
Again a question on Certificate issue on Istio

Hi team, I have followed this link to configure cert-manager for my Istio, but I am still not able to access the app through the Istio ingress.

My manifest file looks like this:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
  namespace: testing
spec:
  secretName: test-cert
  dnsNames:
  - "example.com"
  issuerRef:
    name: test-letsencrypt
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: test-letsencrypt
  namespace: testing
spec:
  acme:
    email: abc@example.com
    privateKeySecretRef:
      name: testing-letsencrypt-private-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio
      selector: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    certmanager.k8s.io/acme-challenge-type: http01
    certmanager.k8s.io/cluster-issuer: test-letsencrypt
  name: test-gateway
  namespace: testing
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "example.com"
    tls:
      mode: SIMPLE
      credentialName: test-cert

Can anyone help me with what I am missing here?

Error from browser:

Secure Connection Failed

An error occurred during a connection to skydeck-test.asteria.co.in. PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.


These are a few logs that may be helpful:

  Normal   Generated  5m13s                cert-manager  Stored new private key in temporary Secret resource "test-cert-sthkc"
  Normal   Requested  5m13s                cert-manager  Created new CertificateRequest resource "test-cert-htxcr"
  Normal   Issuing    4m33s                cert-manager  The certificate has been successfully issued

samirparhi@Samirs-Mac ~ % k get certificate -n testing

NAME           READY   SECRET         AGE
test-cert   True    test-cert   19m

Note: this namespace (testing) has Istio sidecar injection enabled, and all HTTP requests are working, but when I try to set up HTTPS it fails.

I encountered the same problem when my certificate was not authenticated by a trusted third party but was instead signed by me. I had to add an exception to my browser in order to access the site. So, a simple money issue.

Also, I was able to add my certificate to the /etc/ssl directory of the client machine to connect without problems.

Also, I was able to add certificates by using TLS secrets and adding them to my virtual service configuration. You can try that too.

Examples:

TLS Secret:

kubectl create -n istio-system secret tls my-tls-secret --key=www.example.com.key --cert=www.example.com.crt

I assumed that you already have your certificate and its key, but in case you need them:

Certificate creation:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=My Company Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=World Wide Example organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt

Just don't forget to fill in the -subj fields in a reasonable manner. They are the working factor of authenticity when it comes to SSL certs, as I understand it. For example, the first line of certificate creation creates a key and certificate for your organisation, which is not approved by authorities to be added to Mozilla's, Chrome's or the OS's SSL database.

That is why you get your "Untrusted certificate" message. So, for that reason, you can simply create a key, create your DNS records in a trusted third party's DNS zone and database, and, by paying them, use their trusted organisation certificates for authenticating your own site.

Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-tls-secret # must be the same as secret
    hosts:
    - www.example.com

Hope it helps. Feel free to share "app" details.
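As an added example (not part of the question or the answer above), here is a small consistency check over the cert-manager Certificate, ClusterIssuer and Istio Gateway from the question: it verifies that the secret named by credentialName is written where the ingress gateway reads it, that the Gateway hosts are covered by the certificate's dnsNames, and whether the issuer is the Let's Encrypt staging endpoint. It assumes the ingress gateway workload runs in istio-system (Istio's default); the dicts are constructed from the manifests in the question.

```python
# Added example: consistency check for the cert-manager + Istio Gateway wiring.
GATEWAY_NS = "istio-system"  # assumption: namespace of the ingressgateway pod
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed from the question's manifests, reduced to the fields we check.
certificate = {"namespace": "testing", "secretName": "test-cert",
               "dnsNames": ["example.com"], "issuerRef": "test-letsencrypt"}
cluster_issuer = {"name": "test-letsencrypt", "server": LE_STAGING}
gateway = {"namespace": "testing", "hosts": ["example.com"],
           "credentialName": "test-cert"}


def host_covered(host, dns_names):
    """True if host is covered by one of the dnsNames (TLS wildcard = one label)."""
    for name in dns_names:
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif host == name:
            return True
    return False


def check_tls_wiring(cert, issuer, gw, gateway_ns=GATEWAY_NS):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    if cert["secretName"] != gw["credentialName"]:
        findings.append("credentialName does not match Certificate.spec.secretName")
    # The Istio ingress gateway loads credentialName secrets from its own
    # namespace, so the Certificate must create its secret there, not in the
    # application namespace.
    if cert["namespace"] != gateway_ns:
        findings.append(f"secret '{cert['secretName']}' is created in "
                        f"'{cert['namespace']}' but the gateway reads '{gateway_ns}'")
    for host in gw["hosts"]:
        if not host_covered(host, cert["dnsNames"]):
            findings.append(f"gateway host '{host}' not covered by {cert['dnsNames']}")
    if cert["issuerRef"] != issuer["name"]:
        findings.append("issuerRef does not name the ClusterIssuer")
    if issuer["server"] == LE_STAGING:
        findings.append("issuer uses the Let's Encrypt staging server; "
                        "browsers do not trust its chain")
    return findings


if __name__ == "__main__":
    for finding in check_tls_wiring(certificate, cluster_issuer, gateway):
        print("-", finding)
```

With the question's values this reports two findings (secret namespace and staging issuer); moving the Certificate to istio-system and pointing the issuer at the production ACME server yields none.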
