Kubernetes Ingress SSL 证书问题

Question

I am having a problem with my TLS. I have my TLS secret created:

kubectl create secret tls ingress-tls  --key certificate.key  --cert certificate.crt

And I use it in my ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "beta"
spec:
  tls:
  - hosts:
    - '*.host.com'
    - 'beta.host.com'
    secretName: ingress-tls
  backend:
    serviceName: nginx
    servicePort: 443

The ingress is created perfectly, I access through a browser and no problem, the problem comes when I do a curl or using the program postman, I get certificate error.

curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

I'm using the GCE driver, it's the default GKE from google cloud.

I've been reading how to add the ca key, but this error is not fixed.

I did the following:

kubectl create secret generic ca --from-file certificate.ca.crt

And I added the following annotation to the ingress:

ingress.kubernetes.io/auth-tls-secret: ca

But is not working.

Does anyone know how to fix the CA certificate? The certificate is purchased on the DonDominio website and it's a Wildcard.

Answer 1

The problem was basically that I was using the .crt instead of the .pem when I generated the TLS secret. By changing the secret I got curl to detect it as a valid certificate.

New command:

kubectl create secret tls ingress-tls --key certificate.key --cert certificate.pem 

Thanks to @Michael-sqlbot!

Answer 2

If you have .ca-bundle + crt file, append .ca-bundle into the end of .crt and create secret from the new crt file will resolve this issue. This is because you need all the immediate keys for your ingress.