Again a question on a certificate issue on Istio

Hi team, I have followed this link to configure cert-manager for my Istio, but I am still not able to access the app through the Istio ingress.

My manifest file looks like this:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
  namespace: testing
spec:
  secretName: test-cert
  dnsNames:
  - "example.com"
  issuerRef:
    name: test-letsencrypt
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: test-letsencrypt
  namespace: testing
spec:
  acme:
    email: abc@example.com
    privateKeySecretRef:
      name: testing-letsencrypt-private-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio
      selector: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    certmanager.k8s.io/acme-challenge-type: http01
    certmanager.k8s.io/cluster-issuer: test-letsencrypt
  name: test-gateway
  namespace: testing
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "example.com"
    tls:
      mode: SIMPLE
      credentialName: test-cert

Can anyone help me with what I am missing here?

Error from browser:

Secure Connection Failed

An error occurred during a connection to skydeck-test.asteria.co.in. PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.


These are a few logs that may be helpful:

  Normal   Generated  5m13s                cert-manager  Stored new private key in temporary Secret resource "test-cert-sthkc"
  Normal   Requested  5m13s                cert-manager  Created new CertificateRequest resource "test-cert-htxcr"
  Normal   Issuing    4m33s                cert-manager  The certificate has been successfully issued

samirparhi@Samirs-Mac ~ % k get certificate -n testing

NAME        READY   SECRET      AGE
test-cert   True    test-cert   19m

Note: this namespace (testing) has Istio sidecar injection enabled, and all HTTP requests work, but HTTPS fails when I try to set it up.
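A consistency check over the three manifests in the question, added here as an example and not part of the original post. It represents the manifests as plain dicts so it runs without PyYAML, and it assumes the Istio ingress gateway runs in istio-system and, as Istio documents, only loads credentialName secrets from its own namespace:

```python
# Added example, not from the original post: a consistency check over the
# Certificate / ClusterIssuer / Gateway from the question, as plain dicts so
# it runs without PyYAML. Assumption: the Istio ingress gateway runs in
# "istio-system" and loads credentialName secrets only from that namespace.
INGRESS_GATEWAY_NS = "istio-system"  # assumed ingress gateway namespace

# Trimmed copies of the question's manifests (constructed from the post)
CERTIFICATE = {"kind": "Certificate",
               "metadata": {"name": "test-cert", "namespace": "testing"},
               "spec": {"secretName": "test-cert", "dnsNames": ["example.com"]}}
CLUSTER_ISSUER = {"kind": "ClusterIssuer",
                  "metadata": {"name": "test-letsencrypt", "namespace": "testing"}}
GATEWAY = {"kind": "Gateway",
           "metadata": {"name": "test-gateway", "namespace": "testing"},
           "spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                                 "hosts": ["example.com"],
                                 "tls": {"mode": "SIMPLE", "credentialName": "test-cert"}}]}}

def host_covered(host, dns_names):
    """True if a Gateway host (optionally 'ns/host') is matched by the SAN list."""
    host = host.split("/")[-1]
    if host in dns_names:
        return True
    # a wildcard SAN covers exactly one extra label
    parent = host.split(".", 1)[1:]
    return any(n.startswith("*.") and parent == [n[2:]] for n in dns_names)

def check_tls_wiring(cert, issuer, gateway, gateway_ns=INGRESS_GATEWAY_NS):
    """Return findings that would stop the HTTPS server from coming up."""
    findings = []
    cert_ns = cert["metadata"]["namespace"]
    secret = cert["spec"]["secretName"]
    dns_names = set(cert["spec"].get("dnsNames", []))
    if issuer["kind"] == "ClusterIssuer" and "namespace" in issuer["metadata"]:
        findings.append("ClusterIssuer is cluster-scoped; metadata.namespace is ignored")
    for srv in gateway["spec"]["servers"]:
        tls = srv.get("tls", {})
        if srv["port"]["protocol"] != "HTTPS" or tls.get("mode") not in ("SIMPLE", "MUTUAL"):
            continue  # HTTP or PASSTHROUGH servers carry no credentialName
        cred = tls.get("credentialName")
        if cred != secret:
            findings.append(f"credentialName {cred!r} != Certificate secretName {secret!r}")
        if cert_ns != gateway_ns:
            findings.append(f"secret {secret!r} lives in {cert_ns!r} but the ingress "
                            f"gateway reads credentialName secrets from {gateway_ns!r}")
        missing = [h for h in srv["hosts"] if not host_covered(h, dns_names)]
        if missing:
            findings.append(f"hosts {missing} not covered by dnsNames {sorted(dns_names)}")
    return findings
```

Run against the question's manifests it reports the issuer namespace and the secret/gateway namespace mismatch; a connection reset rather than a certificate warning is what a gateway with no loadable certificate produces, so these are the two findings to clear first.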

I encountered the same problem when my certificate was not authenticated by a trusted third party but instead signed by me. I had to add an exception to my browser in order to access the site. So, a simple money issue.

Also, I was able to add my certificate to the /etc/ssl directory of the client machine to connect without problems.

Also, I was able to add certificates by using TLS secrets and adding them to my virtual service configuration. You can try them too.

Examples:

TLS Secret:

kubectl create -n istio-system secret tls my-tls-secret --key=www.example.com.key --cert=www.example.com.crt

I assumed that you already have your certificate and its key, but in case you need it:

Certificate creation:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=My Company Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=World Wide Example organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt

Just don't forget to fill in the -subj fields in a reasonable manner. They are the working factor of authenticity when it comes to SSL certs, as I understand it. For example, the first line of certificate creation creates a key and certificate for your organisation, which is not approved by authorities to be added to Mozilla's, Chrome's or the OS's SSL database.

That is why you get your "Untrusted certificate" message. So, for that reason, you can simply create a key and create your DNS records on a trusted third party's DNS zone and database, and by paying them, you can use their trusted organisation certificates for authenticating your own site.

Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-tls-secret # must be the same as secret
    hosts:
    - www.example.com

Hope it helps. Feel free to share "app" details.
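The private CA and leaf pair from the answer's "Certificate creation" commands, rebuilt as an added example (not the answerer's own script) with one addition a practitioner needs: the leaf gets a subjectAltName, because browsers ignore the CN and reject a certificate that has no SAN. It assumes openssl 1.1.1 or newer on PATH and uses the constructed example.com names; the verification functions mirror the chain and hostname checks a client performs.

```shell
#!/bin/sh
# Added example, not from the original answer: build the same private CA and
# leaf pair as the answer's openssl commands, but give the leaf a
# subjectAltName (browsers ignore CN), then verify chain and hostname the
# way a client would. Assumes openssl 1.1.1+ on PATH; names are constructed.
WORK=${WORK:-$(mktemp -d)}

make_chain() {
  # private CA, same subject as the answer's first command
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=My Company Inc./CN=example.com' \
    -keyout "$WORK/example.com.key" -out "$WORK/example.com.crt" 2>/dev/null || return 1
  # CSR for the leaf
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.com/O=World Wide Example organization' \
    -keyout "$WORK/www.example.com.key" -out "$WORK/www.example.com.csr" 2>/dev/null || return 1
  # sign with the CA, adding the SAN that the answer's commands omit
  printf 'subjectAltName=DNS:www.example.com\n' > "$WORK/san.ext"
  openssl x509 -req -days 365 -sha256 -CAcreateserial \
    -CA "$WORK/example.com.crt" -CAkey "$WORK/example.com.key" -extfile "$WORK/san.ext" \
    -in "$WORK/www.example.com.csr" -out "$WORK/www.example.com.crt" 2>/dev/null
}

# returns 0 only if the leaf chains to the private CA
verify_chain() {
  openssl verify -CAfile "$WORK/example.com.crt" "$WORK/www.example.com.crt" >/dev/null 2>&1
}

# returns 0 only if the leaf's SAN matches the hostname in $1
check_host() {
  openssl x509 -noout -in "$WORK/www.example.com.crt" -checkhost "$1" 2>/dev/null \
    | grep -q 'does match'
}

# usage: make_chain && verify_chain && check_host www.example.com && echo OK
# then load the pair exactly as the answer does:
#   kubectl create -n istio-system secret tls my-tls-secret \
#     --key="$WORK/www.example.com.key" --cert="$WORK/www.example.com.crt"
```

Clients that trust example.com.crt will then accept www.example.com.crt; anything else still shows the untrusted-certificate warning the answer describes, which is independent of whether the Istio gateway loaded the secret.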