【Question title】: Knative & cert-manager - SSL_ERROR_SYSCALL
【Posted】: 2021-05-22 18:14:06
【Question】:
kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T21:16:14Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}

Running on Ubuntu 20.04

Installed from: https://knative.dev/docs/install/install-serving-with-yaml/

Tried all of the networking layers - this one is running with kourier and cert-manager

I installed "networking-ns-cert" and used DNS01 - basically as described here: https://knative.dev/docs/install/install-serving-with-yaml/

My certificates did get created, and I can curl -H "app..mydomain.dev" over http (not https)

get kcert --all-namespaces                                                                                                                     
NAMESPACE         NAME                        READY   REASON
cert-manager      cert-manager.mydomain.dev      True    
default           default.mydomain.dev           True    
knative-serving   knative-serving.mydomin.dev   True    
kourier-system    kourier-system.mydomain.dev    True    
kube-node-lease   kube-node-lease.mydomain.dev   True    
kube-public       kube-public.mydomain.dev       True    
kube-system       kube-system.mydomain.dev       True    
test              test.mydomain.dev              True    
kubectl get svc -n kourier-system
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
kourier            NodePort    10.96.38.63      <none>        80:30789/TCP,443:30670/TCP   31h
kourier-internal   ClusterIP   10.101.145.191   <none>        80/TCP                       31h
openssl s_client -connect mydomain.dev:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1621705659
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
curl -H "Host: helloworld-go.default.mydomain.dev" http://mydomain.dev
Hello Hello Knative Serving is up and running with Kourier!!!

curl -iv -H "Host: helloworld-go.default.mydomain.dev" https://mydomain.dev                                                                      
*   Trying <ip address>...
* TCP_NODELAY set
* Connected to mydomain.dev (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.dev:443 
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.dev:443

【Discussion】:

    Tags: cert-manager knative knative-serving


    【Answer 1】:

    I notice that you are connecting to https://mydomain.dev but passing a Host header for a different domain. My guess is that curl is sending an SNI request for the mydomain.dev certificate; since networking-ns-cert obtains wildcard certificates for *.<namespace>.mydomain.dev, the server probably has no certificate matching the SNI request and closes the TCP connection.

    Try the curl -kvv option (instead of -v) to print more detailed debugging information and bypass some SSL errors. Since you have DNS and certificates set up, I would try:

    curl -kvv https://helloworld-go.default.mydomain.dev

    【Comments】:
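The answer's explanation, as an added example that is not part of the original question or answer: the script below first emulates offline which certificate a TLS terminator such as Kourier could select for a given SNI name when the only certificates are the per-namespace wildcards networking-ns-cert issues (`*.<namespace>.<domain>`), and shows that a `-H Host:` override never changes the SNI value curl sends. It then provides a live probe that sends an explicit SNI name and reports whether the server completes the handshake or drops the TCP connection, the condition curl reports as SSL_ERROR_SYSCALL. All domain and namespace names are constructed sample values; `NAMESPACE_CERTS`, `select_certificate`, `explain_request` and `probe_sni` are names introduced here, not Knative or cert-manager APIs.

```python
"""Added example (not from the original question or answer).

Part 1 emulates, offline, which certificate a TLS terminator such as Kourier
could select for a given SNI name when the only certificates available are the
per-namespace wildcards that networking-ns-cert issues (*.<namespace>.<domain>).
Part 2 is a live probe that sends an explicit SNI value and reports whether the
server completes the handshake or drops the TCP connection, which is what curl
surfaces as SSL_ERROR_SYSCALL.

All domain and namespace names are constructed sample values.
"""
import socket
import ssl
from typing import Dict, List, Optional

# Constructed: wildcard SANs as networking-ns-cert would issue them for three of
# the namespaces in the question's `kubectl get kcert` output.
NAMESPACE_CERTS: Dict[str, List[str]] = {
    "default": ["*.default.mydomain.dev"],
    "test": ["*.test.mydomain.dev"],
    "knative-serving": ["*.knative-serving.mydomain.dev"],
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' covers exactly one leftmost DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".default.mydomain.dev"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the part '*' would have to cover
    return leftmost != "" and "." not in leftmost


def select_certificate(sni_name: str,
                       certs: Dict[str, List[str]] = NAMESPACE_CERTS) -> Optional[str]:
    """Namespace whose certificate covers sni_name, or None if no cert matches."""
    for namespace, sans in certs.items():
        if any(hostname_matches(san, sni_name) for san in sans):
            return namespace
    return None


def explain_request(url_host: str,
                    host_header: Optional[str] = None) -> Dict[str, Optional[str]]:
    """What the server sees for `curl -H "Host: <host_header>" https://<url_host>`.

    SNI is taken from the URL host; a -H Host: override only changes the HTTP
    layer, which the server never reaches if the TLS handshake fails.
    """
    sni = url_host
    return {
        "sni": sni,
        "host_header": host_header or url_host,
        "certificate": select_certificate(sni),
    }


def probe_sni(address: str, sni_name: str, port: int = 443,
              timeout: float = 5.0) -> str:
    """Live check of one SNI value against a TLS endpoint.

    Returns 'ok <version> <cipher>' when the server completes the handshake,
    'reset' when it drops the TCP connection mid-handshake (curl's
    SSL_ERROR_SYSCALL), or the TLS alert / socket error it raised.
    Certificate verification is disabled on purpose: the point is to observe
    how the server reacts to the SNI name, not to validate its certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                return f"ok {tls.version()} {tls.cipher()[0]}"
    except (ConnectionResetError, ssl.SSLEOFError):
        return "reset"
    except ssl.SSLError as exc:
        return f"tls-error {exc.reason or exc}"
    except OSError as exc:
        return f"socket-error {exc}"


if __name__ == "__main__":
    # Offline: the question's failing curl versus the answer's suggested one.
    print(explain_request("mydomain.dev", "helloworld-go.default.mydomain.dev"))
    print(explain_request("helloworld-go.default.mydomain.dev"))
    # Live probe (needs network access to the cluster's ingress):
    # print(probe_sni("mydomain.dev", "helloworld-go.default.mydomain.dev"))
```

Run it offline to see that the first request carries SNI `mydomain.dev`, which no per-namespace wildcard covers, while the second carries an SNI name that `*.default.mydomain.dev` matches; `probe_sni` against the real ingress then distinguishes a dropped connection ("reset") from a TLS alert such as an unrecognized name, which `openssl s_client` without `-servername` cannot show because it sends no SNI at all.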
