cert-manager nginx-ingress SSL 连接错误

tag-icon tag-icon nginx ssl kubernetes ingress
cert-manager nginx-ingress SSL 连接错误

我已成功在我的 kubernetes 集群中安装了 cert-manager 和 nginx-ingress。Ingress 工作正常,并且经过了测试。通过 cert-manager 创建证书也正常。我创建了一个测试部署,但无法通过 https 访问该服务。

部署文件如下所示:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

服务文件如下所示:

apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: nginx

最后是入口定义:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80

证书未颁发,并且我在证书管理器日志中收到以下错误:

cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ': Get \"https://example.com:443/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ\": remote error: tls: handshake failure" "dnsName"="example.com" "resource_kind"="Challenge" "resource_name"="example-tls-2091549504-1001399895-2322937816" "resource_namespace"="default" "type"="http-01"

卷曲挑战的地址:

curl -v https://example.com/.well-known/acme-challenge/ETLbSNl2WHi3jbkc0S8HeYuu5uwKvuQxExn9k54z7dQ
Trying 123.45.67.89...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

我完全搞不懂为什么会发生这种情况。有什么想法吗?

答案1

问题出在我使用的组件不兼容。删除所有三个主要部分 - MetalLB、Nginx ingress、Cert-Manager - 并使用 Helm 重新安装它们就可以了。定义一个默认证书用于入口。

相关内容