My domain is: suporte.klavaecia.com.br
I am using cert-manager and I cannot get the certificate generated, and I am behind a NAT;
The challenges are OK; the token was generated at the URL
http://suporte.klavaecia.com.br/.well-known/acme-challenge/JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0
but it is as if Let's Encrypt is not verifying the domain, and it is pointing to the correct path. How do I resolve or identify the problem?
Do I need to open some port other than 80 and 443? I need to at least see whether it is my provider or my library. How do I detect that?
schoen
March 29, 2022, 5:17pm
Hi @joediego,
Did you get any specific error? What is cert-manager's behaviour, and at what point does it fail or do something to indicate that it failed?
Actually it does not produce any specific error; it simply does not generate the certificate, so I don't know whether it is because of being behind a NAT. I would like to know if there is something I can check.
It does generate the key as per the link, but it does not generate the certificate.
Does Let's Encrypt ping the domain before generating the certificate?
I only need ports 80 and 443, because those are already open.
I0329 19:16:49.167591 1 solver.go:87] cert-manager/acmesolver "msg"="got successful challenge request, writing key" "base_path"="/.well-known/acme-challenge" "host"="suporte.klavaecia.com.br" "path"="/.well-known/acme-challenge/JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0" "token"="JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0"
OUTPUT of the command kubectl describe clusterissuer
Name: suporte-klavaecia-com.br-prod
Namespace:
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2022-03-29T10:34:11Z
Generation: 4
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:acme:
.:
f:email:
f:privateKeySecretRef:
.:
f:name:
f:server:
f:solvers:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2022-03-29T10:34:11Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:acme:
.:
f:lastRegisteredEmail:
f:uri:
f:conditions:
Manager: controller
Operation: Update
Subresource: status
Time: 2022-03-29T10:59:03Z
Resource Version: 20348
UID: 148f18f7-6a1f-403b-b328-e5c1d854a5bb
Spec:
Acme:
Email: jonatas@klavaecia.com.br
Preferred Chain:
Private Key Secret Ref:
Name: suporte-klavaecia-com.br-tls
Server: https://acme-v02.api.letsencrypt.org/directory
Solvers:
http01:
Ingress:
Service Type: ClusterIP
Status:
Acme:
Last Registered Email: jonatas@klavaecia.com.br
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/473503860
Conditions:
Last Transition Time: 2022-03-29T10:34:12Z
Message: The ACME account was registered with the ACME server
Observed Generation: 4
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
OUTPUT OF THE COMMAND kubectl describe certificaterequest
Name: suporte-klavaecia-com-br-tls-n4xbn
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: suporte-klavaecia-com-br-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: suporte-klavaecia-com-br-tls-27lp6
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2022-03-29T11:26:05Z
Generate Name: suporte-klavaecia-com-br-tls-
Generation: 1
Managed Fields:
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:cert-manager.io/certificate-name:
f:cert-manager.io/certificate-revision:
f:cert-manager.io/private-key-secret-name:
f:generateName:
f:ownerReferences:
.:
k:{"uid":"309c6581-127f-4c50-bab8-7399fe309602"}:
f:spec:
.:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:request:
f:usages:
Manager: controller
Operation: Update
Time: 2022-03-29T11:26:05Z
API Version: cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:conditions:
Manager: controller
Operation: Update
Subresource: status
Time: 2022-03-29T11:26:05Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: suporte-klavaecia-com-br-tls
UID: 309c6581-127f-4c50-bab8-7399fe309602
Resource Version: 20457
UID: 23aaf16a-3b3f-40a0-9fbc-53d1dfb59eeb
Spec:
Extra:
authentication.kubernetes.io/pod-name:
cert-manager-86b4798576-zfvgp
authentication.kubernetes.io/pod-uid:
26f843bc-f810-4683-be36-212dfcf610e0
Groups:
system:serviceaccounts
system:serviceaccounts:cert-manager
system:authenticated
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: suporte-klavaecia-com.br-prod
Request: [omitted]
UID: f36d9b4c-5412-4e2c-8e15-9e17367f2362
Usages:
digital signature
key encipherment
Username: system:serviceaccount:cert-manager:cert-manager
Status:
Conditions:
Last Transition Time: 2022-03-29T11:26:05Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2022-03-29T11:26:05Z
Message: Waiting on certificate issuance from order default/suporte-klavaecia-com-br-tls-n4xbn-426367231: "pending"
Reason: Pending
Status: False
Type: Ready
Events: <none>
OUTPUT OF THE COMMAND kubectl describe order
root@k3sm:/t1# kubectl describe order
Name: suporte-klavaecia-com-br-tls-n4xbn-426367231
Namespace: default
Labels: <none>
Annotations: cert-manager.io/certificate-name: suporte-klavaecia-com-br-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: suporte-klavaecia-com-br-tls-27lp6
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2022-03-29T11:26:05Z
Generation: 1
Managed Fields:
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:cert-manager.io/certificate-name:
f:cert-manager.io/certificate-revision:
f:cert-manager.io/private-key-secret-name:
f:ownerReferences:
.:
k:{"uid":"23aaf16a-3b3f-40a0-9fbc-53d1dfb59eeb"}:
f:spec:
.:
f:dnsNames:
f:issuerRef:
.:
f:group:
f:kind:
f:name:
f:request:
Manager: controller
Operation: Update
Time: 2022-03-29T11:26:05Z
API Version: acme.cert-manager.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:authorizations:
f:finalizeURL:
f:state:
f:url:
Manager: controller
Operation: Update
Subresource: status
Time: 2022-03-29T11:26:05Z
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: suporte-klavaecia-com-br-tls-n4xbn
UID: 23aaf16a-3b3f-40a0-9fbc-53d1dfb59eeb
Resource Version: 20458
UID: 4d21873c-69df-4154-a5dd-202db7540a40
Spec:
Dns Names:
suporte.klavaecia.com.br
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: suporte-klavaecia-com.br-prod
Request: [omitted]
Status:
Authorizations:
Challenges:
Token: JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92630067900/5WzVPA
Token: JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0
Type: dns-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92630067900/ppqTTA
Token: JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0
Type: tls-alpn-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92630067900/j9F0rg
Identifier: suporte.klavaecia.com.br
Initial State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/92630067900
Wildcard: false
Finalize URL: https://acme-v02.api.letsencrypt.org/acme/finalize/473503860/75541566130
State: pending
URL: https://acme-v02.api.letsencrypt.org/acme/order/473503860/75541566130
Events: <none>
Is there a way to at least know whether the plugin is requesting the certificate?
@schoen
schoen
March 30, 2022, 11:50pm
It seems to me that it did not request it, because the three challenges remain (so far) in the Pending state. You can see this at all of the links
https://acme-v02.api.letsencrypt.org/acme/chall-v3/92630067900/5WzVPA
https://acme-v02.api.letsencrypt.org/acme/chall-v3/92630067900/ppqTTA
https://acme-v02.api.letsencrypt.org/acme/chall-v3/92630067900/j9F0rg
That means the CA was not even told by the ACME client that any of the challenges had been answered, and so the CA has not yet tried to verify the answer.
It would be useful to have another kind of log besides the output you already found. That output describes everything in terms of resources (such-and-such resource exists, such-and-such resource exists...) but not in terms of events (such-and-such program established a connection to the CA's API at such a time, requested such-and-such, received such-and-such response...).
The thing you showed above
I0329 19:16:49.167591 1 solver.go:87] cert-manager/acmesolver "msg"="got successful challenge request, writing key" "base_path"="/.well-known/acme-challenge" "host"="suporte.klavaecia.com.br" "path"="/.well-known/acme-challenge/JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0" "token"="JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0"
says that it even managed to create the file with the challenge token, only it seems it never informed the CA (!).
I don't know cert-manager and Kubernetes well, so I don't know where to suggest looking for the other logs. It might be useful to ask on another forum more specialised in that software, at least to ask how to find the event logs. But I don't know whether they have support available in Portuguese...
I'll create another topic here in English just to see whether we have anyone here with more relevant knowledge. If it works out, I'll translate the answer here in this topic.
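The diagnosis above (challenges still pending at the CA even though the token file was served) matches how an ACME client gates the http-01 flow: before it tells the CA a challenge is ready, cert-manager fetches its own challenge file over the public hostname, and if that self-check fails nothing is ever sent to the CA. The Python below is an added illustration of that gate, not code from the thread or from cert-manager; the domain and token come from the thread, while the account JWK and the fetch functions are constructed stand-ins.

```python
import base64
import hashlib
import json
from typing import Callable, Tuple

# Constructed sample data: domain and token are the ones from this thread;
# the account key is a sample EC JWK, not the poster's real ACME account key.
DOMAIN = "suporte.klavaecia.com.br"
TOKEN = "JOs0RoZfu_XIKtVb2s1ZztgB3UjC8MnFL0KqQYgl8S0"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the http-01 challenge file must contain."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_self_check(fetch: Callable[[str], str], domain: str, token: str, jwk: dict) -> Tuple[bool, str]:
    """Fetch our own challenge file the way the CA would; only on success may the
    client POST to the challenge URL. Behind a NAT without hairpin the fetch
    fails, nothing is sent to the CA, and the CA-side challenge stays 'pending'."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        body = fetch(url)
    except OSError as exc:
        return False, f"self-check failed, CA not notified: {exc}"
    if body.strip() != key_authorization(token, jwk):
        return False, "self-check failed, CA not notified: key authorization mismatch"
    return True, "self-check passed: client may now tell the CA the challenge is ready"

# Constructed fetchers standing in for real HTTP requests.
def fetch_behind_nat(url: str) -> str:
    # The node resolves the domain to its public IP, but the NAT does not loop back.
    raise ConnectionRefusedError(f"connect to {url}: connection refused")

def fetch_serving(body: str) -> Callable[[str], str]:
    return lambda url: body

if __name__ == "__main__":
    print(http01_self_check(fetch_behind_nat, DOMAIN, TOKEN, ACCOUNT_JWK)[1])
    print(http01_self_check(fetch_serving(key_authorization(TOKEN, ACCOUNT_JWK)), DOMAIN, TOKEN, ACCOUNT_JWK)[1])
```

Running the self-check from a host outside the NAT (or enabling hairpin NAT on the router) is what lets the client reach the point of notifying the CA, which is why the challenge URLs above changed state only once the NAT issue was fixed.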
schoen
March 30, 2022, 11:55pm
Well, I have just created the topic
Feel free to take part there if you are comfortable in English, or to wait here in this topic.
I managed to solve it, thank you very much for the help. The error was happening because I was behind a NAT.