![K8s: nginx-ingress: SSL_do_handshake() failed (SSL: error:191CF08C:SSL routines:tls_parse_ctos_key_share:bad key share)](https://linux22.com/image/784141/K8s%EF%BC%9Anginx-ingress%EF%BC%9ASSL_do_handshake%EF%BC%88%EF%BC%89%E5%A4%B1%E8%B4%A5%EF%BC%88SSL%EF%BC%9A%E9%94%99%E8%AF%AF%EF%BC%9A191CF08C%EF%BC%9ASSL%20%E4%BE%8B%E7%A8%8B%EF%BC%9Atls_parse_ctos_key_share%EF%BC%9A%E5%9D%8F%E5%AF%86%E9%92%A5%E5%85%B1%E4%BA%AB%EF%BC%89.png)
We found that nginx ingress and cert-manager were outdated and no longer compatible with Kubernetes 1.22. I upgraded both components: nginx-ingress from 0.26.1 to 1.5.1, and cert-manager from 0.12.0 to 1.5.
This results in the cert-manager pods running:
```
kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-dfp85b9bd-ptk9l               1/1     Running   0          26h
cert-manager-cainjector-3d65bcdcfd-fktsz   1/1     Running   0          26h
cert-manager-webhook-c596f8c6c-8cx4x       1/1     Running   0          26h
```
and
```
kubectl get certificates -n default
NAME               READY   SECRET             AGE
alertmanager-tls   False   alertmanager-tls   1y12d
prometheus-tls     False   prometheus-tls     1y19d
```
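and cmctl check api -n cert-manager returns: The cert-manager API is ready
Cleaning up the orphaned secrets deletes the self-signed CA certificates that cert-manager created automatically. After a restart, the logs look mostly clean.
Errors still remain: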
```
cert-manager-cainjector: cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "grafana-tls" not found"
nginx-ingress: SSL_do_handshake() failed (SSL: error:191CF08C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client
```