kubectl command, using the private key and certificate prepared in step 1, to create the Kubernetes secret:
kubectl create secret tls my-secret -n test --key server.key --cert server.crt
This certificate is only used for internal traffic, and we want it to be valid for ten years. Why did it change to one year? How can the validity period of the original certificate be kept?
Output of kubectl get secret dpaas-secret -n dpaas-prod -o yaml:
apiVersion: v1
data:
  tls.crt: <redacted base64 certificate>
  tls.key: <redacted base64 private key>
kind: Secret
metadata:
  creationTimestamp: "2019-12-16T14:31:59Z"
  name: dpaas-secret
  namespace: dpaas-prod
  resourceVersion: "134564"
  selfLink: /api/v1/namespaces/dpaas-prod/secrets/dpaas-secret
  uid: d1c692b6-2010-11ea-bce8-1247666f5179
type: kubernetes.io/tls
Output of kubectl describe ingress ingress-test4 -n dpaas-prod:
Name:             ingress-test4
Namespace:        dpaas-prod
Address:          ad6c6ea681f5d11ea91440a6af5c8987-559e0a22f4b3e398.elb.us-east-1.amazonaws.com
Default backend:  default-http-backend:80 (<none>)
TLS:
  dpaas-secret terminates
Rules:
  Host                     Path  Backends
  ----                     ----  --------
  test4.dps.mycompany.com
                           /     cpe-test4:80 (10.0.13.222:8080,10.0.38.178:8080)
Annotations:
  nginx.ingress.kubernetes.io/force-ssl-redirect:  false
  nginx.ingress.kubernetes.io/server-alias:        test4.dps.us-east-1.mycompany.com
  nginx.ingress.kubernetes.io/ssl-redirect:        true
Events:  <none>
Answer 0 (score: 1)
Usually, "Kubernetes Ingress Controller Fake Certificate" means there is a problem with the certificate itself or with the setup. You can read more about it here, here, here and here.
None of these posts will tell you how to fix your problem, because the causes can be very varied and depend on your certificate and how it was generated.
Here, for example, the reported problem was not with the certificate itself but with the ingress:
"I just realised that I was the one missing the host in the rules (not sure if that is required, but it solved the problem and the certificate now being used is the one I provided, not the fake Kubernetes one). My ingress example:"
So, as I suggested in the comments, you checked the steps used to generate the certificate and found that adding the certificate Common Name to the SAN list and regenerating the self-signed certificate fixed the issue.
Answer 1 (score: 0)
Thanks Wotney, your remark that "Kubernetes Ingress Controller Fake Certificate" indicates a problem with the certificate itself made me investigate further. I found that adding the certificate Common Name to the SAN list and regenerating the self-signed certificate fixed the problem :)
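The two answers agree on the fix (the Common Name must also appear in the SAN list, because ingress-nginx and modern TLS clients match the host against SAN, not CN), and the question also asks how to keep a ten-year validity. The following script is an added example, not code from the question or either answer: it generates a self-signed key and certificate with the host in subjectAltName and a 3650-day validity, checks both properties with openssl before anything is handed to Kubernetes, builds the same kubernetes.io/tls Secret manifest shown in the question, and includes a diagnostic for the fake-certificate symptom. The host name test4.dps.mycompany.com and the secret name my-secret are taken from the question; everything else (function names, file paths) is assumed.

```shell
#!/bin/sh
# Added example: self-signed TLS material for an ingress, checked before use.
set -eu

# Hypothetical defaults; the host is the one from the question's ingress rule.
HOST="${HOST:-test4.dps.mycompany.com}"
DAYS="${DAYS:-3650}"   # ten years, as the question wants

# openssl config that puts the CN into subjectAltName (the actual fix).
write_openssl_cfg() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST
EOF
}

# gen_cert KEYFILE CERTFILE: self-signed cert, CN and SAN both set to $HOST.
gen_cert() {
  cfg=$(mktemp)
  write_openssl_cfg "$cfg"
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$DAYS" \
    -keyout "$1" -out "$2" -config "$cfg" -extensions v3_req 2>/dev/null
  rm -f "$cfg"
}

# san_has_host CERTFILE: succeeds only if the SAN list contains DNS:$HOST.
san_has_host() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 "Subject Alternative Name" | grep -qF "DNS:$HOST"
}

# valid_for_days CERTFILE N: succeeds if the cert is still valid N days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# secret_manifest NAME NAMESPACE KEYFILE CERTFILE: the kubernetes.io/tls Secret
# that "kubectl create secret tls" would produce (base64 via openssl, portable).
secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(openssl base64 -A -in "$4")
  tls.key: $(openssl base64 -A -in "$3")
EOF
}

# served_cert_is_fake HOST[:PORT]: diagnostic for the symptom in the question.
# Succeeds if the ingress controller is still serving its fallback certificate.
served_cert_is_fake() {
  printf '' | openssl s_client -connect "${1}:${2:-443}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null \
    | grep -q "Kubernetes Ingress Controller Fake Certificate"
}

main() {
  gen_cert server.key server.crt
  san_has_host server.crt      || { echo "SAN does not contain $HOST" >&2; exit 1; }
  valid_for_days server.crt 3649 || { echo "validity shorter than ten years" >&2; exit 1; }
  secret_manifest my-secret test server.key server.crt > my-secret.yaml
  echo "wrote server.key, server.crt and my-secret.yaml; apply with: kubectl apply -f my-secret.yaml"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` in an empty directory; the validity check is done against the file itself, so a one-year certificate (for example one produced by a tool that ignores `-days`) is caught before it reaches the cluster. After applying the Secret and referencing it from the ingress TLS block, `served_cert_is_fake test4.dps.mycompany.com` should fail, meaning the served certificate is the one you provided.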