0

我的团队我已按照链接为 My Istio 配置证书管理器,但我仍然无法通过 Istio 入口访问该应用程序。

我的清单文件如下所示:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
  namespace: testing
spec:
  secretName: test-cert
  dnsNames:
  - "example.com"
  issuerRef:
    name: test-letsencrypt
    kind: ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: test-letsencrypt
  namespace: testing
spec:
  acme:
    email: abc@example.com
    privateKeySecretRef:
      name: testing-letsencrypt-private-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio
      selector: {}

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    certmanager.k8s.io/acme-challenge-type: http01
    certmanager.k8s.io/cluster-issuer: test-letsencrypt
  name: test-gateway
  namespace: testing
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "example.com"
    tls:
      mode: SIMPLE
      credentialName: test-cert

谁能帮我解决我在这里缺少的东西?

来自浏览器的错误:

Secure Connection Failed

An error occurred during a connection to skydeck-test.asteria.co.in. PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

Learn more…

这些日志可能会有所帮助:

  Normal   Generated  5m13s                cert-manager  Stored new private key in temporary Secret resource "test-cert-sthkc"
  Normal   Requested  5m13s                cert-manager  Created new CertificateRequest resource "test-cert-htxcr"
  Normal   Issuing    4m33s                cert-manager  The certificate has been successfully issued

samirparhi@Samirs-Mac ~ % k get certificate -n testing

NAME           READY   SECRET         AGE
test-cert   True    test-cert   19m

Note: this Namespace (testing) has Istio side car injection enabled and all the http request is working but HTTPS when I try to setup , it fails
4

1 回答 1

1

当我的证书未经受信任的第三方身份验证而是由我签名时,我遇到了同样的问题。我必须在我的浏览器中添加一个例外才能访问该站点。所以一个简单的金钱问题。

此外,我还能够将我的证书添加到客户端机器的 /etc/ssl 目录中以毫无问题地进行连接。

此外,我还能够通过使用 TLS 机密添加证书并将它们添加到我的虚拟服务配置中。你也可以试试。

例子:

TLS 秘密:

kubectl create -n istio-system secret tls my-tls-secret --key=www.example.com.key --cert=www.example.com.crt

我假设您已经拥有证书及其密钥,但如果您需要它:

证书创建:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=My Company Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=World Wide Example organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt

只是不要忘记以-subj合理的方式填写字段。据我了解,当涉及 SSL 证书时,它们是真实性的工作因素。例如,证书创建的第一行会为您的组织创建密钥和证书。未经当局批准将其添加到 Mozilla 或 Chrome 或操作系统的 ssl 数据库中。

这就是您收到“不受信任的证书”消息的原因。因此,出于这个原因,您可以简单地创建一个密钥并在受信任的第三方 dns 区域和数据库上创建您的 dns 记录,并通过支付他们的费用,您可以使用他们受信任的组织证书来验证您自己的站点。

网关:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-tls-secret # must be the same as secret
    hosts:
    - www.example.com

希望能帮助到你。随意分享“应用程序”的详细信息。

于 2021-04-29T10:16:19.457 回答