nginx ingress rejects HTTP POST requests with a 400 status code

Tags: nginx, kubernetes, kubernetes-ingress, nginx-ingress, pki

I am trying to deploy EJBCA PKI in proxy mode and terminate all SSL sessions on the nginx ingress. I have this working successfully for public/admin web access, the EJBCA web services and SCEP.

The last protocol I need to validate is EST, and I need some help. First of all, if I take nginx out of the mix and terminate the SSL session directly on EJBCA, my EST-RA and EJBCA configuration works.

When nginx terminates the SSL session with the EST-RA, it complains that something is wrong with the HTTP request and sends back an HTTP 400 status code. My EJBCA server never receives anything.

Here is my EST ingress configuration:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: pki-est
  annotations:
    kubernetes.io/ingress.class: "fanhe-ingress"
spec:
  tls:
  - hosts:
    - nginx-ingress-controller.ingress-nginx
    secretName: nginx-ingress-tls-ec-secret
  rules:
    - host: nginx-ingress-controller.ingress-nginx
      http:
        paths:
        - path: /.well-known/est
          backend:
           serviceName: pki-app
           servicePort: 8082
I enabled all debugging on the ingress, and here is what I see in error.log:

2020/05/18 10:06:52 [debug] 198#198: *15975 http process request line
2020/05/18 10:06:52 [debug] 198#198: *15975 http request line: "POST /.well-known/est/simpleenroll HTTP/1.1"
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2F:/'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:1 in:'2E:.'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:2 in:'77:w'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2D:-'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6B:k'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6E:n'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6F:o'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'77:w'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6E:n'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2F:/'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:1 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'73:s'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'74:t'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2F:/'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:1 in:'73:s'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'69:i'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6D:m'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'70:p'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6E:n'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'72:r'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6F:o'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
---
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 http uri: "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 http args: ""
2020/05/18 10:06:52 [debug] 198#198: *15975 http exten: ""
2020/05/18 10:06:52 [debug] 198#198: *15975 http process request header line
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "User-Agent: libest 3.1.1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Connection: close"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Host: nginx-ingress-controller.ingress-nginx:443"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Accept: */*"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Content-Type: application/pkcs10"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Content-Length: 366"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header done
2020/05/18 10:06:52 [info] 198#198: *15975 client SSL certificate verify error: (19:self signed certificate in certificate chain) while reading client request headers, client: fd10::1:165, server: nginx-ingress-controller.ingress-nginx, request: "POST /.well-known/est/simpleenroll HTTP/1.1", host: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 10:06:52 [debug] 198#198: *15975 http finalize request: 495, "/.well-known/est/simpleenroll?" a:1, c:1
2020/05/18 10:06:52 [debug] 198#198: *15975 event timer del: 3: 947664613
2020/05/18 10:06:52 [debug] 198#198: *15975 http special response: 495, "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 http set discard body
2020/05/18 10:06:52 [debug] 198#198: *15975 headers more header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua header filter for user lua code, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua capture header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 HTTP/1.1 400 Bad Request
Server: openresty/1.15.8.1
Date: Mon, 18 May 2020 10:06:52 GMT
Content-Type: text/html
Content-Length: 221
Connection: close

2020/05/18 10:06:52 [debug] 198#198: *15975 write new buf t:1 f:0 0000558A2B30B250, pos 0000558A2B30B250, size: 158 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter: l:0 f:0 s:158
2020/05/18 10:06:52 [debug] 198#198: *15975 http output filter "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 http copy filter: "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua body filter for user lua code, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua capture body filter, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 http postpone filter "/.well-known/est/simpleenroll?" 0000558A2B30B438
2020/05/18 10:06:52 [debug] 198#198: *15975 write old buf t:1 f:0 0000558A2B30B250, pos 0000558A2B30B250, size: 158 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 write new buf t:0 f:0 0000000000000000, pos 0000558A2A15AEA0, size: 162 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 write new buf t:0 f:0 0000000000000000, pos 0000558A2A15BE20, size: 59 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter: l:1 f:0 s:379
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter limit 0
2020/05/18 10:06:52 [debug] 198#198: *15975 malloc: 0000558A2B318CC0:4096
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL buf copy: 158
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL buf copy: 162
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL buf copy: 59
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL to write: 379
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL_write: 379
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter 0000000000000000
2020/05/18 10:06:52 [debug] 198#198: *15975 http copy filter: 0 "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 http finalize request: 0, "/.well-known/est/simpleenroll?" a:1, c:1
2020/05/18 10:06:52 [debug] 198#198: *15975 event timer add: 3: 5000:947609618
2020/05/18 10:06:52 [debug] 198#198: *15975 http lingering close handler
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL_read: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL_get_error: 6
2020/05/18 10:06:52 [debug] 198#198: *15975 peer shutdown SSL cleanly
2020/05/18 10:06:52 [debug] 198#198: *15975 lingering read: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 http request count:1 blk:0
2020/05/18 10:06:52 [debug] 198#198: *15975 http close request
2020/05/18 10:06:52 [debug] 198#198: *15975 lua log handler, uri:"/.well-known/est/simpleenroll" c:0
2020/05/18 10:06:52 [debug] 198#198: *15975 http log handler
2020/05/18 10:06:52 [debug] 198#198: *15975 http map started
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map: "/.well-known/est/simpleenroll" "1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map started
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "fd10::1:165"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map: "" "fd10::1:165"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map started
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "39bef9f98c79778373515fb72f84e249"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map: "" "39bef9f98c79778373515fb72f84e249"
2020/05/18 10:06:52 [debug] 198#198: *15975 free: 0000558A2B30A480, unused: 7
2020/05/18 10:06:52 [debug] 198#198: *15975 free: 0000558A2B279FC0, unused: 1974
2020/05/18 10:06:52 [debug] 198#198: *15975 close http connection: 3
From these logs I cannot see any obvious reason for nginx to reject the request.

I did try the same HTTP request with Postman, using exactly the same certificate as the EST-RA, and it worked!! See the log below:

2020/05/18 22:52:02 [debug] 671#671: *172624 http process request line
2020/05/18 22:52:02 [debug] 671#671: *172624 http request line: "POST /.well-known/est/simpleenroll HTTP/1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2F:/'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:1 in:'2E:.'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:2 in:'77:w'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2D:-'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6B:k'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6E:n'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6F:o'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'77:w'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6E:n'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2F:/'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:1 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'73:s'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'74:t'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2F:/'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:1 in:'73:s'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'69:i'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6D:m'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'70:p'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6E:n'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'72:r'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6F:o'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 http uri: "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 http args: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http exten: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http process request header line
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "User-Agent: libest 3.1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Connection: close"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Host: nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Accept: */*"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Content-Type: application/pkcs10"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Authorization: Basic cmEtYXBwOkZiV241M2p3"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Content-Length: 280"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header done
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer del: 6: 993574054
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 0
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 1
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 2
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "-"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_upstream_name
2020/05/18 22:52:02 [debug] 671#671: *172624 test location: "/"
2020/05/18 22:52:02 [debug] 671#671: *172624 test location: "ejbca/ejbcaws"
2020/05/18 22:52:02 [debug] 671#671: *172624 test location: ".well-known/est"
2020/05/18 22:52:02 [debug] 671#671: *172624 using configuration "/.well-known/est"
2020/05/18 22:52:02 [debug] 671#671: *172624 http cl:280 max:0
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 4
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 5
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "default"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $namespace
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "pki-est"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $ingress_name
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "pki-app"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $service_name
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "{0 8082 }"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $service_port
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "/.well-known/est"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $location_path
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script equal
2020/05/18 22:52:02 [debug] 671#671: *172624 http script if
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "-1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $balancer_ewma_score
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "default-pki-app-8082"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_upstream_name
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "default-pki-app-8082"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_host
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $pass_access_scheme
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $pass_server_port
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $best_http_host
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $pass_port
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_alternative_upstream_name
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 6
2020/05/18 22:52:02 [debug] 671#671: *172624 lua rewrite handler, uri:"/.well-known/est/simpleenroll" c:1
2020/05/18 22:52:02 [debug] 671#671: *172624 looking up Lua code cache with key '=rewrite_by_lua(nginx.conf:1274)nhli_dbdd52ba6d647a948759533fd68b064c'
2020/05/18 22:52:02 [debug] 671#671: *172624 lua creating new thread
2020/05/18 22:52:02 [debug] 671#671: *172624 lua reset ctx
2020/05/18 22:52:02 [debug] 671#671: *172624 http cleanup add: 0000558A2B3E0AB0
2020/05/18 22:52:02 [debug] 671#671: *172624 lua run thread, top:0 c:1
2020/05/18 22:52:02 [debug] 671#671: *172624 add cleanup: 0000558A2B3348A0
2020/05/18 22:52:02 [debug] 671#671: *172624 lua resume returned 0
2020/05/18 22:52:02 [debug] 671#671: *172624 lua light thread ended normally
2020/05/18 22:52:02 [debug] 671#671: *172624 lua deleting light thread
2020/05/18 22:52:02 [debug] 671#671: *172624 post rewrite phase: 7
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 8
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 9
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 10
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 11
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 12
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 13
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 14
2020/05/18 22:52:02 [debug] 671#671: *172624 post access phase: 15
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 16
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 17
2020/05/18 22:52:02 [debug] 671#671: *172624 http client request body preread 280
2020/05/18 22:52:02 [debug] 671#671: *172624 http request body content length filter
2020/05/18 22:52:02 [debug] 671#671: *172624 http body new buf t:1 f:0 0000558A2B42FB5D, pos 0000558A2B42FB5D, size: 280 file: 0, size: 0
2020/05/18 22:52:02 [debug] 671#671: *172624 http init upstream, client timer: 0
2020/05/18 22:52:02 [debug] 671#671: *172624 epoll add event: fd:6 op:3 ev:80002005
2020/05/18 22:52:02 [debug] 671#671: *172624 http map started
2020/05/18 22:52:02 [debug] 671#671: *172624 http map: "" ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http map started
2020/05/18 22:52:02 [debug] 671#671: *172624 posix_memalign: 0000558A2B2F54F0:4096 @16
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "80e3ae7c2495fcdc7ebe9b658dd579bc"
2020/05/18 22:52:02 [debug] 671#671: *172624 http map: "" "80e3ae7c2495fcdc7ebe9b658dd579bc"
2020/05/18 22:52:02 [debug] 671#671: *172624 http map started
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http map: "" "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "Host"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "ssl-client-verify"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "NONE"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Request-ID"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "80e3ae7c2495fcdc7ebe9b658dd579bc"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Real-IP"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-For"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-Host"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-Port"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-Proto"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Original-URI"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Scheme"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "Content-Length"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "280"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "User-Agent: libest 3.1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Accept: */*"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Type: application/pkcs10"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Authorization: Basic cmEtYXBwOkZiV241M2p3"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header:
"POST /.well-known/est/simpleenroll HTTP/1.1
Host: nginx-ingress-controller.ingress-nginx:443
ssl-client-verify: NONE
X-Request-ID: 80e3ae7c2495fcdc7ebe9b658dd579bc
X-Real-IP: fdff::a3d:fafb
X-Forwarded-For: fdff::a3d:fafb
X-Forwarded-Host: nginx-ingress-controller.ingress-nginx:443
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Original-URI: /.well-known/est/simpleenroll
X-Scheme: https
Content-Length: 280
User-Agent: libest 3.1.1
Accept: */*
Content-Type: application/pkcs10
Authorization: Basic cmEtYXBwOkZiV241M2p3

"
2020/05/18 22:52:02 [debug] 671#671: *172624 http cleanup add: 0000558A2B2F58A8
2020/05/18 22:52:02 [debug] 671#671: *172624 init keepalive peer
2020/05/18 22:52:02 [debug] 671#671: *172624 get keepalive peer
2020/05/18 22:52:02 [debug] 671#671: *172624 lua balancer peer, tries: 1
2020/05/18 22:52:02 [debug] 671#671: *172624 lua reset ctx
2020/05/18 22:52:02 [debug] 671#671: *172624 looking up Lua code cache with key 'balancer_by_luanhli_0f29762dfd828b8baa4d895affbc4b90'
2020/05/18 22:52:02 [debug] 671#671: *172624 stream socket 10
2020/05/18 22:52:02 [debug] 671#671: *172624 epoll add connection: fd:10 ev:80002005
2020/05/18 22:52:02 [debug] 671#671: *172624 connect to [fd10::1:169]:8082, fd:10 #172625
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream connect: -2
2020/05/18 22:52:02 [debug] 671#671: *172624 posix_memalign: 0000558A2B34D0A0:128 @16
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer add: 10: 5000:993519304
2020/05/18 22:52:02 [debug] 671#671: *172624 http finalize request: -4, "/.well-known/est/simpleenroll?" a:1, c:2
2020/05/18 22:52:02 [debug] 671#671: *172624 http request count:2 blk:0
2020/05/18 22:52:02 [debug] 671#671: *172624 http run request: "/.well-known/est/simpleenroll?"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream check client, write event:1, "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream request: "/.well-known/est/simpleenroll?"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream send request handler
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream send request
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream send request body
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer buf fl:0 s:542
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer buf fl:1 s:280
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer in: 0000558A2B2F59F8
2020/05/18 22:52:02 [debug] 671#671: *172624 writev: 822 of 822
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer out: 0000000000000000
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer del: 10: 993519304
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer add: 10: 60000:993574308
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream request: "/.well-known/est/simpleenroll?"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream process header
2020/05/18 22:52:02 [debug] 671#671: *172624 malloc: 0000558A2B33E000:4096
2020/05/18 22:52:02 [debug] 671#671: *172624 recv: eof:0, avail:1
2020/05/18 22:52:02 [debug] 671#671: *172624 recv: fd:10 911 of 4096
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy status 200 "200 OK"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Connection: keep-alive"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Transfer-Encoding: base64"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Type: application/pkcs7-mime; smime-type=certs-only"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Length: 714"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Date: Mon, 18 May 2020 22:52:02 GMT"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header done
2020/05/18 22:52:02 [debug] 671#671: *172624 headers more header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 lua header filter for user lua code, uri "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 looking up Lua code cache with key 'header_filter_by_luanhli_537482850bfc85b842f10d9c3d0521aa'
2020/05/18 22:52:02 [debug] 671#671: *172624 lua capture header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 HTTP/1.1 200 OK
Server: openresty/1.15.8.1
Date: Mon, 18 May 2020 22:52:02 GMT
Content-Type: application/pkcs7-mime; smime-type=certs-only
Content-Length: 714
Connection: close
Content-Transfer-Encoding: base64
Strict-Transport-Security: max-age=15724800; includeSubDomains
Any suggestions would be greatly appreciated.

Thanks,
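The two error.log excerpts above differ in exactly one place: on connection *15975 nginx logs a client-certificate verify error, finalizes the request with its internal status 495 (NGX_HTTPS_CERT_ERROR) and answers the client with a plain 400, while on *172624 no verify error is logged and the request is proxied to port 8082. The script below is an added example, not part of the original question, that pulls those fields out of nginx debug logs grouped by connection id so the rejection reason is visible without reading thousands of debug lines. The sample log is a constructed subset of the lines quoted in the question; the mapping of 495 to a 400 response is nginx's default behaviour unless error_page 495 is configured.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed subset of the nginx error.log lines quoted in
# the question. Connection *15975 is the libest request nginx rejected,
# *172624 is the Postman request that was proxied to EJBCA.
SAMPLE_LOG = """\
2020/05/18 10:06:52 [debug] 198#198: *15975 http request line: "POST /.well-known/est/simpleenroll HTTP/1.1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "User-Agent: libest 3.1.1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Host: nginx-ingress-controller.ingress-nginx:443"
2020/05/18 10:06:52 [info] 198#198: *15975 client SSL certificate verify error: (19:self signed certificate in certificate chain) while reading client request headers, client: fd10::1:165, server: nginx-ingress-controller.ingress-nginx, request: "POST /.well-known/est/simpleenroll HTTP/1.1", host: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 10:06:52 [debug] 198#198: *15975 http finalize request: 495, "/.well-known/est/simpleenroll?" a:1, c:1
2020/05/18 10:06:52 [debug] 198#198: *15975 HTTP/1.1 400 Bad Request
Server: openresty/1.15.8.1
2020/05/18 22:52:02 [debug] 671#671: *172624 http request line: "POST /.well-known/est/simpleenroll HTTP/1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "User-Agent: libest 3.1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 connect to [fd10::1:169]:8082, fd:10 #172625
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy status 200 "200 OK"
2020/05/18 22:52:02 [debug] 671#671: *172624 HTTP/1.1 200 OK
"""

# Every nginx error.log line starts with "date time [level] pid#tid: *connid ".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] \d+#\d+: '
    r'\*(?P<conn>\d+) (?P<msg>.*)$')
REQUEST_RE = re.compile(r'^http request line: "(?P<line>[^"]*)"')
HEADER_RE = re.compile(r'^http header: "(?P<name>[^:]+): (?P<value>[^"]*)"')
VERIFY_RE = re.compile(
    r'client SSL certificate verify error: \((?P<code>\d+):(?P<text>[^)]*)\)')
FINALIZE_RE = re.compile(r'^http finalize request: (?P<status>-?\d+),')
RESPONSE_RE = re.compile(r'^HTTP/1\.[01] (?P<status>\d{3}) ')
UPSTREAM_RE = re.compile(r'^connect to (?P<addr>\S+),')


@dataclass
class Connection:
    conn_id: str
    request_line: Optional[str] = None
    headers: dict = field(default_factory=dict)
    verify_error: Optional[tuple] = None      # (OpenSSL X509 verify code, text)
    finalize_statuses: list = field(default_factory=list)
    response_status: Optional[int] = None     # status line sent to the client
    upstream: Optional[str] = None            # backend nginx connected to, if any


def parse_error_log(text: str) -> dict:
    """Group error.log lines by connection id and extract the fields that
    explain whether a request was proxied or rejected before proxying."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header dumps continue on lines without the prefix
        conn = conns.setdefault(m['conn'], Connection(m['conn']))
        msg = m['msg']
        if (r := REQUEST_RE.match(msg)):
            conn.request_line = r['line']
        elif (h := HEADER_RE.match(msg)):
            conn.headers[h['name']] = h['value']
        elif (v := VERIFY_RE.search(msg)):
            conn.verify_error = (int(v['code']), v['text'])
        elif (f := FINALIZE_RE.match(msg)):
            conn.finalize_statuses.append(int(f['status']))
        elif (u := UPSTREAM_RE.match(msg)):
            conn.upstream = u['addr']
        elif (s := RESPONSE_RE.match(msg)):
            conn.response_status = int(s['status'])
    return conns


def rejected_by_client_cert(conns: dict) -> list:
    """Connections nginx closed because client certificate verification failed:
    a verify error plus nginx's internal status 495 (NGX_HTTPS_CERT_ERROR),
    which it reports to the client as 400 unless error_page 495 is set."""
    return [c for c in conns.values()
            if c.verify_error is not None and 495 in c.finalize_statuses]


def explain(conn: Connection) -> str:
    if conn.verify_error is not None:
        code, text = conn.verify_error
        return (f"*{conn.conn_id} {conn.request_line}: client certificate rejected "
                f"(X509 verify error {code}: {text}); client got "
                f"{conn.response_status}, upstream contacted: {conn.upstream}")
    return (f"*{conn.conn_id} {conn.request_line}: proxied to {conn.upstream}, "
            f"client got {conn.response_status}")


if __name__ == "__main__":
    for conn in parse_error_log(SAMPLE_LOG).values():
        print(explain(conn))
```

Run against a full error.log from the ingress controller pod (kubectl logs with error-log-level set to debug) and filter with rejected_by_client_cert; verify code 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, meaning the chain the client presented ends in a root that is not in the CA bundle nginx was given for ssl_client_certificate.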

This line is the cause:

2020/05/18 10:06:52 [info] 198#198: *15975 client SSL certificate verify error: (19:self signed certificate in certificate chain) while reading client request headers, client: fd10::1:165, server: nginx-ingress-controller.ingress-nginx, request: "POST /.well-known/est/simpleenroll HTTP/1.1", host: "nginx-ingress-controller.ingress-nginx:443"
It looks like your protocol is using TLS client certificates. It is not possible to reverse-proxy a connection that uses a TLS client certificate, because the nginx ingress does not have the private key.

You can configure the nginx ingress to use client certificates with some annotations, but your backend server will not be able to "see" the client certificate, so it may reject the request.


I would either find a way not to use client certificates (it looks like EST can also use user+password?), or expose the TCP service directly.

There are a few things in your ingress I would like to comment on that could be causing your problem:

kubernetes.io/ingress.class: "fanhe-ingress"
This field should be filled with a predefined ingress.class name registered under kubernetes.io, not a name you created yourself.

You must use
kubernetes.io/ingress.class: "nginx"

spec:
  tls:
  - hosts:
    - nginx-ingress-controller.ingress-nginx
    secretName: nginx-ingress-tls-ec-secret
  rules:
    - host: nginx-ingress-controller.ingress-nginx
hosts and host should be the domain name used to access the application from outside. This name should be the same one used when the TLS certificate was created.

It should look like this:

spec:
 tls:
 - hosts:
   - yourwebsiteurl.com
   secretName: nginx-ingress-tls-ec-secret
 rules:
   - host: yourwebsiteurl.com
Please check your path again; a path can contain a . (dot), but this is not commonly used.

path: /.well-known/est
It should look like this:

path: /well-known/est
Summing everything up, your ingress should look something like this:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
 name: pki-est
 annotations:
   kubernetes.io/ingress.class: "nginx"
spec:
 tls:
 - hosts:
   - yourwebsiteurl.com
   secretName: nginx-ingress-tls-ec-secret
 rules:
   - host: yourwebsiteurl.com
     http:
       paths:
       - path: /well-known/est
         backend:
          serviceName: pki-app
          servicePort: 8082

OK, I finally figured it out. @Dirbaio, you were right, the problem turned out to be certificate related. I realised my Postman configuration was incorrect; once I fixed it I was able to reproduce the problem and started seeing the HTTP 400 Bad Request - SSL certificate error.

I narrowed it down to the following ingress configurations:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
 name: pki-ws
 annotations:
   nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
   nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
   nginx.ingress.kubernetes.io/auth-tls-secret: "default/managementca"
   nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
   nginx.ingress.kubernetes.io/configuration-snippet: |
     proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
   kubernetes.io/ingress.class: "fanhe-ingress"
spec:
 tls:
 - hosts:
   - nginx-ingress-controller.ingress-nginx
   secretName: nginx-ingress-tls
 rules:
   - host: nginx-ingress-controller.ingress-nginx
     http:
       paths:
       - path: /ejbca/ejbcaws
         backend:
          serviceName: pki-app
          servicePort: 8082
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: pki-est
  annotations:
    kubernetes.io/ingress.class: "fanhe-ingress"
spec:
  tls:
  - hosts:
    - nginx-ingress-controller.ingress-nginx
    secretName: nginx-ingress-tls
  rules:
    - host: nginx-ingress-controller.ingress-nginx
      http:
        paths:
        - path: /.well-known/est
          backend:
           serviceName: pki-app
           servicePort: 8082
Since both share the same host, I guess the two configurations got merged in nginx, so all the annotations were applied to both paths. My EST client's certificate was issued by a different CA than "default/managementca", and nginx could not authenticate it properly.

I fixed it by using two different hosts and a certificate with multiple SANs.

Thanks for your help. Much appreciated.
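The root cause in the answer above is a property of ingress-nginx rather than of nginx itself: client-certificate verification (ssl_client_certificate / ssl_verify_client) is rendered once per server block, i.e. per host, so two Ingress objects that claim the same host but carry different auth-tls-* annotations end up sharing one policy, and a client certificate from a CA other than the one in auth-tls-secret is rejected on every path of that host. The following is an added example, not code from the original post, that finds such host collisions in a set of Ingress manifests and applies the fix described above (a distinct host per mTLS policy). The two Ingress objects are reduced copies of the ones quoted in the answer; the hostnames pki-ws.example.internal and pki-est.example.internal are assumed, since the post does not name the hosts it split to.

```python
from collections import defaultdict
from copy import deepcopy

AUTH_TLS_PREFIX = "nginx.ingress.kubernetes.io/auth-tls-"

# Constructed sample: the two Ingress objects from the answer above, reduced to
# the fields this check needs. Both claim the same host; only pki-ws carries
# the auth-tls-* annotations, yet they also govern the /.well-known/est path.
BROKEN_INGRESSES = [
    {"metadata": {"name": "pki-ws", "namespace": "default",
                  "annotations": {
                      "nginx.ingress.kubernetes.io/auth-tls-verify-client": "optional",
                      "nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true",
                      "nginx.ingress.kubernetes.io/auth-tls-secret": "default/managementca",
                      "nginx.ingress.kubernetes.io/backend-protocol": "HTTP",
                      "kubernetes.io/ingress.class": "fanhe-ingress"}},
     "spec": {"tls": [{"hosts": ["nginx-ingress-controller.ingress-nginx"],
                       "secretName": "nginx-ingress-tls"}],
              "rules": [{"host": "nginx-ingress-controller.ingress-nginx",
                         "http": {"paths": [{"path": "/ejbca/ejbcaws"}]}}]}},
    {"metadata": {"name": "pki-est", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "fanhe-ingress"}},
     "spec": {"tls": [{"hosts": ["nginx-ingress-controller.ingress-nginx"],
                       "secretName": "nginx-ingress-tls"}],
              "rules": [{"host": "nginx-ingress-controller.ingress-nginx",
                         "http": {"paths": [{"path": "/.well-known/est"}]}}]}},
]


def auth_tls_settings(ingress: dict) -> dict:
    """The client-certificate (mTLS) annotations of one Ingress, if any."""
    annotations = ingress["metadata"].get("annotations", {})
    return {k: v for k, v in annotations.items() if k.startswith(AUTH_TLS_PREFIX)}


def hosts_of(ingress: dict) -> list:
    return [rule.get("host", "") for rule in ingress["spec"].get("rules", [])]


def find_mtls_host_conflicts(ingresses: list) -> dict:
    """Map host -> [(ingress name, auth-tls settings)] for every host claimed
    by more than one Ingress whose auth-tls-* annotations are not identical.
    ingress-nginx emits ssl_verify_client per server (host) block, so in this
    situation one Ingress's mTLS policy silently covers the other's paths."""
    by_host = defaultdict(list)
    for ing in ingresses:
        for host in hosts_of(ing):
            by_host[host].append((ing["metadata"]["name"], auth_tls_settings(ing)))
    return {host: entries for host, entries in by_host.items()
            if len(entries) > 1
            and len({frozenset(s.items()) for _, s in entries}) > 1}


def rehost(ingress: dict, new_host: str) -> dict:
    """Return a copy of the Ingress with every rule and tls host replaced.
    This is the fix the answer applied: one host per mTLS policy, with the
    serving certificate in secretName carrying a SAN for each host."""
    fixed = deepcopy(ingress)
    for rule in fixed["spec"].get("rules", []):
        rule["host"] = new_host
    for tls in fixed["spec"].get("tls", []):
        tls["hosts"] = [new_host]
    return fixed


def report(ingresses: list) -> list:
    """Human-readable lines, one per conflicting host."""
    lines = []
    for host, entries in find_mtls_host_conflicts(ingresses).items():
        names = ", ".join(name for name, _ in entries)
        policies = [settings.get(AUTH_TLS_PREFIX + "secret", "<none>") for _, settings in entries]
        lines.append(f"host {host}: ingresses {names} share one server block "
                     f"but want different auth-tls-secret values {policies}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BROKEN_INGRESSES)) or "no conflicts")
    # Assumed hostnames: the post does not name the hosts it split to.
    fixed = [rehost(BROKEN_INGRESSES[0], "pki-ws.example.internal"),
             rehost(BROKEN_INGRESSES[1], "pki-est.example.internal")]
    print("\n".join(report(fixed)) or "no conflicts after splitting hosts")
```

To run it against a live cluster, feed it the items of `kubectl get ingress -A -o json` (after json.load, use `data["items"]`). One further caveat when the EST client's CA is deliberately different from the management CA: with auth-tls-verify-client set to "optional", nginx still verifies any certificate the client presents and fails the handshake on a chain it cannot build, whereas "optional_no_ca" requests the certificate without verifying it against the CA bundle and leaves verification to the upstream.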

Thanks for the reply @Dirbaio. A few notes: - Communication between the ingress and EJBCA (backend server) is over HTTP only. TLS stops at the ingress. - Postman issues the same HTTP POST using the same client certificate as my EST-RA (no SSL error message). - Configuring the ingress to verify the client certificate does not change anything. I do not understand why this SSL error shows up after the TLS session has ended.

It is not possible to get a client certificate over unencrypted HTTP. If you are doing the Postman request with a client certificate, then you are probably doing it over HTTPS, not HTTP. Either way, because of how the encryption works, it is not possible to reverse-proxy a request that uses a client certificate (nginx ingress does not have the client certificate's private key). You need to find an alternative that does not involve a reverse proxy.

Sorry, I disagree. Yes, I am using HTTPS with Postman, and the TLS session terminates at the ingress. The ingress then forwards the HTTP POST request to the backend server over HTTP.

You could try SSL passthrough, which should be able to pass the client certificate through.

Hi @mWatney, let me answer all your questions: 1 - ingress class: I added "--ingress-class=fanhe-ingress" to the list of arguments passed to nginx. 2 - This ingress is purely internal to my cluster, so it relies on the Kubernetes service name and CoreDNS to reach it: .. The certificate contains a SAN field set to .. 3 - the dot is as specified in the protocol RFC: This configuration works fine when the same request is made with Postman. How can I get more information out of nginx about what exactly it dislikes in the HTTP request?

Ingress is designed to route external connections into the cluster; why do you need to use an Ingress to route requests inside the cluster? Usually Services are used for internal routing.

I use other ingresses to route connections from outside to EJBCA (GUI access, SCEP). When EJBCA is deployed in this proxy mode it only exposes an HTTP server, but my internal EST-RA only does HTTPS, so I need to keep an ingress in between.