Nginx

cert-manager nginx-ingress SSL 連接錯誤

  • April 7, 2020

我在我的 kubernetes 集群中成功安裝了 cert-manager 和 nginx-ingress。Ingress 正在按預期工作並經過測試。通過 cert-manager 創建證書也有效。我創建了一個測試部署,但無法通過 https 訪問該服務。

部署文件如下所示:

apiVersion: apps/v1
kind: Deployment
metadata:
 name: nginx
spec:
 selector:
   matchLabels:
     app: nginx
 replicas: 1
 template:
   metadata:
     labels:
       app: nginx
   spec:
     containers:
     - name: nginx
       image: nginx
       ports:
       - containerPort: 80

服務文件如下所示:

apiVersion: v1
kind: Service
metadata:
 name: nginx
spec:
 ports:
 - port: 80
   targetPort: 80
   protocol: TCP
 selector:
   app: nginx

最後是入口定義:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: example
 annotations:
   kubernetes.io/ingress.class: "nginx"
   cert-manager.io/issuer: "letsencrypt-staging"
spec:
 tls:
 - hosts:
   - example.com
   secretName: example-tls
 rules:
 - host: example.com
   http:
     paths:
     - path: /
       backend:
         serviceName: nginx
         servicePort: 80

證書未頒發,我在 cert-manager 日誌中收到以下錯誤:

cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ': Get \"https://example.com:443/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ\": remote error: tls: handshake failure" "dnsName"="example.com" "resource_kind"="Challenge" "resource_name"="example-tls-2091549504-1001399895-2322937816" "resource_namespace"="default" "type"="http-01" 

捲曲挑戰地址:

curl -v https://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ
Trying 123.45.67.89...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
 CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

我很困惑為什麼會這樣。有任何想法嗎?

問題是我使用的組件不兼容。刪除所有三個主要部分 - MetalLB、Nginx ingress、Cert-Manager - 並使用 Helm 重新安裝它們就可以了。為 ingress定義一個預設證書也很重要。

引用自:https://serverfault.com/questions/1010569