
I have an application that needs to perform client-certificate authentication for a specific API. If I try to authenticate with the client certificate using the pod or service URL, it works fine.

As soon as I try to do it through the nginx ingress URL it stops working and results in a 502 error. The ingress log shows:

2020/02/11 13:07:36 [error] 7285#7285: *8030939 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] sticky.lua:134: balance(): failed to get new upstream; using upstream nil while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] balancer.lua:269: balance(): no peer was returned, balancer: sticky_balanced while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [crit] 7285#7285: *8030939 connect() to 0.0.0.1:80 failed (22: Invalid argument) while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 upstream server temporarily disabled while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"

I tried enabling client-certificate authentication at the ingress level, but that breaks the other APIs that do not need client-certificate authentication.

Is there a way to have the Ingress not attempt certificate authentication and instead pass the certificate through to the application, so that the application can handle the certificate authentication itself?

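The log line that matters is the first one: TLS alert 42 (bad_certificate) is sent by the upstream at 10.246.226.91:8444 while nginx is handshaking to it. The ingress terminates the browser's TLS session and opens a new TLS session of its own to the backend, so the client certificate the browser presented never reaches the application; the backend sees a connection with no client certificate and rejects it, which the ingress reports as a 502. The two ingress-nginx configurations below are an added example, not part of the original question or of any answer to it. They show the two ways to move the decision back to the application: let the raw TLS stream pass through the ingress untouched, or terminate at the ingress with client certificates optional and hand the certificate to the backend as a header. The namespace, Service names, ports other than 8444, Secret names and the /openidm path are assumptions chosen for illustration.

```yaml
# Added example (not from the original question). Two ways to let the
# application, rather than the ingress, authenticate the client certificate.
# Assumed (hypothetical) names: namespace "openidm", Service "openidm" with
# the mTLS listener on 8444 and a plain-HTTP listener on 8080, TLS Secret
# "openidm-tls", and a Secret "client-ca" whose ca.crt holds the client CA.
#
# Option A: TLS passthrough. The controller routes on the SNI name and
# forwards the TCP stream as-is, so the application runs the full mTLS
# handshake exactly as it does when hit on the pod or service URL.
# Needs the controller started with --enable-ssl-passthrough. Because the
# ingress never sees HTTP, there is no path routing, no header injection
# and no sticky-session handling for this host; the whole host maps to
# one backend, and the certificate the browser sees is the application's.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openidm-passthrough
  namespace: openidm
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: sample.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: openidm
                port:
                  number: 8444
---
# Option B: terminate TLS at the ingress, request but do not require a
# client certificate, and forward it to the backend in HTTP headers.
# Requests without a certificate still reach the APIs that do not need
# one; for the API that does, the application inspects
#   ssl-client-verify  -> "SUCCESS", "NONE" or "FAILED:<reason>"
#   ssl-client-cert    -> URL-encoded PEM of the presented certificate
# and makes its own decision. The hop to the backend no longer carries the
# client certificate at the TLS layer, so it must target a listener that
# does not demand one (the assumed plain-HTTP port 8080 here).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openidm-mtls-optional
  namespace: openidm
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-secret: "openidm/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - sample.domain.com
      secretName: openidm-tls
  rules:
    - host: sample.domain.com
      http:
        paths:
          - path: /openidm
            pathType: Prefix
            backend:
              service:
                name: openidm
                port:
                  number: 8080
```

Option A is the literal answer to the question as asked: the ingress performs no certificate handling at all. Option B is the usual choice when you still want the ingress to do path routing or header-based features, but it changes the trust model: the application must trust the ssl-client-cert and ssl-client-verify headers only on connections that come from the ingress, so the 8080 listener should not be reachable by any other route, and the ingress chain (auth-tls-secret plus verify-depth) is what actually establishes that the certificate chains to your CA. In both cases the 8444 listener keeps requiring a client certificate, so the pod and service URLs behave exactly as they do today.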