SSL certificate verification error on outgoing cluster traffic
Bug description
My cluster uses Istio, where a service (java) deployed in the mesh needs to connect to an external resource x.cmp.net/doc.pdf using http and port 443. This external resource uses a trusted wildcard certificate (DigiCert) with subject *.cmp.net and cmp.net.
When I try to verify the ssl certificate with openssl (from the application container), I get a Google cert (?? istio cert ?):
```
opt$ openssl s_client -showcerts -connect x.cmp.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
 0 s:CN = *.google.com
```
The application is written in java, and when it tries to download the resource it gets:

```
No subject alternative DNS name matching shipjobmt.ista.net found.
```
My configuration:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: internalnet
  namespace: ppct
spec:
  hosts:
  - x.cmp.net
  - y.cmp.net
  - z.cmp.net
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: xinternalnet
  namespace: ppct
spec:
  host: x.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: yinternalnet
  namespace: ppct
spec:
  host: y.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: zinternalnet
  namespace: ppct
spec:
  host: z.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
```
I also have the interception mode enabled:

```
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY
```
Version

`istioctl version`

```
client version: 1.11.0
control plane version: 1.11.0
data plane version: 1.11.0 (65 proxies)
```

`kubectl version --short`

```
Client Version: v1.19.9
Server Version: v1.19.9
```
Additional information

No response
Your problem seems to be related to double TLS (you can read more here).

There are two possible solutions:
Solution 1
In the ServiceEntry, define the protocol as HTTP redirected to 443:

```yaml
spec:
  hosts:
  - ...
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
```
Solution 2

Disable TLS for the DestinationRule's outgoing traffic:

```yaml
trafficPolicy:
  tls:
    mode: DISABLE
```
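The two fragments in the answer, written out as complete manifests with the check a practitioner would want. This is an added example, not configuration from the issue or the answer; the hosts and namespace are taken from the question, the CA bundle path is an assumption (the bundle shipped in the istio-proxy image). The two sets are alternatives for the same host, apply one or the other. The root cause in the question is that the Java client already speaks TLS to port 443 and the `mode: SIMPLE` DestinationRule makes the sidecar wrap that in a second TLS layer, so the server sees a handshake it did not expect; one common reason a front end answers such a handshake with a generic certificate like `*.google.com` is that the outer handshake carries no SNI, though the thread does not confirm that. Solution 2 keeps TLS end to end: the application still verifies the DigiCert `*.cmp.net` chain itself and the sidecar only forwards the bytes, so `mode: DISABLE` disables the sidecar's extra TLS, not the application's. Solution 1 moves TLS origination into the sidecar, which means the application talks plain HTTP on port 80 inside the pod and no longer checks any certificate; in that case the DestinationRule must set `sni` and `caCertificates`, because in Istio 1.11 a `SIMPLE` DestinationRule without `caCertificates` does not verify the upstream server certificate unless istiod is run with `VERIFY_CERTIFICATE_AT_CLIENT=true`.

```yaml
# Added example (not from the issue or the answer). Apply ONE of the two sets
# below; both describe x.cmp.net and would conflict if applied together.
# Hosts and namespace come from the question; the CA path is an assumption.

# ---- Alternative A (answer's Solution 2): TLS passthrough ----------------
# The Java client originates TLS to x.cmp.net:443 and verifies the DigiCert
# *.cmp.net chain itself; the sidecar forwards the TLS bytes unchanged.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: internalnet
  namespace: ppct
spec:
  hosts:
  - x.cmp.net
  - y.cmp.net
  - z.cmp.net
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: xinternalnet
  namespace: ppct
spec:
  host: x.cmp.net
  trafficPolicy:
    tls:
      mode: DISABLE   # no sidecar-originated TLS; the app's own TLS passes through
---
# ---- Alternative B (answer's Solution 1): TLS origination in the sidecar --
# The app must now request http://x.cmp.net/doc.pdf (port 80). The sidecar
# upgrades the connection to TLS on 443. Because the app no longer validates
# anything, sni and caCertificates are what keep this connection verified.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: internalnet-origination
  namespace: ppct
spec:
  hosts:
  - x.cmp.net
  exportTo:
  - "."
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443        # plain HTTP from the app on 80, TLS to the server on 443
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: xinternalnet-origination
  namespace: ppct
spec:
  host: x.cmp.net
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE
        sni: x.cmp.net     # present the hostname so the server picks the *.cmp.net cert
        # Assumed path of the system CA bundle inside the istio-proxy container.
        # Without caCertificates, Istio 1.11 does not verify the server certificate.
        caCertificates: /etc/ssl/certs/ca-certificates.crt
```

To confirm which alternative is in effect from the application container, run `openssl s_client -servername x.cmp.net -connect x.cmp.net:443` under alternative A and expect the `*.cmp.net` leaf rather than `*.google.com`; under alternative B the application-side check is `curl -v http://x.cmp.net/doc.pdf`, and the sidecar's TLS origination can be inspected with `istioctl proxy-config cluster <pod> -n ppct --fqdn x.cmp.net -o json`, where the `transportSocket` should carry the SNI and the CA file configured above.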