Name:         airflow-948mm-com-tls-2173481955-20486659-2561768538
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1alpha2
Kind:         Challenge
Metadata:
  Creation Timestamp:  2019-12-24T20:07:45Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Owner References:
    API Version:           acme.cert-manager.io/v1alpha2
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  airflow-948mm-com-tls-2173481955-20486659
    UID:                   a665ac46-2685-11ea-aaac-d61171695d2f
  Resource Version:        74422598
  Self Link:               /apis/acme.cert-manager.io/v1alpha2/namespaces/default/challenges/airflow-948mm-com-tls-2173481955-20486659-2561768538
  UID:                     0ccb602a-2689-11ea-aaac-d61171695d2f
Spec:
  Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/1908800991
  Dns Name:   airflow.948mm.com
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   letsencrypt-prod
  Key:      _nFHyVmTc8NbW2-BgRKTXqJBLQSUsY2g9W2TWIsBe7c.NaXKyxAOHgxOkfJFao9Lw_1H2trs_QmARJDxIX0hkU0
  Solver:
    http01:
      Ingress:
        Class:  nginx
  Token:        _nFHyVmTc8NbW2-BgRKTXqJBLQSUsY2g9W2TWIsBe7c
  Type:         http-01
  URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/1908800991/lFwGiQ
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://airflow.948mm.com/.well-known/acme-challenge/_nFHyVmTc8NbW2-BgRKTXqJBLQSUsY2g9W2TWIsBe7c': Get http://airflow.948mm.com/.well-known/acme-challenge/_nFHyVmTc8NbW2-BgRKTXqJBLQSUsY2g9W2TWIsBe7c: dial tcp 39.98.140.128:80: connect: connection refused
  State:       pending
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Started    8m4s  cert-manager  Challenge scheduled for processing
  Normal  Presented  8m2s  cert-manager  Presented challenge using http-01 challenge mechanism

The fix is to change the value of externalTrafficPolicy in the nginx service's configuration to Cluster.
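The change described above, shown as a Service manifest. This is an added example, not taken from the original post; the Service name, namespace, type, selector label and ports are assumptions and must be replaced with the values from your own nginx ingress installation.

```yaml
# Added example (not from the original post).
# Names, namespace, selector and ports below are hypothetical placeholders.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller        # hypothetical Service name
  namespace: ingress-nginx              # hypothetical namespace
spec:
  type: LoadBalancer                    # assumption; the field also applies to NodePort
  # Before the fix:
  #   externalTrafficPolicy: Local
  # With Local, a node forwards external traffic only to ingress pods
  # running on that same node. Traffic that arrives at a node without an
  # ingress pod is not forwarded, which is consistent with the
  # "connection refused" seen in the challenge self check on port 80.
  #
  # After the fix:
  externalTrafficPolicy: Cluster
  # With Cluster, any node forwards to any ingress pod. The connection is
  # source-NATed on the way, so nginx sees a node address instead of the
  # real client address. Review IP allowlists, rate limits and access-log
  # based detection that rely on the client source IP before switching.
  selector:
    app.kubernetes.io/name: ingress-nginx   # hypothetical selector label
  ports:
    - name: http
      port: 80          # the HTTP-01 self check and the ACME server connect here
      targetPort: 80    # assumption
    - name: https
      port: 443
      targetPort: 443   # assumption
```

After applying the change, the challenge should leave the pending state once the self check GET on `/.well-known/acme-challenge/<token>` succeeds.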

References
Kubernetes CluterIssuer Challenge timeouts

From a Service's externalTrafficPolicy to podAntiAffinity