Kubernetes: Use .crt and .key in Ingress

Notes on how to use the .crt and .key files obtained from GoDaddy in Kubernetes, and how to check the resulting certificate with curl and openssl.

Resources used in this article:

  • Nginx Ingress Controller: required before Ingress resources can be used
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
  • Deployment, Service, Ingress: see https://github.com/RammusXu/toolkit/tree/master/k8s/ingress
    kubectl apply -k .
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: demo-ingress
      annotations:
        kubernetes.io/ingress.class: nginx
    spec:
      tls:
      - secretName: rammus-tls
      rules:
      - http:
          paths:
          - path: /
            backend:
              serviceName: helloweb-service
              servicePort: 8080
        host: rammus.tw

When you receive the certificate from GoDaddy, you should have these files:

  • xxxx.crt: the certificate for the domain you applied for
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  • xxxx.pem: the same content as xxxx.crt
  • gd_bundle-g2-g1.crt: GoDaddy's intermediate certificates
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  • xxxx.key: the private key paired with xxxx.crt
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

Next, append the intermediate certificates after the domain certificate to produce chain.crt, then import chain.crt and the private key into a Kubernetes Secret:

cat xxxx.crt gd_bundle-g2-g1.crt > chain.crt
kubectl create secret tls --cert chain.crt --key xxxx.key rammus-tls

Testing whether the certificate is correct

To test on localhost, first add your domain to /etc/hosts:

127.0.0.1 rammus.tw

You can confirm the certificate with either curl or openssl. The 👍 forms explicitly send rammus.tw as the TLS server name (SNI), which is what the ingress controller uses to select the certificate; a Host header alone does not set SNI.

curl -kv https://localhost/ -H 'Host: rammus.tw'
👍 curl -kv https://rammus.tw

openssl s_client -showcerts -connect rammus.tw:443
👍 openssl s_client -showcerts -connect rammus.tw:443 -servername rammus.tw

The difference between including and omitting the intermediate certificates

Using the openssl command above, first with chain.crt (domain certificate plus intermediates) in the Secret, then with the domain certificate alone:

➜ openssl s_client -showcerts -connect rammus.tw:443 -servername rammus.tw
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = rammus.tw
verify return:1

➜ openssl s_client -showcerts -connect rammus.tw:443 -servername rammus.tw
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = rammus.tw
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = rammus.tw
verify error:num=21:unable to verify the first certificate
verify return:1
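As an added example that is not part of the original post: a POSIX shell script with the checks worth running before `kubectl create secret tls`, namely that xxxx.key belongs to xxxx.crt and that the concatenated chain.crt verifies up to the root, plus the leaf-only failure that mirrors the second s_client output above. The GoDaddy file names are reused, but make_test_pki builds a constructed root/intermediate/leaf stand-in for the real GoDaddy files so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks on the
# GoDaddy files before running `kubectl create secret tls`. File names follow
# the post; the root/intermediate/leaf produced by make_test_pki are a
# constructed stand-in for the real GoDaddy files so everything runs offline.
set -eu

# Build a throwaway root -> intermediate -> leaf chain (constructed test data).
make_test_pki() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/int.ext" -out "$d/gd_bundle-g2-g1.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rammus.tw" \
    -keyout "$d/xxxx.key" -out "$d/xxxx.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/xxxx.csr" -CA "$d/gd_bundle-g2-g1.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/xxxx.crt" >/dev/null 2>&1
}

# Succeeds only when the certificate and the private key carry the same public
# key, i.e. xxxx.key really belongs to xxxx.crt.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Concatenate leaf + intermediate exactly as the post does, then check that the
# resulting chain.crt links up to the root. Arguments: leaf intermediate root out.
build_and_verify_chain() {
  cat "$1" "$2" > "$4"
  openssl verify -CAfile "$3" -untrusted "$4" "$4" >/dev/null 2>&1
}

# Number of PEM certificates in a file: chain.crt must hold more than the leaf.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Stand-alone run against the constructed PKI.
W=$(mktemp -d)
make_test_pki "$W"
key_matches_cert "$W/xxxx.crt" "$W/xxxx.key" && echo "xxxx.key matches xxxx.crt"
build_and_verify_chain "$W/xxxx.crt" "$W/gd_bundle-g2-g1.crt" "$W/root.crt" "$W/chain.crt" \
  && echo "chain.crt verifies with $(cert_count "$W/chain.crt") certificates"
```

With the real files, point the functions at xxxx.crt, gd_bundle-g2-g1.crt and xxxx.key and use the system CA bundle (or the GoDaddy root) as the -CAfile argument.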