This article covers how to deal with the Cloud SQL proxy connection error "certificate signed by unknown authority"; it may be a useful reference for anyone hitting the same problem.

Problem description

I'm attempting to connect to a CloudSQL instance via a cloudsql-proxy container on my Kubernetes deployment. I have the cloudsql credentials mounted and the value of GOOGLE_APPLICATION_CREDENTIALS set.

However, I'm still receiving the following error in my logs:

2018/10/08 20:07:28 Failed to connect to database: Post https://www.googleapis.com/sql/v1beta4/projects/[projectID]/instances/[appName]/createEphemeral?alt=json&prettyPrint=false: oauth2: cannot fetch token: Post https://oauth2.googleapis.com/token: x509: certificate signed by unknown authority

My connection string is as follows:

[dbUser]:[dbPassword]@cloudsql([instanceName])/[dbName]?charset=utf8&parseTime=True&loc=Local

And the proxy dialer is shadow-imported as:

_ github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/dialers/mysql

Anyone have an idea what might be missing?

Deployment Spec looks something like this (JSON formatted):

{
  "replicas": 1,
  "selector": {
    ...
  },
  "template": {
    ...
    "spec": {
      "containers": [
        {
          "image": "[app-docker-imager]",
          "name": "...",
          "env": [
            ...
            {
              "name": "MYSQL_PASSWORD",
              ...
            },
            {
              "name": "MYSQL_USER",
              ...
            },
            {
              "name": "GOOGLE_APPLICATION_CREDENTIALS",
              "value": "..."
            }
          ],

          "ports": [
            {
              "containerPort": 8080,
              "protocol": "TCP"
            }
          ],
          "volumeMounts": [
            {
              "mountPath": "/secrets/cloudsql",
              "name": "[secrets-mount-name]",
              "readOnly": true
            }
          ]
        },
        {
          "command": [
            "/cloud_sql_proxy",
            "-instances=...",
            "-credential_file=..."
          ],
          "image": "gcr.io/cloudsql-docker/gce-proxy:1.11",
          "name": "...",
          "ports": [
            {
              "containerPort": 3306,
              "protocol": "TCP"
            }
          ],
          "volumeMounts": [
            {
              "mountPath": "/secrets/cloudsql",
              "name": "[secrets-mount-name]",
              "readOnly": true
            }
          ]
        }
      ],
      "volumes": [
        {
          "name": "[secrets-mount-name]",
          "secret": {
            "defaultMode": 420,
            "secretName": "[secrets-mount-name]"
          }
        }
      ]
    }
  }
}

Recommended answer

The error message indicates that your client is not able to trust the certificate of https://www.googleapis.com. There are two possible causes for this:

  1. Your client does not know what root certificates to trust. The official cloudsql-proxy docker image includes root certificates, so if you are using that image, this is not your problem. If you are not using that image, you should (or at least install ca certificates in your image).

  2. Your outbound traffic is being intercepted by a proxy server that is using a different, untrusted, certificate. This might be malicious (in which case you need to investigate who is intercepting your traffic). More benignly, you might be in an organization using an outbound proxy to inspect traffic according to policy. If this is the case, you should build a new docker image that includes the CA certificate used by your organization's outbound proxy.
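As an added example (not code from the original post or from the cloudsql-proxy project), the Go helper below turns a chain a server presented into one of the answer's two causes: an empty trust store means the image lacks CA certificates, while a populated store that does not contain the signer points at an intercepting proxy, and in that case the issuer of the presented chain tells you which CA to look for. `Diagnose` and `mustCert` are hypothetical names, the "Constructed-..." certificates are fixtures built in the test, and `roots` is assumed to be the non-nil pool the client actually uses (for example one built with `AppendCertsFromPEM` from the image's CA bundle, which is empty when the bundle is missing).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
type Cause string // maps a failed verification onto the answer's two explanations

const (
	CauseTrusted     Cause = "trusted"        // chain verifies: the x509 error has another source
	CauseNoRoots     Cause = "no-roots"       // trust store is empty: image lacks ca-certificates (cause 1)
	CauseUnknownRoot Cause = "unknown-issuer" // issuer not in store: likely an intercepting proxy (cause 2)
)
// Diagnose verifies the chain a server presented for host against roots (the non-nil pool the client
// uses) and returns the cause plus the issuer of the last presented certificate, the CA to investigate.
func Diagnose(host string, chain []*x509.Certificate, roots *x509.CertPool) (Cause, string) {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	issuer := chain[len(chain)-1].Issuer.CommonName
	var ua x509.UnknownAuthorityError
	if err == nil {
		return CauseTrusted, issuer
	} else if !errors.As(err, &ua) {
		return Cause(err.Error()), issuer // hostname mismatch, expiry, etc.
	} else if roots.Equal(x509.NewCertPool()) {
		return CauseNoRoots, issuer
	}
	return CauseUnknownRoot, issuer
}
// mustCert is a constructed fixture: a self-signed CA when parent is nil, otherwise a server leaf for name.
func mustCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```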

09-01 21:03