Knative & cert-manager - SSL_ERROR_SYSCALL
```
kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T21:16:14Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
```
Running on Ubuntu 20.04.
Installed following:
https://knative.dev/docs/install/install-serving-with-yaml/
Tried all the networking layers; this one is running kourier and cert-manager.
I installed "networking-ns-cert" and use DNS01, basically as described here:
https://knative.dev/docs/install/install-serving-with-yaml/
I did create my certificates, and I can curl -H "app..mydomain.dev" over http (not https).
```
get kcert --all-namespaces
NAMESPACE         NAME                            READY   REASON
cert-manager      cert-manager.mydomain.dev       True
default           default.mydomain.dev            True
knative-serving   knative-serving.mydomin.dev     True
kourier-system    kourier-system.mydomain.dev     True
kube-node-lease   kube-node-lease.mydomain.dev    True
kube-public       kube-public.mydomain.dev        True
kube-system       kube-system.mydomain.dev        True
test              test.mydomain.dev               True
```
```
kubectl get svc -n kourier-system
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
kourier            NodePort    10.96.38.63      <none>        80:30789/TCP,443:30670/TCP   31h
kourier-internal   ClusterIP   10.101.145.191   <none>        80/TCP                       31h
```
```
openssl s_client -connect mydomain.dev:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1621705659
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
```
```
curl -H "Host: helloworld-go.default.mydomain.dev" http://mydomain.dev
Hello Hello Knative Serving is up and running with Kourier!!!
```
```
curl -iv -H "Host: helloworld-go.default.mydomain.dev" https://mydomain.dev
*   Trying <ip address>...
* TCP_NODELAY set
* Connected to mydomain.dev (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.dev:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.dev:443
```
I notice you are connecting to https://mydomain.dev but passing a Host header for a different domain. My guess is that curl is sending an SNI request for the mydomain.dev certificate; since networking-ns-cert obtains wildcard certificates for *.<namespace>.mydomain.dev, the server probably has no certificate matching the SNI request and closes the TCP connection.
Try curl's -kvv option (instead of -v) to print more detailed debug information and bypass some SSL errors. Since you have DNS and certificates set up, I would try:
```
curl -kvv https://helloworld-go.default.mydomain.dev
```
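The SNI mismatch described in the answer above, as an added example that is not part of the original thread: `sni_matches` applies the usual one-label wildcard rule to the per-namespace names networking-ns-cert issues (the namespace list and names are constructed from the `get kcert` output, assumed to be `*.<namespace>.mydomain.dev`), and `probe_tls` performs a handshake with an explicit SNI, separate from the connect address, the way `openssl s_client -servername` or `curl --resolve` would.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Constructed sample: one wildcard certificate per namespace, as networking-ns-cert
# issues them (assumed names, modelled on the `get kcert` listing above).
NAMESPACE_CERTS: Dict[str, List[str]] = {
    "default": ["*.default.mydomain.dev"],
    "test": ["*.test.mydomain.dev"],
    "knative-serving": ["*.knative-serving.mydomain.dev"],
}


def sni_matches(sni: str, pattern: str) -> bool:
    """RFC 6125 style match: a '*' covers exactly one leftmost DNS label."""
    sni, pattern = sni.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return sni == pattern
    suffix = pattern[1:]                 # e.g. ".default.mydomain.dev"
    if not sni.endswith(suffix):
        return False
    label = sni[: -len(suffix)]          # what the '*' would stand for
    return bool(label) and "." not in label


def cert_for_sni(sni: str, certs: Dict[str, List[str]] = NAMESPACE_CERTS) -> Optional[str]:
    """Namespace whose wildcard cert the gateway could serve for this SNI, or None.
    None is the situation in the question: no cert matches, so the handshake is dropped."""
    for namespace, names in certs.items():
        if any(sni_matches(sni, n) for n in names):
            return namespace
    return None


def probe_tls(connect_host: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake against connect_host while sending `sni` in ClientHello (needs network).
    Verification is disabled on purpose: we only want to see what the server presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"ok": True, "sni": sni, "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (OSError, ssl.SSLError) as exc:   # ECONNRESET / EOF = server closed on us
        return {"ok": False, "sni": sni, "error": repr(exc)}


if __name__ == "__main__":
    for name in ("mydomain.dev", "helloworld-go.default.mydomain.dev"):
        print(name, "->", cert_for_sni(name))
```

Running `probe_tls("mydomain.dev", "helloworld-go.default.mydomain.dev")` against the real gateway shows whether the handshake succeeds once the SNI names a covered host, independent of which address you connect to.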