stackoom
  简体   繁体   中英

SSL Certificate added but shows "Kubernetes Ingress controller fake certificate"

 原文  2022-02-15 13:17:39       kubernetes/ ssl/ google-cloud-platform/ google-kubernetes-engine

Question

I am having the following issue. I am new to GCP/Cloud, I have created a cluster in GKE and deployed our application there, installed nginx as a POD in the cluster, our company has a authorized SSL certificate which i have uploaded in Certificates in GCP.

In the DNS Service, i have created an A record which matched the IP of Ingress. When i call the URL in the browser, it still shows that the website is still unsecure with message "Kube.netes Ingress controller fake certificate".

I used the following guide https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#console_1

however i am not able to execute step 3 "Associate an SSL certificate with a target proxy", because it asks "URL Maps" and i am not able to find it in the GCP Console.

Has anybody gone through the same issue like me or if anybody helps me out, it would be great.

Thanks and regards,

3 answers

solution1
 1  2022-04-14 21:18:12

I was able to fix this problem by adding an extra argument to the ingress-nginx-controller deployment.

For context: my TLS secret was at the default namespace and was named letsencrypt-secret-prod , so I wanted to add this as the default SSL certificate for the Nginx controller.

My first solution was to edit the deployment.yaml of the Nginx controller and add at the end of the containers[0].args list the following line:

- '--default-ssl-certificate=default/letsencrypt-secret-prod'

Which made that section of the yaml look like this:

      containers:
        - name: controller
          image: >-
            k8s.gcr.io/ingress-nginx/controller:v1.2.0-beta.0@sha256:92115f5062568ebbcd450cd2cf9bffdef8df9fc61e7d5868ba8a7c9d773e0961
          args:
            - /nginx-ingress-controller
            - '--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller'
            - '--election-id=ingress-controller-leader'
            - '--controller-class=k8s.io/ingress-nginx'
            - '--ingress-class=nginx'
            - '--configmap=$(POD_NAMESPACE)/ingress-nginx-controller'
            - '--validating-webhook=:8443'
            - '--validating-webhook-certificate=/usr/local/certificates/cert'
            - '--validating-webhook-key=/usr/local/certificates/key'
            - '--default-ssl-certificate=default/letsencrypt-secret-prod'

But I was using the helm chart: ingress-nginx/ingress-nginx , so I wanted this config to be in the values.yaml file of that chart so that I could upgrade it later if necessary.

So reading the values file I replaced the attribute: controller.extraArgs , which looked like this:

  extraArgs: {}

For this:

  extraArgs:
    default-ssl-certificate: default/letsencrypt-secret-prod

This restarted the deployment with the argument in the correct place.

Now I can use ingresses without specifying the tls.secretName for each of them, which is awesome.

Here's an example ingress that is working for me with HTTPS:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: some-ingress-name
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
  - http:
      paths:
      - path: /some-prefix
        pathType: Prefix
        backend:
          service:
            name: some-service-name
            port:
              number: 80

solution2
 0  2022-02-15 13:39:19

You can save your SSL/TLS certificate into the K8s secret and attach it to the ingress .

you need to config the TLS block in ingress, dont forget to add ingress.class details in ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata: 
  name: tls-example-ingress
spec: 
  rules: 
    - host: mydomain.com
      http: 
        paths: 
          - 
            backend: 
              serviceName: my-service
              servicePort: 80
            path: /
  tls: 
    - hosts: 
        - mydomain.com
      secretName: my-tls-secret

You can read more at: https://medium.com/avmconsulting-blog/how-to-secure-applications-on-kubernetes-ssl-tls-certificates-8f7f5751d788

You might be seeing something like this in browser:

在此处输入图像描述

that's from the ingress controller and wrong certificate attached to ingress or ingress controller default fake cert .

solution3
 0  2022-09-29 09:17:30

Also don't forget to check that Subject Alternative Name actually contains the same value the CN contains. If it does not, the certificate is not valid because the industry moves away from CN. Just learned this now

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure App Service Certificate ssl to AKS ingress Setting up aws ssl certificate via kubernetes Getting SSL certificate for AWS EB AKS Istio Ingress gateway Certificate is not valid Ssl certificate on a tcp load balancer? SSL Certificate for Firebase Cloud Functions Using the AWS SSL certificate in JMeter AWS CLI - [SSL : CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056) SSL certificate problem: unable to get local issuer certificate AZURE DEVOPS AWS MSK SSL Certificate Subject Alternative Name
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM