Kubernetes NGINX Ingress Controller not picking up TLS Certificates

Question

I setup a new kubernetes cluster on GKE using the nginx-ingress controller. TLS is not working, it's using the fake certificates.

There is a lot of configuration detail so I made a repo - https://github.com/jobevers/test_ssl_ingress

In short the steps were

• create a new cluster without GKE's load balancer
• create a tls secret with my key and cert
• create an nginx-ingress deployment / pod
• create an ingress controller

The nginx-ingress config comes from https://zihao.me/post/cheap-out-google-container-engine-load-balancer/ (and looks very similar to a lot of the examples in the ingress-nginx repo).

My ingress.yaml is nearly identical to the example one

When I run curl, I get

$ curl -kv https://35.196.134.52
[...]
*    common name: Kubernetes Ingress Controller Fake Certificate (does not match '35.196.134.52')
[...]
*    issuer: O=Acme Co,CN=Kubernetes Ingress Controller Fake Certificate
[...]

which shows that I'm still using the default certificates.

How am I supposed to get it using mine?

---

Ingress definition

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ssl-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - secretName: tls-secret
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: demo-echo-service
          servicePort: 80

---

Creating the secret :

kubectl create secret tls tls-secret --key tls/privkey.pem --cert tls/fullchain.pem

---

Debugging further, the certificate is being found and exist on the server:

$ kubectl -n kube-system exec -it $(kubectl -n kube-system get pods | grep ingress | head -1 | cut -f 1 -d " ") -- ls -1 /ingress-controller/ssl/
default-fake-certificate-full-chain.pem
default-fake-certificate.pem
default-tls-secret-full-chain.pem
default-tls-secret.pem

And, from the log, I see

kubectl -n kube-system log -f $(kubectl -n kube-system get pods | grep ingress | head -1 | cut -f 1 -d " ")
[...]
I1013 17:21:45.423998       6 queue.go:111] syncing default/test-ssl-ingress
I1013 17:21:45.424009       6 backend_ssl.go:40] starting syncing of secret default/tls-secret
I1013 17:21:45.424135       6 ssl.go:60] Creating temp file /ingress-controller/ssl/default-tls-secret.pem236555242 for Keypair: default-tls-secret.pem
I1013 17:21:45.424946       6 ssl.go:118] parsing ssl certificate extensions
I1013 17:21:45.743635       6 backend_ssl.go:102] found 'tls.crt' and 'tls.key', configuring default/tls-secret as a TLS Secret (CN: [...])
[...]

But, looking at the nginx.conf, its still using the fake certs:

$ kubectl -n kube-system exec -it $(kubectl -n kube-system get pods | grep ingress | head -1 | cut -f 1 -d " ") -- cat /etc/nginx/nginx.conf | grep ssl_cert
        ssl_certificate                         /ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key                     /ingress-controller/ssl/default-fake-certificate.pem;

Answer 1

Turns out that the ingress definition needs to look like:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ssl-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
      - app.example.com
      secretName: tls-secret
  rules:
    - host: app.example.com
      http:
        paths:
        - path: /
          backend:
            serviceName: demo-echo-service
            servicePort: 80

The host entry under rules needs to match one of the hosts entries under tls.

Answer 2

Just faced that issue as well with v0.30.0 and it turns out that having an ingress config like this without explicit hostnames is ok:

spec:
  tls:
    - secretName: ssl-certificate

On my side the problem was that I had a annotation on the ingress with an int64 value that was not parsed correctly and below that was the definiton kubernetes.io/ingress.class so essentially nginx did not find the ingress controller which was stated in the logs correctly:

ignoring add for ingress <ingressname> based on annotation kubernetes.io/ingress.class with value

So using strings in the annotations fixed the problem.

Answer 3

You need to add the ROOT CA Certificate to authorities section in places such as chrome, firefox, the server's certificate pool.

1. Create a directory called /usr/share/ca-certificates/extras
2. Change extension of .pem file to .crt and copy this file to directory you created
3. Run sudo dpkg-reconfigure ca-certificates
4. In window that opens, first press enter, then select the file you added in list that appears with space key and press enter again

Your computer will now automatically recognize other certificates, you have generated with this certificate.