Nginx
cert-manager nginx-ingress SSL 連接錯誤
我在我的 kubernetes 集群中成功安裝了 cert-manager 和 nginx-ingress。Ingress 正在按預期工作並經過測試。通過 cert-manager 創建證書也有效。我創建了一個測試部署,但無法通過 https 訪問該服務。
部署文件如下所示:
apiVersion: apps/v1 kind: Deployment metadata: name: nginx spec: selector: matchLabels: app: nginx replicas: 1 template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx ports: - containerPort: 80
服務文件如下所示:
apiVersion: v1 kind: Service metadata: name: nginx spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: app: nginx
最後是入口定義:
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: example annotations: kubernetes.io/ingress.class: "nginx" cert-manager.io/issuer: "letsencrypt-staging" spec: tls: - hosts: - example.com secretName: example-tls rules: - host: example.com http: paths: - path: / backend: serviceName: nginx servicePort: 80
證書未頒發,我在 cert-manager 日誌中收到以下錯誤:
cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ': Get \"https://example.com:443/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ\": remote error: tls: handshake failure" "dnsName"="example.com" "resource_kind"="Challenge" "resource_name"="example-tls-2091549504-1001399895-2322937816" "resource_namespace"="default" "type"="http-01"
捲曲挑戰地址:
curl -v https://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ Trying 123.45.67.89... * TCP_NODELAY set * Connected to example.com (127.0.0.1) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS alert, Server hello (2): * error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure * stopped the pause stream! * Closing connection 0 curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
我很困惑為什麼會這樣。有任何想法嗎?
問題是我使用的組件不兼容。刪除所有三個主要部分 - MetalLB、Nginx ingress、Cert-Manager - 並使用 Helm 重新安裝它們就可以了。為 ingress定義一個預設證書也很重要。