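Recently I was developing a plugin for Istio and had configured a gateway in my local development environment. Two days ago calls through it still worked, but today the call failed with the following error: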
[root@myk8s ~]# curl -k -vvvv -H "Authorization:${token}" https://192.168.18.3:9658/api/v1/namespaces
* About to connect() to 192.168.18.3 port 9658 (#0)
* Trying 192.168.18.3...
* Connected to 192.168.18.3 (192.168.18.3) port 9658 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
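It looked as if something was wrong with the local certificate database. Yesterday I had accidentally powered off my computer directly, so at first I suspected that the hard shutdown had corrupted the certificate database files in the virtual machine. However, I found the same files in a backup of the virtual machine, and the dates and file sizes were identical, and the dates were all very old, which shows that my recent actions had nothing to do with these database files.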
[root@myk8s ~]# ll /etc/pki/nssdb
total 124
-rw-r--r--. 1 root root 65536 Sep 27 2018 cert8.db
-rw-r--r--. 1 root root 9216 Feb 21 2021 cert9.db
-rw-r--r--. 1 root root 16384 Sep 27 2018 key3.db
-rw-r--r--. 1 root root 11264 Feb 21 2021 key4.db
-rw-r--r--. 1 root root 451 Sep 27 2018 pkcs11.txt
-rw-r--r--. 1 root root 16384 Sep 27 2018 secmod.db
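So what was the cause? I was completely puzzled. I deleted Istio and reinstalled it, and got the same error. I thought some filter I had configured was causing the failure, so I even found a clean virtual machine and reinstalled there, and got the same error again. So it did not look like an environment problem. After struggling for half a day without any idea how to solve it, I went through the configuration again: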
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: apiserver-6443-vs
spec:
  gateways:
  - apiserver-6443-gateway
  hosts:
  - "*"
  tls:
  - match:
    - port: 443
      sniHosts:
      - myk8s
    route:
    - destination:
        host: apiserver-6443-extsvc
        port:
          number: 16443
When I saw this part:
      sniHosts:
      - myk8s
I suddenly remembered that this has to be accessed by host name; it cannot be accessed by host IP.
[root@myk8s ~]# curl -k -vvvv -H "Authorization:${token}" https://myk8s:9658/api/v1/namespaces
* About to connect() to myk8s port 9658 (#0)
* Trying 192.168.18.3...
* Connected to myk8s (192.168.18.3) port 9658 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* Server certificate:
* subject: CN=admin
* start date: Mar 02 18:57:51 2022 GMT
* expire date: Feb 06 18:57:51 2122 GMT
* common name: admin
* issuer: CN=192.168.18.3
> GET /api/v1/namespaces HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myk8s:9658
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Audit-Id: f9033ef5-cf3f-41ca-94fe-b8e0ce062a83
< Cache-Control: no-cache, private
< Content-Type: application/json
< Date: Thu, 09 Feb 2023 02:48:29 GMT
< Content-Length: 157
<
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
* Connection #0 to host myk8s left intact
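Look, it works now. It is that simple. But when searching Baidu for the error NSS error -5961, most of the results say to add the certificate to the trust store; yet the modification dates of the files in the certificate database had not changed, which shows that it had nothing to do with that.
I am recording how I solved this, and I hope it gives anyone who runs into this problem some ideas for troubleshooting it.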