GKE Nginx入口-设置主机导致400无需SSL证书

GKE Nginx入口-设置主机导致400无需SSL证书,nginx,google-kubernetes-engine,kubernetes-ingress,nginx-ingress,Nginx,Google Kubernetes Engine,Kubernetes Ingress,Nginx Ingress,我在GKE 1.16.13-GKE.401中使用nginx入口 我的配置 apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: api-ingress namespace: development annotations: nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/backend

我在GKE 1.16.13-GKE.401中使用nginx入口

我的配置

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  namespace: development
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    kubernetes.io/ingress.class: "nginx"
    # Enable client certificate authentication
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Create the secret containing the trusted ca certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: "development/client-cert-api-ingress"
    # Specify the verification depth in the client certificates chain
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Automatically redirect http to https
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Use regex in paths
    nginx.ingress.kubernetes.io/use-regex: "true"
    # For notifications we add the proxy headers
    nginx.ingress.kubernetes.io/configuration-snippet: |  
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
spec:
  tls:
    - hosts:
      - example.com
      secretName: api-tls-certificate
  rules:
  - host: example.com
    http:
      paths:
      - path: /(.*)
        backend:
          serviceName: v2-api-frontend
          servicePort: 443
Nginx控制器配置:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingressnginx/controller-v0.40.2/deploy/static/provider/cloud/deploy.yaml
问题

调用
curl-k--cert my-cert.pem--key my-cert.keyhttps://MY_IP/ --当指定了
rules.Host
时,标题“Host:example.com”
不起作用

如果我正在指定
规则。主机
服务器以

400错误请求 未发送所需的SSL证书

如果我没有指定
rules.host
的话,curl可以正常工作

我怎样才能解决这个问题

编辑1:

似乎是我签发的自签名客户端证书导致了问题

使用以下脚本创建:

#!/bin/bash
# USE: ./build-client-cert.sh <CERTNAME> <EXPR_DAYS>

# How to generate client certificate
# based on https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.req
openssl x509 -req -in client.req -CA rootCA.crt -CAkey rootCA.key -set_serial 101 -extensions client -days $2 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out $1.p12
rm client.key client.cer client.req
#!/bin/bash

# https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

openssl genrsa -des3 -out rootCA.key 4096

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

如果忽略ssl检查,输出是什么<代码>curl-IL“Host:example.com”https://MY_IP -k
?HTTP/2400日期:周二,2020年10月20日11:54:26 GMT内容类型:text/html内容长度:230有趣的是你说:如果你不指定
规则。主机
一切正常。那么证书是与
example.com
一起颁发的?这是自我暗示吗?请提供更多详细信息。它是自签名的。似乎是我颁发的客户端证书导致了这个问题。使用cloudflare客户端证书可以正常工作。我将添加用于创建有问题的客户端证书的代码。@KoopaKillerCoul请告诉我您是如何创建证书和CA的机密的?