Fatal编程技术网
  • kubernetes/
  • Kubernetes OpenShift边缘TLS终止路由不工作。CWWKO0801E:无法初始化SSL连接

Kubernetes OpenShift边缘TLS终止路由不工作。CWWKO0801E:无法初始化SSL连接

kubernetes routes openshift

Kubernetes OpenShift边缘TLS终止路由不工作。CWWKO0801E:无法初始化SSL连接,kubernetes,routes,ssl-certificate,openshift,websphere-liberty,Kubernetes,Routes,Ssl Certificate,Openshift,Websphere Liberty,有人能帮我打开轮班路线吗 我已设置带有边缘TLS终端的路由,对服务端点的调用会导致: 502 Bad Gateway The server returned an invalid or incomplete response. pod中的日志有以下错误:我使用端点进行REST调用 CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have ex

有人能帮我打开轮班路线吗

我已设置带有边缘TLS终端的路由,对服务端点的调用会导致:

502 Bad Gateway
The server returned an invalid or incomplete response.
pod中的日志有以下错误:我使用端点进行REST调用

CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.ibm.jsse2.c.a(c.java:6)
    at com.ibm.jsse2.as.a(as.java:532)
    at com.ibm.jsse2.as.unwrap(as.java:580)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:5)
    at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:515)
默认直通路由终止工作!,但这不允许我指定基于路径的路由。因此,尝试使用带有边缘TLS终止的路由我尝试使用单个主机名将流量从/ibm/pmi/service路由到apm pm api服务,并从/ibm/pmi路由到apm pm ui服务

我将SSL证书加载到边缘路由中,liberty服务通过deployment.yaml中定义的机密使用相同的证书

我无法确定此SSL相关错误的根本原因,这是来自wlp liberty应用程序服务器还是openshift路由的问题

关于如何让liberty应用程序正常工作的任何建议

提前谢谢你的帮助

附加route.yaml

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev
  namespace: default
  selfLink: /apis/route.openshift.io/v1/namespaces/default/routes/openshift-pmi-dev
  uid: 9ba296f6-1611-11ea-a1ab-0a580afe00ab
  resourceVersion: '6819345'
  creationTimestamp: '2019-12-03T21:12:26Z'
  annotations:
    haproxy.router.openshift.io/balance: roundrobin
    haproxy.router.openshift.io/hsts_header: max age=31536000;includeSubDomains;preload
spec:
  host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
  subdomain: ''
  path: /ibm/pmi/service
  to:
    kind: Service
    name: apm-pm-api-service
    weight: 100
  port:
    targetPort: https
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      <valid cert>
      -----END RSA PRIVATE KEY-----
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
status:
  ingress:
    - host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2019-12-03T21:12:26Z'
      wildcardPolicy: None
      routerCanonicalHostname: apps.vapidly.os.fyre.ibm.com
将路由更改为重新加密,将导致应用程序不可用502错误。请求似乎没有到达服务

边缘终止意味着将http明文发送到后端服务,但您的路由会将http发送到https端口

删除端口:https或使用“重新加密”终止而不是“边缘”

更改以下内容后问题已解决:

在liberty application server.xml上启用http 公开docker文件上的http端口 在service.yaml上启用http端口 使用边缘路由上的http端口。
我尝试了重新加密的路线。但这会导致503应用程序不可用错误。请求似乎没有到达服务。正在使用什么版本的Liberty和OpenShift?OpenShift v4.2和Liberty v19.0.0.10