# Error: tls: first record does not look like a TLS handshake

- **ID:** `kubernetes/ingress-ssl-certificate-mismatch`
- **Domain:** kubernetes
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 78%

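## Root cause

The Ingress TLS configuration points to a secret that contains non-TLS data (for example plain text or a malformed format), or the certificate is invalid.

## Version compatibility

| Version | Status | Introduced | Deprecated |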
|------|------|------|------|
| nginx-ingress-controller v1.10 | active | — | — |
| nginx-ingress-controller v1.11 | active | — | — |
| Kubernetes v1.28 | active | — | — |

## Solution

1. Verify secret content: `kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout`. Ensure it contains a valid PEM certificate.
2. Recreate secret with correct certificate and key: `kubectl create secret tls <secret-name> --cert=path/to/cert.pem --key=path/to/key.pem` then update Ingress to reference it.
3. Check Ingress controller logs: `kubectl logs -n ingress-nginx <controller-pod> | grep 'tls'` to see detailed error, then fix cert chain or secret name.
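
The certificate checks from steps 1 and 2, extended to also confirm that the private key matches the certificate, as an added example that is not part of the original page. The function names and return codes are assumptions made for this example, and `demo` runs the checks on constructed throwaway inputs generated with `openssl`.

```bash
# check_tls_pair CERT_FILE KEY_FILE
# Return codes (a convention made up for this example):
#   0 ok | 1 not a PEM X.509 cert | 2 key unreadable | 3 key/cert mismatch | 4 expired
check_tls_pair() {
  local cert="$1" key="$2" cert_pub key_pub
  # Plain text, DER, or doubly base64-encoded data all fail this parse.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  # An Ingress TLS key must be unencrypted; the empty -passin avoids a prompt.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
  # Identical public keys on both sides mean the pair belongs together.
  [ "$cert_pub" = "$key_pub" ] || return 3
  # -checkend 0 fails when notAfter is already in the past.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
  return 0
}

# check_tls_secret NAME [NAMESPACE]: run the same checks on a live secret.
check_tls_secret() {
  local name="$1" ns="${2:-default}" dir rc
  dir=$(mktemp -d) || return 5          # mktemp -d creates the dir mode 0700
  kubectl get secret "$name" -n "$ns" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$dir/tls.crt"
  kubectl get secret "$name" -n "$ns" -o jsonpath='{.data.tls\.key}' | base64 -d > "$dir/tls.key"
  check_tls_pair "$dir/tls.crt" "$dir/tls.key" && rc=0 || rc=$?
  rm -rf "$dir"                          # do not leave the private key on disk
  return "$rc"
}

# demo: constructed throwaway inputs (self-signed pair, unrelated key, plain text).
demo() {
  local d; d=$(mktemp -d) || return 5
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$d/a.key" -out "$d/a.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$d/b.key" >/dev/null 2>&1
  echo "this is not a certificate" > "$d/plain.txt"
  code() { check_tls_pair "$@" && echo 0 || echo $?; }
  echo "$(code "$d/a.crt" "$d/a.key") $(code "$d/plain.txt" "$d/a.key")" \
       "$(code "$d/a.crt" "$d/plain.txt") $(code "$d/a.crt" "$d/b.key")"
  rm -rf "$d"
}
```

Run `check_tls_pair path/to/cert.pem path/to/key.pem` before `kubectl create secret tls`, or `check_tls_secret <secret-name> <namespace>` against a secret that already exists.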

## Ineffective attempts

- **Restart nginx-ingress-controller pod** — Restarting does not fix incorrect secret data; the same invalid cert will be loaded again. (90% failure rate)
- **Change TLS port from 443 to 8443 in Ingress spec** — Port change does not fix the underlying certificate format issue. (95% failure rate)
- **Delete and recreate the Ingress resource** — Recreating Ingress uses same secret reference; problem persists. (85% failure rate)
