Kubernetes: how to fix the "bad certificate" error in Traefik 2.0?

Tags: kubernetes, google-kubernetes-engine, traefik, kubernetes-pod

I am setting up traefik 2.0-alpha with Let's Encrypt certificates in GKE, but now I am surprised by the error "server.go:3012: http: TLS handshake error from 10.32.0.1:2244: remote error: tls: bad certificate" in the container logs.

Connections over http work fine. When I try to connect over https, traefik returns 404 with its own default certificate. I found the same problem for traefik v1 on github. The solution was to add this to the config:

InsecureSkipVerify = true
passHostHeader = true
This did not help me.

Here is my ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-ingress-configmap
  namespace: kube-system
data:
  traefik.toml: |
    [Global]
    sendAnonymousUsage = true
    debug = true
    logLevel = "DEBUG"

    [ServersTransport]
      InsecureSkipVerify = true

    [entrypoints]
      [entrypoints.web]
          address = ":80"
      [entryPoints.web-secure]
          address = ":443"
      [entrypoints.mongo-port]
          address = ":11111"

    [providers]
    [providers.file]
    [tcp] # YAY!
      [tcp.routers]
          [tcp.routers.everything-to-mongo]
            entrypoints = ["mongo-port"]
            rule = "HostSNI(`*`)" # Catches every request
            service = "database"
      [tcp.services]
        [tcp.services.database.LoadBalancer]
          [[tcp.services.database.LoadBalancer.servers]]
            address = "mongodb-service.default.svc:11111"

    [http]
      [http.routers]
        [http.routers.for-jupyterx-https]
          entryPoints = ["web-secure"] # won't listen to entrypoint mongo-port
          # rule = "Host(`clients-ui.ddns.net`)"
          # rule = "Path(`/jupyterx`)" # abo /jupyterx/*
          rule = "PathPrefix(`/jupyterx`)"
          service = "jupyterx"
          [http.routers.for-jupyterx.tls]

        [http.routers.for-jupyterx-http]
          entryPoints = ["web"] # won't listen to entrypoint mongo-port
          # rule = "Host(`clients-ui.ddns.net`)"
          # rule = "Path(`/jupyterx`)" # abo /jupyterx/*
          rule = "PathPrefix(`/jupyterx`)"
          service = "jupyterx"

      [http.services]
        [http.services.jupyterx.LoadBalancer]
        PassHostHeader = true
        # InsecureSkipVerify = true
        [[http.services.jupyterx.LoadBalancer.servers]]
        url = "http://jupyter-service.default.svc/"
        weight = 100

    [acme] # every router with TLS enabled will now be able to use ACME for its certificates
      email = "account@mail.com"
      storage = "acme.json"
    #   onHostRule = true # dynamic generation based on the Host() & HostSNI() matchers
      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
      [acme.httpChallenge]
          entryPoint = "web" # used during the challenge

And the DaemonSet yaml:

# ---
# apiVersion: v1
# kind: ServiceAccount
# metadata:
#   name: traefik-ingress-controller
#   namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        # - name: traefik-ui-tls-cert
        #   secret:
        #     secretName: traefik-ui-tls-cert
        - name: traefik-ingress-configmap
          configMap:
            name: traefik-ingress-configmap
      containers:
      - image: traefik:2.0 # The official v2.0 Traefik docker image
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: web-secure
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        - name: mongodb
          containerPort: 11111
        volumeMounts:
          - mountPath: "/config"
            name: "traefik-ingress-configmap"
        args:
        - --api
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: web-secure
    - protocol: TCP
      port: 8080
      name: admin
    - port: 11111
      protocol: TCP
      name: mongodb
  type: LoadBalancer
  loadBalancerIP: 1.1.1.1

Any suggestions on how to fix this?

Since a manual for traefik 2.0-alpha is missing, the config file was written using only the manual on the official traefik page. There is an example of an "HTTP and HTTPS routers" configuration there, which looks like this:

[http.routers]
   [http.routers.Router-1-https]
      rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
      service = "service-id"
      [http.routers.Router-1.tls] # will terminate the TLS request

   [http.routers.Router-1-http]
      rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
      service = "service-id"
But the working configuration looks like this:

[http.routers]
   [http.routers.Router-1-https]
      rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
      service = "service-id"
      [http.routers.Router-1-https.tls] # will terminate the TLS request

   [http.routers.Router-1-http]
      rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
      service = "service-id"
So in my config the line

[http.routers.for-jupyterx.tls]
should be

[http.routers.for-jupyterx-https.tls]
Fixed the typo in the documentation:
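Why the one-character typo produces exactly the symptoms in the question (handshake error in the log, default certificate and 404 over https, http unaffected): TOML table headers are absolute paths and indentation does not nest them, so `[http.routers.for-jupyterx.tls]` placed under `for-jupyterx-https` does not attach TLS to that router but silently defines a separate router named `for-jupyterx` that has TLS and nothing else, while `for-jupyterx-https` stays a plain router on the :443 entrypoint. The `ServersTransport.InsecureSkipVerify = true` that was tried cannot fix this either: it only stops Traefik from verifying the certificates of its backends, which weakens the backend leg without touching the client-facing handshake. The following lint, an added example written for this page and not Traefik's own code, parses a TOML fragment built from the question's config and the answer's two router layouts (constructed sample input) and reports all three problems. Its parser only understands table headers and scalar `key = value` lines, and it lower-cases names on the assumption that Traefik's loader is case-insensitive, which is consistent with the mixed `entrypoints`/`entryPoints` headers in the question working.

```python
"""Lint a Traefik v2 TOML fragment for the router/TLS mistakes on this page (added example)."""
import json
import re
from typing import Dict, List

# Constructed sample: the ServersTransport setting the question tried, plus the
# two routers from the answer with the documented (broken) TLS table header.
BROKEN_TOML = """
[ServersTransport]
  InsecureSkipVerify = true
[entryPoints.web]
  address = ":80"
[entryPoints.web-secure]
  address = ":443"
[http.routers]
  [http.routers.for-jupyterx-https]
    entryPoints = ["web-secure"] # HTTPS side
    rule = "PathPrefix(`/jupyterx`)"
    service = "jupyterx"
    [http.routers.for-jupyterx.tls]
  [http.routers.for-jupyterx-http]
    entryPoints = ["web"]
    rule = "PathPrefix(`/jupyterx`)"
    service = "jupyterx"
"""
# Same fragment with the header corrected as in the answer.
FIXED_TOML = BROKEN_TOML.replace(
    "[http.routers.for-jupyterx.tls]", "[http.routers.for-jupyterx-https.tls]")

TABLE_RE = re.compile(r"^\[\[?([^\]]+)\]\]?$")
KEY_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.+)$")


def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment unless the '#' is inside a quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_tables(toml: str) -> Dict[str, Dict[str, str]]:
    """Return {dotted.table.path: {key: raw_value}} for headers and scalar keys only.
    Paths and keys are lower-cased (assumption: Traefik's loader is case-insensitive)."""
    tables: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in toml.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:  # TOML headers are absolute paths; indentation does not nest them
            current = ".".join(p.strip().lower() for p in m.group(1).split("."))
            tables.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current:
            tables[current][m.group(1).lower()] = m.group(2).strip()
    return tables


def lint(toml: str) -> List[str]:
    """Return human-readable findings in a stable order."""
    tables = parse_tables(toml)
    findings: List[str] = []
    # Entrypoints listening on :443, i.e. where clients will start a TLS handshake.
    tls_entrypoints = {
        path.split(".")[1] for path, keys in tables.items()
        if path.startswith("entrypoints.") and path.count(".") == 1
        and keys.get("address", "").strip('"').endswith(":443")
    }
    # Per router: its scalar keys and whether any [http.routers.<name>.tls] exists.
    routers: Dict[str, dict] = {}
    for path, keys in tables.items():
        parts = path.split(".")
        if parts[:2] != ["http", "routers"] or len(parts) < 3:
            continue
        r = routers.setdefault(parts[2], {"keys": {}, "tls": False})
        if len(parts) == 3:
            r["keys"].update(keys)
        elif parts[3] == "tls":
            r["tls"] = True
    for name, r in sorted(routers.items()):
        keys = r["keys"]
        if r["tls"] and not ("rule" in keys and "service" in keys):
            findings.append(f"router '{name}': [tls] sub-table but no rule/service; "
                            "the tls header probably names the wrong router")
        bound = set(json.loads(keys.get("entrypoints", "[]")))
        if bound & tls_entrypoints and not r["tls"]:
            findings.append(f"router '{name}': bound to a :443 entrypoint without [tls]; "
                            "Traefik answers HTTPS with its default certificate and 404")
    st = tables.get("serverstransport", {})
    if st.get("insecureskipverify", "").lower() == "true":
        findings.append("ServersTransport.InsecureSkipVerify = true disables verification "
                        "of backend certificates only; it cannot fix the client-facing handshake")
    return findings


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_TOML), ("fixed", FIXED_TOML)):
        print(f"== {label} ==")
        for finding in lint(doc):
            print(" -", finding)
```

Running it on the broken fragment reports the orphan `for-jupyterx` TLS router, the `for-jupyterx-https` router bound to :443 without TLS, and the backend verification bypass; on the fixed fragment only the `InsecureSkipVerify` finding remains, which is a reminder to remove that setting once the real cause is fixed rather than leave backend certificate checks disabled.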