我的团队我已经按照这个链接为我的Istio配置了证书管理器,但我仍然无法通过Istio入口访问该应用程序。
我的清单文件如下:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-cert
namespace: testing
spec:
secretName: test-cert
dnsNames:
- "example.com"
issuerRef:
name: test-letsencrypt
kind: ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: test-letsencrypt
namespace: testing
spec:
acme:
email: abc@example.com
privateKeySecretRef:
name: testing-letsencrypt-private-key
server: https://acme-staging-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: istio
selector: {}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
annotations:
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/cluster-issuer: test-letsencrypt
name: test-gateway
namespace: testing
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "example.com"
tls:
mode: SIMPLE
credentialName: test-cert
有人能帮我解决我在这里缺少的东西吗?
浏览器错误:
Secure Connection Failed
An error occurred during a connection to skydeck-test.asteria.co.in. PR_CONNECT_RESET_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
Learn more…
以下几条日志可能会有所帮助:
Normal Generated 5m13s cert-manager Stored new private key in temporary Secret resource "test-cert-sthkc"
Normal Requested 5m13s cert-manager Created new CertificateRequest resource "test-cert-htxcr"
Normal Issuing 4m33s cert-manager The certificate has been successfully issued
samirparhi@Samirs-Mac ~ % k get certificate -n testing
NAME READY SECRET AGE
test-cert True test-cert 19m
Note: this Namespace (testing) has Istio side car injection enabled and all the http request is working but HTTPS when I try to setup , it fails
当我的证书没有经过可信的第三方验证,而是由我签名时,我遇到了同样的问题。我必须在浏览器中添加一个异常才能访问该网站。所以这是一个简单的资金问题。
此外,我还可以将我的证书添加到客户端机器的/etc/ssl目录中进行连接,而不会出现问题。
此外,我还可以通过使用TLS机密添加证书,并将它们添加到我的虚拟服务配置中。你也可以试试。
示例:
TLS机密:
kubectl create -n istio-system secret tls my-tls-secret --key=www.example.com.key --cert=www.example.com.crt
我假设你已经有了证书和密钥,但如果你需要它:
证书创建:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=My Company Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=World Wide Example organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt
只是不要忘记以合理的方式填充-subj字段。据我所知,当涉及到SSL证书时,它们是真实性的工作因素。例如,证书创建的第一行为您的组织创建密钥和证书。未经当局批准添加到Mozilla、Chrome或OS的ssl数据库中。
这就是为什么你得到你的";不可信证书";消息因此,出于这个原因,你可以简单地创建一个密钥,并在可信的第三方dns区域和数据库上创建你的dns记录,通过向他们付款,你可以使用他们的可信组织证书来验证你自己的网站。
网关:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: mygateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: my-tls-secret # must be the same as secret
hosts:
- www.example.com
希望能有所帮助。请随意分享";应用程序";详细信息。