我有一个奇怪的案例。语境:
一开始,客户在他们的商店中使用我们的域名,URL 类似于 somestore.eu.mycompany.com
然后,客户端升级到自定义域,其他客户端没有任何问题。
我们用旧的子域删除了整个命名空间,并用该域创建了一个新的命名空间。
根域完美运行,没有 SSL 证书问题。但是,登台子域有时可以工作,有时没有 SSL 证书问题,有时会出现以下错误:
$ curl -vI https://staging.somestore.com/
* Trying 35.102.186.11:443...
* TCP_NODELAY set
* Connected to staging.somestore.com (35.102.186.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.eu.mycompany.com
* start date: Mar 13 09:29:46 2022 GMT
* expire date: Jun 11 09:29:45 2022 GMT
* subjectAltName does not match staging.somestore.com
* SSL: no alternative certificate subject name matches target host name 'staging.somestore.com'
查看日志我可以看到 nginx-ingress
仍在尝试获取旧证书kubectl logs -f -n ingress-nginx nginx-ingress-controller-55f88544bf-dk7ht | grep my-namespace
SSL certificate "my-namespace/tls-cert" does not contain a Common Name or Subject Alternative Name for server "somestore.eu.mycompany.com": x509: certificate is valid for somestore.com, staging.somestore.com, www.somestore.com, not somestore.eu.mycompany.com
为什么 Kubernetes 的 nginx-ingress 还在尝试获取旧证书?
最佳答案
nginx-ingress
是 ingress
命名空间中的部署名称,请执行以下操作:kubectl rollout restart -n ingress deploy/nginx-ingress
)关于ssl - Kubernetes Nginx 入口尝试获取错误的 SSL 证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/71708348/