K8s with acme cert-manager problem

Hello,

I am trying cert-manager in k8s, also using the nginx-ingress controller with metallb. I hope there is a k8s expert here :slight_smile:

CentOS version:
CentOS Linux release 7.8.2003 (Core)

Ingress yaml:
[root@sealos01 ingress]# kubectl get ing
NAME CLASS HOSTS ADDRESS PORTS AGE
test testing.hkitblog.com 10.0.10.140 80, 443 53m

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  tls:

pod and svc yaml:
[root@sealos01 ingress]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
helloworld-v1 LoadBalancer 10.97.91.142 10.0.10.141 443:32280/TCP 53m
kubernetes ClusterIP 10.96.0.1 443/TCP 2d1h
my-release-nginx-ingress LoadBalancer 10.98.35.128 10.0.10.140 80:31159/TCP,443:31789/TCP 2d1h

[root@sealos01 ingress]# kubectl get pod
NAME READY STATUS RESTARTS AGE
my-release-nginx-ingress-5c57477464-lgqrz 1/1 Running 7 2d1h
testing.hkitblog.com 1/1 Running 0 53m

[root@sealos01 ingress]# cat helloworld-v1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: testing.hkitblog.com
  labels:
    app: helloworld-v1
spec:
  containers:
  - name: k8s-demo
    image: 105552010/k8s-demo:v1
    ports:
    - name: nodejs-port
      containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: helloworld-v1
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  loadBalancerIP: 10.0.10.141
  ports:
  - port: 443
    targetPort: 3000
    protocol: TCP
  selector:
    app: helloworld-v1

metallb yaml:
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      auto-assign: true
      addresses:
      - 10.0.10.140-10.0.10.145

The cert is ready:
[root@sealos01 ingress]# kubectl get cert
NAME READY SECRET AGE
testing-hkitblog-com True testing-hkitblog-com-tls 46h

I have edited /etc/hosts (10.0.10.141 > testing.hkitblog.com) on a master node.

When I run curl -v https://testing.hkitblog.com:

* About to connect() to testing.hkitblog.com port 443 (#0)
*   Trying 10.0.10.141...
* Connected to testing.hkitblog.com (10.0.10.141) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

If I change to port 80 there is no problem. Why is it CApath: none?

Thanks!
