Kubernetes Ingress not working with https/ssl

Question

I installed Kubernetes NGINX Ingress in kubernetes cluster

I deployed everything on AWS EC2 Instance and Classic Load balancer is in front to Ingress controller. I am able to access the service with http port but not able to access it with https.

I have a valid domain purchase from godaddy and i got AWS SSL certificate from Certificate Manager

Load balancer listeners are configured as below.

I modified the Ingress NGINX Service (added certificate ARN)

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  annotations:
    # Enable PROXY protocol
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
    # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
    # increased to '3600' to avoid any potential issues.
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:297483230626:certificate/ffe5a2b3-ceff-4ef2-bf13-8da5b4212121"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http

spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https

Ingress rules

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: practice-ingress
  namespace: practice
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: kdhut.com
    http:
      paths:
      - backend:
          serviceName: customer-service
          servicePort: 9090
        path: /customer
      - backend:
          serviceName: prac-service
          servicePort: 8000
        path: /prac

I am able to access the service in http but https is not working.

i tried curl

curl -v https://kdhut.com -H 'Host: kdhut.com'

* Rebuilt URL to: https://kdhut.com/
*   Trying 3.12.176.17...
* TCP_NODELAY set
* Connected to kdhut.com (3.12.176.17) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kdhut.com
*  start date: Mar 20 00:00:00 2020 GMT
*  expire date: Apr 20 12:00:00 2021 GMT
*  subjectAltName: host "kdhut.com" matched cert's "kdhut.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: kdhut.com
> User-Agent: curl/7.58.0
> Accept: */*

Answer 1

I think thats an issue with the AWS load balancer. I ran into something awhile back with a AWS NLB and found this link for a 'workaround/hack':

Workaround

HTH