager
                    app.kubernetes.io/managed-by=Helm
                    app.kubernetes.io/name=cabictor 
                    app.kubernetes.io/version=v1.7.3
                    helm.sh/chart=cert-manager-v1.7.3
  Service Account:  cert-manager-cabictor 
  Containers:
   cert-manager:
    Image:      quay.io/jetstack/cert-manager-cabictor :v1.7.3
    Port:       <none>
    Host Port:  <none>
    Args:
      --v=2
      --leader-election-namespace=kube-system
    Environment:
      POD_NAMESPACE:   (v1:metadata.namespace)
    Mounts:           <none>
  Volumes:            <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   cert-manager-cabictor -5b65bcdbbd (1/1 replicas created)
Events:          <none>

I was not able to identify and fix the root cause here.

What is the problem here, and how can it be resolved? Any help would be greatly appreciated.

Answer 1

Score: 2


Error message:

Cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "grafanaps-tls" not found"

The above error message says that the certificate corresponding to the certificate file cannot be found in some namespaces.

To view the secrets and certificates, execute the commands below:

kubectl get secrets -n monitoring

kubectl get certificate -n monitoring

The output will show the missing secret and certificate.

As per the GitHub link you can also use the solution.

https://github.com/cert-manager/cert-manager/issues/1944

> > Script to clean up/fix this issue
>
> "unable to fetch a certificate that owns the secret"
>
> This script will find TLS secrets in a given namespace which have no
> matching certificate resource and delete them.
>
> > Usage
>
> ./clean-orphans.sh <namespace>
>
> Specifying no namespace will check the default. You will be prompted
> before anything is deleted.

For more information, refer to the cert-manager documentation. You can also refer to the blog by Alex Ellis on Grafana dashboard with TLS.
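
An added example, not part of the answer above or of the script in the linked GitHub issue: a read-only check that reports which TLS Secrets name an owning Certificate that no longer exists, which is the condition the `secret-for-certificate-mapper` message describes. It assumes the Secrets carry cert-manager's `cert-manager.io/certificate-name` annotation; the sample data is constructed from the names in the question, and `manual-tls` and `app-config` are hypothetical.

```python
import json
import subprocess

# Annotation cert-manager puts on the Secrets it issues, naming the owning Certificate.
CERT_NAME_ANNOTATION = "cert-manager.io/certificate-name"


def find_orphaned_tls_secrets(secret_list, certificate_list):
    """Return sorted (namespace, secret, missing_certificate) tuples for TLS Secrets
    whose annotated owning Certificate is absent from the same namespace."""
    existing = {(c["metadata"]["namespace"], c["metadata"]["name"])
                for c in certificate_list.get("items", [])}
    orphans = []
    for s in secret_list.get("items", []):
        meta = s["metadata"]
        owner = (meta.get("annotations") or {}).get(CERT_NAME_ANNOTATION)
        if s.get("type") != "kubernetes.io/tls" or not owner:
            continue  # not a TLS Secret issued by cert-manager
        if (meta["namespace"], owner) not in existing:
            orphans.append((meta["namespace"], meta["name"], owner))
    return sorted(orphans)


def kubectl_json(resource, namespace):
    """Read-only: fetch a resource list from the current cluster as parsed JSON."""
    done = subprocess.run(["kubectl", "get", resource, "-n", namespace, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def _secret(name, owner=None, type_="kubernetes.io/tls", ns="monitoring"):
    """Build a constructed sample Secret (metadata only, no key material)."""
    ann = {CERT_NAME_ANNOTATION: owner} if owner else {}
    return {"type": type_, "metadata": {"name": name, "namespace": ns, "annotations": ann}}


# Constructed sample data using the resource names from the question.
SAMPLE_SECRETS = {"items": [
    _secret("grafanaps-tls", "grafanaps-tls"),
    _secret("alertmanagerdf-tls", "alertmanagerdf-tls"),
    _secret("prometheusps-tls", "prometheusps-tls"),
    _secret("manual-tls"),                  # TLS Secret created by hand, no annotation
    _secret("app-config", type_="Opaque"),  # unrelated Secret
]}
SAMPLE_CERTS = {"items": [{"metadata": {"name": n, "namespace": "monitoring"}}
                          for n in ("alertmanagerdf-tls", "prometheusps-tls")]}

if __name__ == "__main__":
    for ns, secret, cert in find_orphaned_tls_secrets(SAMPLE_SECRETS, SAMPLE_CERTS):
        print(f"{ns}/{secret}: annotated Certificate {cert!r} not found")
```

Against a live cluster, pass `kubectl_json("secrets", "monitoring")` and `kubectl_json("certificates.cert-manager.io", "monitoring")` instead of the sample data; nothing is deleted, so the report can be reviewed before deciding whether to recreate the Certificate or remove the Secret.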

huangapple
  • Posted on February 19, 2023, 02:48:12
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75495622.html