openssl授予Kubernetes入口控制器伪造证书 [英] openssl giving Kubernetes Ingress Controller Fake Certificate

问题描述

我已经配置了ssl证书，如果我访问https://<domain>.com，我看到我的证书已成功配置，但是当我尝试通过以下命令检查证书时

I have configured ssl certificate, if I visit https://<domain>.com, I see that my certificate is configured successfully but when I try to check certificate by following command

openssl s_client -connect <domain>.com:443 | openssl x509 -noout -subject -issuer

我得到Kubernetes Ingress Controller Fake Certificate

我的ingres配置是:

My ingres config is :

  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
  name: nginx-echo
spec:
  tls:
    - hosts:
      - domain.com
      secretName: domain.com
  rules:
    - host: domain.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
                name: website-lorem
                port:
                    number: 80

with命令给出相同的伪证书: openssl s_client -connect <domain>.com:443 -servername <domain> | openssl x509 -noout -subject -issuer

with command gives the same fake certificate: openssl s_client -connect <domain>.com:443 -servername <domain> | openssl x509 -noout -subject -issuer

日志:

 6 flags.go:205] Watching for Ingress class: nginx
W1029 22:02:36.331841       6 flags.go:210] Ingresses with an empty class will also be processed by this Ingress controllernginx
W1029 22:02:36.332409       6 flags.go:252] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W1029 22:02:36.332525       6 client_config.go:552] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1029 22:02:36.332855       6 main.go:231] Creating API client for https://<ip>:443
I1029 22:02:36.342532       6 main.go:275] Running in Kubernetes cluster version v1.19 (v1.19.2) - git (clean) commit f57430*** - platform linux/amd64
I1029 22:02:36.470142       6 main.go:105] SSL fake certificate created /etc/ingress-controller/ssl/default-fake-certificate.pem
I1029 22:02:36.472357       6 main.go:113] Enabling new Ingress features available since Kubernetes v1.18
W1029 22:02:36.476751       6 main.go:125] No IngressClass resource with name nginx found. Only annotation will be used.
I1029 22:02:36.485119       6 ssl.go:528] loading tls certificate from certificate path /usr/local/certificates/cert and key path /usr/local/certificates/key
I1029 22:02:36.544518       6 nginx.go:263] Starting NGINX Ingress controller

推荐答案

问题是那个

1. -不是default-ssl-certificate标志
2. 未设置中间证书

现在可以正常工作了.

https://github.com/kubernetes/ingress-nginx/issues/6398

这篇关于openssl授予Kubernetes入口控制器伪造证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！