
Azure App Service Certificate ssl to AKS ingress

I have bought a wildcard SSL certificate from Azure App Service Certificate. I also have an AKS cluster. I want to put it in a secret and use it in an ingress. After purchase, it stored a secret file in Azure Key Vault. I downloaded it and then imported it to create an Azure Key Vault certificate. Then with akv2k8s I created a secret in my AKS and used it in the ingress. Afterwards, my application threw an 'err_cert_authority_invalid' error. Am I doing anything wrong? There is not much documentation on SSL and ingress. In many articles, they use 'Lets Encrypt' or 'Cert Manager'.

https://akv2k8s.io/

• It can be due to the misinterpretation that the certificate is issued by the staging environment or vice versa. Thus, for that purpose, I would suggest that you check the 'stable/wordpress' helm chart with the ingress annotation 'certmanager.k8s.io/cluster-issuer': 'letsencrypt-staging'. This will result in being issued a certificate from the fake issuer. Thus, even if your certificate is ingressed in your AKS as a secret, it will be shown as being issued from a fake issuer since the chain of certificate hash validation is broken in between. Please find below the curl for that purpose:

    # curl -vkI https://blog.my-domain.com/
    ...
    * Server certificate:
    *  subject: CN=blog.my-domain.com
    *  start date: May 13 08:51:13 2019 GMT
    *  expire date: Aug 11 08:51:13 2019 GMT
    *  issuer: CN=Fake LE Intermediate X1
    ...

Then, list the ingresses as follows:

    # kubectl get ing
    NAME             HOSTS                ADDRESS          PORTS     AGE
    blog-wordpress   blog.my-domain.com   35.200.214.186   80, 443   8m48s

and the certificates too:

    # kubectl get certificates
    NAME                  READY   SECRET                AGE
    wordpress.local-tls   True    wordpress.local-tls   9m

Then, switch the issuer of the certificate to the one that originally issued the certificate, as below:

    # kubectl edit ing blog-wordpress

And update the annotation as below:

    certmanager.k8s.io/cluster-issuer: letsencrypt-prod

Once the ingress manifest is updated, the certificate manifest will automatically be updated. To verify it, open the manifest for the 'wordpress.local-tls' certificate resource as below:

    kubectl edit certificate wordpress.local-tls

The issuer will be seen as updated as below:

    kubectl edit certificate wordpress.local-tls

Thus, in this way, you will be able to import a certificate secret in AKS. For more details, please refer to the link below:

https://github.com/vmware-archive/kube-prod-runtime/issues/532
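
The issuer check from the curl output above can be scripted. This is an added example, not part of the original answer: `cert_field` and `classify_issuer` are hypothetical helper names, `SAMPLE_OK` is constructed, and the ingress-nginx default certificate name is included as a second cause of the same browser error.

```shell
#!/bin/sh
# Added example: classify the certificate an ingress actually serves by
# reading the "Server certificate" section of `curl -v` output on stdin.

# Print one field (e.g. "issuer", "subject") from curl's verbose TLS details.
cert_field() {
    sed -n "s/^[[:space:]]*\**[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Print a class for the issuer found on stdin:
#   staging         - Let's Encrypt staging ("Fake LE ...") issuer
#   ingress-default - ingress-nginx self-signed fallback; the TLS secret
#                     named in the Ingress was not found or not usable
#   missing         - no issuer line in the input (no TLS handshake shown)
#   ok              - any other issuer; compare it with the CA you expect
classify_issuer() {
    issuer=$(cert_field issuer)
    case "$issuer" in
        "") echo "missing" ;;
        *"Fake LE"*) echo "staging" ;;
        *"Kubernetes Ingress Controller Fake Certificate"*) echo "ingress-default" ;;
        *) echo "ok" ;;
    esac
}

# Output quoted in the answer above.
SAMPLE_STAGING='* Server certificate:
*  subject: CN=blog.my-domain.com
*  start date: May 13 08:51:13 2019 GMT
*  expire date: Aug 11 08:51:13 2019 GMT
*  issuer: CN=Fake LE Intermediate X1'

# Constructed sample with a placeholder CA name.
SAMPLE_OK='* Server certificate:
*  subject: CN=*.example.test
*  issuer: C=US; O=Example CA; CN=Example Issuing CA'

printf '%s\n' "$SAMPLE_STAGING" | classify_issuer
printf '%s\n' "$SAMPLE_OK" | classify_issuer

# Live use (curl writes the TLS details to stderr):
#   curl -vkI https://blog.my-domain.com/ 2>&1 | classify_issuer
```

A result of `ok` only means the issuer is not one of the known placeholders; the browser still rejects the chain if the secret lacks the intermediate certificates.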
