Error: tls: first record does not look like a TLS handshake
ID: kubernetes/ingress-ssl-certificate-mismatch
Fix rate: 78%
Confidence: 83%
Evidence count: 1
First seen: 2024-02-14
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx-ingress-controller v1.10 | active | — | — | — |
| nginx-ingress-controller v1.11 | active | — | — | — |
| Kubernetes v1.28 | active | — | — | — |
Root cause analysis
The Ingress TLS configuration points to a secret that contains non-TLS data (e.g., plain text or the wrong format), or the certificate is invalid.
Official documentation
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Solution
- Verify secret content: `kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout`. Ensure it contains a valid PEM certificate.
- Recreate secret with correct certificate and key: `kubectl create secret tls <secret-name> --cert=path/to/cert.pem --key=path/to/key.pem`, then update the Ingress to reference it.
- Check Ingress controller logs: `kubectl logs -n ingress-nginx <controller-pod> | grep 'tls'` to see the detailed error, then fix the cert chain or secret name.
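An offline structural check for the "verify secret content" step, as an added example that is not part of the original page: it takes the JSON from `kubectl get secret <tls-secret> -o json` and reports the data problems named in the root cause (plain text, wrong format, swapped or twice-encoded values). The function names and the placeholder PEM from `make_pem` are constructed for illustration; the check does not parse the certificate or confirm that the key matches it.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.DOTALL)

def pem_labels(blob):
    """Labels of PEM blocks whose body decodes to DER (ASN.1 SEQUENCE, tag 0x30)."""
    labels = []
    for label, body in PEM_BLOCK.findall(blob):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            labels.append(label.decode())
    return labels

def check_tls_secret(secret):
    """Structural checks on the JSON from `kubectl get secret <name> -o json`."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("type is not kubernetes.io/tls")
    data = secret.get("data") or {}
    for field, wanted in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        try:
            raw = base64.b64decode(data[field], validate=True)
        except KeyError:
            problems.append(f"{field}: missing")
            continue
        except ValueError:
            problems.append(f"{field}: not valid base64")
            continue
        labels = pem_labels(raw)
        if not labels:
            try:  # common mistake: the PEM file was base64-encoded twice
                twice = pem_labels(base64.b64decode(b"".join(raw.split()), validate=True))
            except ValueError:
                twice = []
            problems.append(f"{field}: " + ("PEM is base64-encoded twice" if twice
                                            else "no PEM block found"))
        elif not all(name.endswith(wanted) for name in labels):
            problems.append(f"{field}: unexpected PEM labels {labels}")
    return problems

def make_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed placeholder PEM: structurally valid, not a real certificate or key."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der), label)

def make_secret(crt, key):
    """Constructed sample Secret in the shape kubectl prints with -o json."""
    enc = lambda b: base64.b64encode(b).decode()
    return {"type": "kubernetes.io/tls", "data": {"tls.crt": enc(crt), "tls.key": enc(key)}}
```

An empty list means the secret is structurally sound; the `openssl x509` command above is still needed to confirm the certificate itself parses.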
Ineffective attempts
Common but ineffective approaches:
- Restart nginx-ingress-controller pod (90% failure). Restarting does not fix incorrect secret data; the same invalid cert will be loaded again.
- Change TLS port from 443 to 8443 in Ingress spec (95% failure). Port change does not fix the underlying certificate format issue.
- Delete and recreate the Ingress resource (85% failure). Recreating the Ingress uses the same secret reference; the problem persists.