I have created an Nginx ingress, and everything works fine over HTTP. However, I need to add mTLS (mutual TLS authentication), so for testing I generated self-signed certificates. I tried to generate the certificate using the load balancer URL as the domain, but OpenSSL complains about the long name in the URL. So I tried to create a wildcard certificate instead, but I get the following error. Can you help me test the ingress?
* TCP_NODELAY set
* Connected to a3a1181.amazonaws.com port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: 2_intermediate/certs/ca-chain.cert.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/my-certs"
    #nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    #nginx.ingress.kubernetes.io/auth-tls-secret: "default/tls-secret"
spec:
  tls:
  - hosts:
    - "*.elb.us-east-1.amazonaws.com"
    secretName: my-certs
  rules:
  - host: "*.elb.us-east-1.amazonaws.com"
    http:
      paths:
      - path: /apple
        pathType: Prefix
        backend:
          serviceName: apple-service
          servicePort: 5678
      - path: /banana
        backend:
          serviceName: banana-service
          servicePort: 5678
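The curl output above fails at the chain step (the server certificate could not be linked to the CA file curl was given) before any client certificate is sent. The script below is an added example, not part of the question: it builds a lab CA, a server certificate with the same wildcard SAN as the ingress, and a client certificate, then exposes the two checks curl runs (chain and hostname) as functions; the secret layout and kubectl/curl usage in the trailing comments are assumptions about a typical ingress-nginx setup.

```shell
#!/bin/sh
# Added example (not from the question): build a lab CA, a server certificate with a
# wildcard SAN and a client certificate, then run the two checks curl performs before
# sending a request: does the chain reach the CA file, and does the SAN cover the host?
set -eu
LAB="${LAB:-$(mktemp -d)}"   # all files are constructed here; nothing is reused
cd "$LAB"

# Self-signed root CA with explicit CA extensions (portable across OpenSSL versions).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=lab-mtls-ca" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365 -extfile ca.ext >/dev/null 2>&1
}

# Leaf certificate signed by the lab CA: $1 file prefix, $2 DNS SAN, $3 serverAuth|clientAuth.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$2" "$3" >"$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 30 -extfile "$1.ext" >/dev/null 2>&1
}

# Exit 0 when $1 chains to ca.crt; a failure here is curl's (60) "unable to get local issuer".
verify_chain() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# Exit 0 when the SAN in $1 covers host $2; a wildcard only covers one DNS label.
check_hostname() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '; }

build_lab() {
  make_ca
  issue_cert server '*.elb.us-east-1.amazonaws.com' serverAuth
  issue_cert client 'test-client' clientAuth
  # A certificate from an unrelated issuer, to show what a chain failure looks like.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout stranger.key -out stranger.crt \
    -days 30 -subj "/CN=stranger" >/dev/null 2>&1
}
build_lab

# How the files map onto the ingress in the question (assumed secret layout; not run here):
#   kubectl create secret generic my-certs --from-file=tls.crt=server.crt \
#       --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
#   curl --cacert ca.crt --cert client.crt --key client.key https://<ingress-host>/apple
```

Run it with OpenSSL installed; `verify_chain stranger.crt` fails the same way the question's curl call does, and `check_hostname` shows which load balancer hostnames the wildcard SAN actually covers.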