Default certificate on Nginx-ingress


Problem description

I want to disable SNI on the nginx-ingress. If a call using openssl like the one below is used:

openssl s_client -showcerts -connect ***********.gr:443

Then I want nginx-ingress to use only the certificate that I have configured and not the fake-k8s-cert.

The certificate is working if I browse the web app, but I also need to set the default certificate.

Below is an example:

[root@production ~]# openssl s_client -showcerts -connect 3dsecureuat.torawallet.gr:443
CONNECTED(00000003)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
   i:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
-----BEGIN CERTIFICATE-----

---
Server certificate
subject=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
issuer=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
---
Acceptable client certificate CA names
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
...

I have also configured the ingress to use the secret on all hostnames without specifying a host: tls: - secretName: ******wte-ingress

Recommended answer

Default SSL Certificate flag solved the issue as OP mentioned.

In the Nginx documentation you can read:

NGINX Ingress controller provides the flag --default-ssl-certificate. The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If this flag is not provided, NGINX will use a self-signed certificate.

For instance, if you have a TLS secret foo-tls in the default namespace, add --default-ssl-certificate=default/foo-tls to the nginx-controller deployment.

The default certificate will also be used for ingress tls: sections that do not have a secretName option.
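As an added example (not part of the original answer or of the ingress-nginx project), the following script checks whether an endpoint still answers a non-SNI connection with the controller's fake certificate, and builds the --default-ssl-certificate flag and a kubectl JSON patch that appends it to the controller's arguments. The deployment name and namespace in the comment (ingress-nginx-controller in ingress-nginx) are assumptions; the sample subject lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the ingress-nginx project:
# detect whether a TLS endpoint still answers non-SNI connections with the
# controller's fake certificate, and build the flag/patch that fixes it.

FAKE_CN='Kubernetes Ingress Controller Fake Certificate'

# Print the CN from the 'subject=' line of 'openssl s_client' output on stdin.
# Handles both the old '/O=.../CN=...' and the newer 'O = ..., CN = ...' styles.
subject_cn() {
  sed -n 's#^subject=.*CN *= *\([^,/]*\).*#\1#p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Exit 0 when the presented certificate is the controller's placeholder.
is_fake_cert() {
  [ "$(subject_cn)" = "$FAKE_CN" ]
}

# Live check of a host *without* SNI (no -servername), which is exactly the
# catch-all server the OP's command hits. Needs network; not used by the tests.
check_host() {
  openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null | is_fake_cert
}

# Build the controller argument from namespace and secret name, e.g.
# "--default-ssl-certificate=default/foo-tls".
default_cert_flag() {
  printf '%s=%s/%s\n' '--default-ssl-certificate' "$1" "$2"
}

# JSON patch that appends that flag to the controller container's args.
# Deployment name and namespace below are assumptions; adjust to your install:
#   kubectl -n ingress-nginx patch deployment ingress-nginx-controller \
#     --type=json -p "$(default_cert_patch default foo-tls)"
# The secret itself is created with:
#   kubectl -n default create secret tls foo-tls --cert=tls.crt --key=tls.key
default_cert_patch() {
  printf '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"%s"}]\n' \
    "$(default_cert_flag "$1" "$2")"
}

# Constructed sample subject lines: the OP's fake one and a healthy one.
SAMPLE_FAKE='subject=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate'
SAMPLE_REAL='subject=C = GR, O = Example Ltd, CN = example.gr'
```

After applying the patch, re-run the OP's openssl command (without -servername) and confirm the subject is no longer the fake certificate; the Ingress tls: entries without a secretName will then pick up the same default.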
