Kubernetes Ingress is not working with https/ssl

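I have installed Ingress in my Kubernetes cluster.

I deployed everything on AWS EC2 instances, and a Classic Load Balancer sits in front of the Ingress controller. I can access the service over the http port, but I cannot access it over https.

I purchased a valid domain name from GoDaddy, and got an AWS SSL certificate from GoDaddy.

The load balancer listeners are configured as shown below

I modified the Ingress NGINX service (added the certificate ARN)

Ingress rule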

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: practice-ingress
  namespace: practice
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: kdhut.com
    http:
      paths:
      - backend:
          serviceName: customer-service
          servicePort: 9090
        path: /customer
      - backend:
          serviceName: prac-service
          servicePort: 8000
        path: /prac

I can access the service over http, but https is not working.

I tried curl

curl -v https://kdhut.com -H 'Host: kdhut.com'

* Rebuilt URL to: https://kdhut.com/
*   Trying 3.12.176.17...
* TCP_NODELAY set
* Connected to kdhut.com (3.12.176.17) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kdhut.com
*  start date: Mar 20 00:00:00 2020 GMT
*  expire date: Apr 20 12:00:00 2021 GMT
*  subjectAltName: host "kdhut.com" matched cert's "kdhut.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: kdhut.com
> User-Agent: curl/7.58.0
> Accept: */*

I think this is an issue with the AWS load balancer. I ran into something with an AWS NLB a while back and found this link for a "workaround/hack":


HTH

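About my deployment? Nothing crazy. I was building some cloud infrastructure with applications in the back end, and I used NGINX in front of the "ingress" and behind the NLB. I did this for HA reasons, which let me set up several NGINX instances for an HA cluster, and several ingresses for HA. Traffic would come in, hit the NLB, which sent it to my "edge" nginx layer, which then sent it on to the ingress. I don't like single instances because they are a single point of failure.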
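
One way the setup described in the question (TLS terminated at the Classic Load Balancer with an ACM certificate) is commonly wired, as an added example that is not from the original posts. The Service name, namespace, pod label and port name are assumptions, and the certificate ARN is a placeholder.

```yaml
# Added example, not from the original post. Assumed: Service name/namespace
# "ingress-nginx", controller port named "http"; the ARN is a placeholder.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  annotations:
    # ACM certificate the Classic Load Balancer presents to clients.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<ACM_CERTIFICATE_ARN>"
    # Only the listener for the port named "https" terminates TLS.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # After decryption the load balancer speaks plain HTTP to the controller.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx   # assumed pod label
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    # Decrypted traffic must reach the controller's plain-HTTP port, not 443.
    targetPort: http
---
apiVersion: extensions/v1beta1   # API version used in the question
kind: Ingress
metadata:
  name: practice-ingress
  namespace: practice
  annotations:
    # The controller only sees HTTP here, so it must not redirect to HTTPS.
    # ssl-passthrough is omitted: it forwards an undecrypted TLS stream.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: kdhut.com
    http:
      paths:
      - path: /customer
        backend:
          serviceName: customer-service
          servicePort: 9090
      - path: /prac
        backend:
          serviceName: prac-service
          servicePort: 8000
```

In this layout the hop from the load balancer to the controller is unencrypted, so its confidentiality depends on the VPC network between them.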