我有一个需要对特定API进行客户端证书身份验证的应用程序。如果我尝试通过POD或服务URL使用客户端证书进行身份验证,则可以正常工作。
一旦我尝试使用nginx入口URL进行操作,它将停止工作,并导致502错误。入口日志显示:
2020/02/11 13:07:36 [error] 7285#7285: *8030939 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] sticky.lua:134: balance(): failed to get new upstream; using upstream nil while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] balancer.lua:269: balance(): no peer was returned, balancer: sticky_balanced while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [crit] 7285#7285: *8030939 connect() to 0.0.0.1:80 failed (22: Invalid argument) while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 upstream server temporarily disabled while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
我尝试在Ingress级别启用客户端证书身份验证,但这会破坏其他不需要客户端证书身份验证的API。
有没有一种方法Ingress不会尝试进行证书身份验证,而是将证书传递给应用程序,以便应用程序可以处理证书身份验证。