
k8s Ingress not using TLS cert

I can't get my Ingress to use my TLS cert. I created a self-signed TLS cert with openssl for the hostname myapp.com and added myapp.com to /etc/hosts.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

I have verified that the Ingress is using the TLS cert

$ kubectl describe ingress myapp-ingress
Name:             myapp-ingress
Labels:           app=myapp
                  name=myapp-ingress
Namespace:        default
Address:          $PUBLIC_IP
Ingress Class:    nginx-ingress-class
Default backend:  <default>
TLS:
  nginx-ingress-tls terminates myapp.com
Rules:
  Host        Path  Backends
  ----        ----  --------
  myapp.com
              /   myapp-service:8080 (10.244.0.14:80)
Annotations:  <none>
Events:
  Type    Reason  Age                 From                      Message
  ----    ------  ----                ----                      -------
  Normal  Sync    19m (x11 over 21h)  nginx-ingress-controller  Scheduled for sync

However, when I curl myapp.com, I get an error message informing me that no subject name matches the target host 'myapp.com'.

$ curl -I https://myapp.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'myapp.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I made sure to give openssl myapp.com as the FQDN. I'm not sure why it isn't working. Any help is appreciated.

Edit:

I'm looking at the logs of the ingress controller. I see the following error messages

$ kubectl logs -n nginx-ingress ingress-nginx-controller-7c45d9ff9f-2hcd7 | grep cert
I0618 20:43:32.096653       7 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0618 20:43:32.116162       7 ssl.go:531] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key"
W0618 20:43:33.246716       7 backend_ssl.go:45] Error obtaining X.509 certificate: unexpected error creating SSL Cert: certificate and private key does not have a matching public key: tls: failed to parse private key
I0618 20:43:33.340807       7 nginx.go:319] "Starting validation webhook" address=":8443" certPath="/usr/local/certificates/cert" keyPath="/usr/local/certificates/key"
W0618 20:43:33.342061       7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
W0618 20:43:37.149824       7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
W0618 20:43:41.152972       7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate

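When you use a certificate that is not signed by a trusted certificate in the installed CA certificate store, you will get the error message: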

failed to verify the legitimacy of the server and therefore could not establish a secure connection to it

As a workaround, you can disable strict certificate checking with the following command:

curl -k https://myapp.com

You can find more details about it in this link.
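The controller log in the question says the key could not be parsed and that the controller fell back to its default certificate; "tls: failed to parse private key" is the error Go's crypto/tls returns for a key it cannot decode. As an added example (not from the original post or from ingress-nginx), this Go program runs the checks a TLS secret has to pass: the key parses, it matches the certificate, and the certificate covers the host. It uses a constructed in-memory RSA pair, and `must`, `NewPair` and `CheckTLSSecret` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // sample-data helper: fail loudly
	if err != nil {
		panic(err)
	}
	return v
}

// NewPair returns a constructed self-signed cert and unencrypted RSA key for host.
func NewPair(host string) (certPEM, keyPEM []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // subjectAltName entry that clients match
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// CheckTLSSecret: the key must parse, must match the cert, and the cert must cover host.
func CheckTLSSecret(certPEM, keyPEM []byte, host string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("key pair unusable: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	return leaf.VerifyHostname(host)
}

func main() {
	cert, key := NewPair("myapp.com") // constructed sample pair
	fmt.Println(CheckTLSSecret(cert, key, "myapp.com"), CheckTLSSecret(cert, key, "other.example"))
}
```

To check a real secret, pass the decoded `tls.crt` and `tls.key` bytes to `CheckTLSSecret` in place of the constructed pair.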
