主页 / user-1062537

appcoder's questions

Martin Hope
appcoder
Asked: 2024-04-27 12:40:07 +0800 CST
  • 7

我已设置具有站点到站点 VPN 连接的 Azure VPN 网关,并且 VPN 连接的状态为“已连接”。我还在 VPN 网关的同一虚拟网络中创建了 AKS 群集和 Azure VM。现在,当我尝试从 Azure VM 或 Azure VPN 网关连接远程网络站点上的远程 IP 地址时,它不起作用。对目标 IP(经过 NAT 处理的 IP 地址)的 Ping 或 Tracert 也不起作用。有什么想法可能是问题出在哪里吗?

netsh 路由的输出

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    0    0.0.0.0/0                  13  10.0.2.1
No       System    256  10.0.2.0/23                13  Ethernet
No       System    256  10.0.3.75/32               13  Ethernet
No       System    256  10.0.3.255/32              13  Ethernet
No       System    256  127.0.0.0/8                 1  Loopback Pseudo-Interface 1
No       System    256  127.0.0.1/32                1  Loopback Pseudo-Interface 1
No       System    256  127.255.255.255/32          1  Loopback Pseudo-Interface 1
No       Manual    1    168.63.129.16/32           13  10.0.2.1
No       Manual    1    169.254.169.254/32         13  10.0.2.1
No       System    256  224.0.0.0/4                 1  Loopback Pseudo-Interface 1
No       System    256  224.0.0.0/4                13  Ethernet
No       System    256  255.255.255.255/32          1  Loopback Pseudo-Interface 1
No       System    256  255.255.255.255/32         13  Ethernet
site-to-site-vpn
Martin Hope
appcoder
Asked: 2023-11-23 10:01:25 +0800 CST
  • 6

我已设置 cert-manager 来与私有 ca 颁发者签署证书。私有 CA 机密已正确设置,在添加到 TLS 机密之前,我已使用 OpenSSL 验证命令验证了链,并且它们都正确验证了根。但是,当使用 cert-manager 执行相同操作时,证书未签名,并且出现错误“消息:证书请求无法完成,将重试:签名证书错误:证书链格式错误或损坏”

这是证书颁发者的 yaml

   apiVersion: cert-manager.io/v1
   kind: ClusterIssuer
   metadata:
    name: my-ca-issuer
    namespace: default
   spec:
   ca:
      secretName: my-tls-secret
   ---
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: cert-test
     namespace: default
   spec:
     secretName: my-tls-secret
   issuerRef:
     name: my-ca-issuer
     kind: ClusterIssuer
   commonName: cert-test.com
   renewBefore: 12h # Renew the certificate when it's 12 hours from expiration

my-tls-secret 位于 cert-manager 命名空间中

ca 发行人验证正确

  kubectl get clusterissuers -o wide
NAME                        READY   STATUS                AGE
my-ca-issuer            True    Signing CA verified   27h

my-tls 秘密是使用此命令创建的

 kubectl create secret generic my-tls-secret --from-file=tls.crt=cert-chain.pem --from-file=tls.key=myca.key --from-file=ca.crt=ca-chain.pem -n cert-manager

关于为什么 cert-manager 链格式错误而 openssl verify 链没有任何问题的任何线索

openssl crl2pkcs7 -nocrl -certfile ca-chain.pem | openssl pkcs7 -print_certs -noout

subject=C = US, ST = TX, L = Austin, O = org, CN = app-TLS-Sub-CA
issuer=C = US, ST = TX, L = Austin, O = org, CN = Issuing-Sub-CA

subject=C = US, ST = TX, L = Austin, O = org, CN = Issuing-Sub-CA
issuer=C = US, ST = TX, L = Austin, O = org, CN = Root

subject=C = US, ST = TX, L = Austin, O = org, CN = Root
issuer=C = US, ST = TX, L = Austin, O = org, CN = Root
kubernetes