GKE Nginx入口-设置主机导致400无需SSL证书_Nginx_Google Kubernetes Engine_Kubernetes Ingress_Nginx Ingress

GKE Nginx入口-设置主机导致400无需SSL证书

nginx

GKE Nginx入口-设置主机导致400无需SSL证书,nginx,google-kubernetes-engine,kubernetes-ingress,nginx-ingress,Nginx,Google Kubernetes Engine,Kubernetes Ingress,Nginx Ingress,我在GKE 1.16.13-GKE.401中使用nginx入口我的配置 apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: api-ingress namespace: development annotations: nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/backend

我在GKE 1.16.13-GKE.401中使用nginx入口

我的配置

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  namespace: development
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    kubernetes.io/ingress.class: "nginx"
    # Enable client certificate authentication
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Create the secret containing the trusted ca certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: "development/client-cert-api-ingress"
    # Specify the verification depth in the client certificates chain
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Automatically redirect http to https
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Use regex in paths
    nginx.ingress.kubernetes.io/use-regex: "true"
    # For notifications we add the proxy headers
    nginx.ingress.kubernetes.io/configuration-snippet: |  
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
spec:
  tls:
    - hosts:
      - example.com
      secretName: api-tls-certificate
  rules:
  - host: example.com
    http:
      paths:
      - path: /(.*)
        backend:
          serviceName: v2-api-frontend
          servicePort: 443

Nginx控制器配置：

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingressnginx/controller-v0.40.2/deploy/static/provider/cloud/deploy.yaml

问题

调用

curl-k--cert my-cert.pem--key my-cert.keyhttps://MY_IP/ --当指定了rules.Host
时，标题“Host:example.com”

不起作用

如果我正在指定

规则。主机服务器以
400错误请求
未发送所需的SSL证书
如果我没有指定rules.host
的话，curl可以正常工作
我怎样才能解决这个问题
编辑1:
似乎是我签发的自签名客户端证书导致了问题
使用以下脚本创建：
#!/bin/bash
# USE: ./build-client-cert.sh <CERTNAME> <EXPR_DAYS>

# How to generate client certificate
# based on https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.req
openssl x509 -req -in client.req -CA rootCA.crt -CAkey rootCA.key -set_serial 101 -extensions client -days $2 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out $1.p12
rm client.key client.cer client.req

#!/bin/bash

# https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

openssl genrsa -des3 -out rootCA.key 4096

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

如果忽略ssl检查，输出是什么<代码>curl-IL“Host:example.com”https://MY_IP -k
？HTTP/2400日期：周二，2020年10月20日11:54:26 GMT内容类型：text/html内容长度：230有趣的是你说：如果你不指定规则。主机
一切正常。那么证书是与example.com
一起颁发的？这是自我暗示吗？请提供更多详细信息。它是自签名的。似乎是我颁发的客户端证书导致了这个问题。使用cloudflare客户端证书可以正常工作。我将添加用于创建有问题的客户端证书的代码。@KoopaKillerCoul请告诉我您是如何创建证书和CA的机密的？