我已成功在我的 kubernetes 集群中安装了 cert-manager 和 nginx-ingress。Ingress 工作正常,并且经过了测试。通过 cert-manager 创建证书也正常。我创建了一个测试部署,但无法通过 https 访问该服务。
部署文件如下所示:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
服务文件如下所示:
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
app: nginx
最后是入口定义:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- example.com
secretName: example-tls
rules:
- host: example.com
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
证书未颁发,并且我在证书管理器日志中收到以下错误:
cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ': Get \"https://example.com:443/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ\": remote error: tls: handshake failure" "dnsName"="example.com" "resource_kind"="Challenge" "resource_name"="example-tls-2091549504-1001399895-2322937816" "resource_namespace"="default" "type"="http-01"
卷曲挑战的地址:
curl -v https://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ
Trying 123.45.67.89...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
我完全搞不懂为什么会发生这种情况。有什么想法吗?
答案1
问题出在我使用的组件不兼容。删除所有三个主要部分 - MetalLB、Nginx ingress、Cert-Manager - 并使用 Helm 重新安装它们就可以了。定义一个默认证书用于入口。