[英]k8s Ingress not using TLS cert
I can't get my Ingress to use my TLS cert.我无法让我的 Ingress 使用我的 TLS 证书。 I have created a self signed TLS cert using openssl for hostname myapp.com and added myapp.com to /etc/hosts.
我使用 openssl 为主机名 myapp.com 创建了一个自签名 TLS 证书,并将 myapp.com 添加到 /etc/hosts。
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
I have verified the Ingress is using the TLS cert我已验证 Ingress 正在使用 TLS 证书
$ kubectl describe ingress myapp-ingress
Name: myapp-ingress
Labels: app=myapp
name=myapp-ingress
Namespace: default
Address: $PUBLIC_IP
Ingress Class: nginx-ingress-class
Default backend: <default>
TLS:
nginx-ingress-tls terminates myapp.com
Rules:
Host Path Backends
---- ---- --------
myapp.com
/ myapp-service:8080 (10.244.0.14:80)
Annotations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 19m (x11 over 21h) nginx-ingress-controller Scheduled for sync
however, when I curl myapp.com, I get an error message informing me no subject name matches target host 'myapp.com'.但是,当我 curl myapp.com 时,我收到一条错误消息,通知我没有主题名称与目标主机“myapp.com”匹配。
$ curl -I https://myapp.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'myapp.com'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I made sure to give openssl myapp.com as the FQDN.我确保将 openssl myapp.com 作为 FQDN。 I'm not sure why it isn't working.
我不确定为什么它不起作用。 Any help is appreciated.
任何帮助表示赞赏。
Edit:编辑:
I'm looking at the logs of the ingress controller.我正在查看入口控制器的日志。 I see the following error messages
我看到以下错误消息
$ kubectl logs -n nginx-ingress ingress-nginx-controller-7c45d9ff9f-2hcd7 | grep cert
I0618 20:43:32.096653 7 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0618 20:43:32.116162 7 ssl.go:531] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key"
W0618 20:43:33.246716 7 backend_ssl.go:45] Error obtaining X.509 certificate: unexpected error creating SSL Cert: certificate and private key does not have a matching public key: tls: failed to parse private key
I0618 20:43:33.340807 7 nginx.go:319] "Starting validation webhook" address=":8443" certPath="/usr/local/certificates/cert" keyPath="/usr/local/certificates/key"
W0618 20:43:33.342061 7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
W0618 20:43:37.149824 7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
W0618 20:43:41.152972 7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
When you are using a cert that is not signed by trusted certificates in the installed CA certificate store, you will get the error message:当您使用未由已安装 CA 证书存储中的受信任证书签名的证书时,您将收到错误消息:
failed to verify the legitimacy of the server and therefore could not establish a secure connection to it
As a workaround, you can disable the strict certificate checking it with the following command:作为一种解决方法,您可以使用以下命令禁用严格证书检查:
curl -k https://myapp.com
You can find more details about it in this link .您可以在此链接中找到有关它的更多详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.