我已经使用Nginx Ingress一段时间了,最近我尝试从Pod中访问HTTPS站点时遇到错误。
错误始终相同:
E1022 17:33:58.843638 1 controller.go:131] cert-manager/controller/orders "msg"="re-queuing item due to error processing" "error"="error creating new order: Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v02.api.letsencrypt.org" "key"="gitlab/git-cert-1197334735-497646583"
同样,我的gitlab运行程序由于图像拉出错误而失败,这是相同的
Step 1/8 : FROM node:12.9
Get https://registry-1.docker.io/v2/: x509: certificate is valid for ingress.local, not registry-1.docker.io
ERROR: Job failed: command terminated with exit code 1
我已经从Ingress官方页面安装了Ingress,并且我的Ingress资源如下
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: resources-ingress
namespace: gitlab
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: le-clusterissuer
spec:
tls:
- hosts:
- git.terrainserver.com
secretName: git-cert-secret
- hosts:
- registry.terrainserver.com
secretName: registry-cert-secret
- hosts:
- www.terrainserver.com
secretName: pts-server-cert-secret
rules:
- host: git.terrainserver.com
http:
paths:
- path: /
backend:
serviceName: gitlab
servicePort: 80
- host: registry.terrainserver.com
http:
paths:
- path: /
backend:
serviceName: registry
servicePort: 5000
- host: www.terrainserver.com
http:
paths:
- path: /
backend:
serviceName: pts-server
servicePort: 5000
最重要的是:问题与证书管理器无关,而不是与来自kubernetes容器的安全URL建立连接的问题
我正在使用证书管理器来管理来自let加密的证书。问题是,从kubernetes群集传出的连接无法验证远程主机证书。我了解的是Nginx正在替换其自己的证书,该证书是从远程主机即docker或letencrypt传入的。因此已建立到docker.io的连接,但传入证书是本地nginx证书。也许Ingress正在拦截和替换来自docker.io或letencrypt站点的远程证书?
最后我已经解决了这个问题。该错误位于DNS记录中。我已经在dns中激活了通配符路由。我没有单独输入子域,但是将* .terrainserver.com解锁为我的IP地址。这把事情搞砸了,并在上面给出了错误。
解决方案是删除通配符DNS路由并单独定义您的子域。