k8s Ingress 不使用 TLS 证书

Question

I can't get my Ingress to use my TLS cert. I have created a self signed TLS cert using openssl for hostname myapp.com and added myapp.com to /etc/hosts.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

I have verified the Ingress is using the TLS cert

$ kubectl describe ingress myapp-ingress
Name:             myapp-ingress
Labels:           app=myapp
                  name=myapp-ingress
Namespace:        default
Address:          $PUBLIC_IP
Ingress Class:    nginx-ingress-class
Default backend:  <default>
TLS:
  nginx-ingress-tls terminates myapp.com
Rules:
  Host        Path  Backends
  ----        ----  --------
  myapp.com
              /   myapp-service:8080 (10.244.0.14:80)
Annotations:  <none>
Events:
  Type    Reason  Age                 From                      Message
  ----    ------  ----                ----                      -------
  Normal  Sync    19m (x11 over 21h)  nginx-ingress-controller  Scheduled for sync

however, when I curl myapp.com, I get an error message informing me no subject name matches target host 'myapp.com'.

$ curl -I https://myapp.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'myapp.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I made sure to give openssl myapp.com as the FQDN. I'm not sure why it isn't working. Any help is appreciated.

Edit:

I'm looking at the logs of the ingress controller. I see the following error messages

$ kubectl logs -n nginx-ingress ingress-nginx-controller-7c45d9ff9f-2hcd7 | grep cert
I0618 20:43:32.096653       7 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0618 20:43:32.116162       7 ssl.go:531] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key"
W0618 20:43:33.246716       7 backend_ssl.go:45] Error obtaining X.509 certificate: unexpected error creating SSL Cert: certificate and private key does not have a matching public key: tls: failed to parse private key
I0618 20:43:33.340807       7 nginx.go:319] "Starting validation webhook" address=":8443" certPath="/usr/local/certificates/cert" keyPath="/usr/local/certificates/key"
W0618 20:43:33.342061       7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
W0618 20:43:37.149824       7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate
W0618 20:43:41.152972       7 controller.go:1334] Error getting SSL certificate "default/nginx-ingress-tls": local SSL certificate default/nginx-ingress-tls was not found. Using default certificate

Answer 1

When you are using a cert that is not signed by trusted certificates in the installed CA certificate store, you will get the error message:

failed to verify the legitimacy of the server and therefore could not establish a secure connection to it

As a workaround, you can disable the strict certificate checking it with the following command:

curl -k https://myapp.com

You can find more details about it in this link .