Ssl: Using wildcard egress with a custom CA for the TLS handshake


I am trying to set up istio (v1.7.3) on AKS (v1.16.13) so that for all HTTPS requests to hosts in my domain, the TLS handshake is performed transparently by the egress gateway.

I ended up with this (abc.mydomain.com is an external URL, so I created a ServiceEntry for it):

I have mounted my certificates in the egress gateway and verified it with:

kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/mydomain-ca-certs

When I call curl -vvI https://abc.mydomain.com from a pod running in another namespace, I get the following:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443
I have also tried what is described here (trusting a custom root CA on the egress gateway), but I get the same error as above.

Any idea what I am doing wrong?

UPDATE 1

Here is the output of istioctl proxy-status (the egress RDS is STALE):

Output of curl -vvI https://abc.mydomain.com:

* Expire in 0 ms for 1 (transfer 0x55ce54104f50)
*   Trying 10.223.24.254...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55ce54104f50)
* Connected to abc.mydomain.com (10.223.24.254) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443
Output of openssl s_client -connect abc.mydomain.com:443:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Is there anything useful in the output of curl -vvI or openssl? Is your service correct? I see you have tried it, but did you see this? Could you try adding the previously mentioned exportTo: '.' to the DestinationRule?

See UPDATE 1 for the detailed output.

Jakub - after adding exportTo: ['.'] to the DestinationRule, the output of curl and openssl did not change at all.