Keep loading the Ingress Controller Fake Certificate



Cluster Information

Kubernetes version: 1.11.9
Cloud being used: AKS
Client Version: v1.12.2
Server Version: v1.11.9


To secure ingress with a TLS certificate, we referred to the document below to create the Kubernetes secret (TLS).

We have confirmed that our certificate is valid, and it has been running without issue for over a few months.

In the middle of April, we didn't make any changes to Kubernetes, but it keeps loading the Ingress Controller Fake Certificate instead of our certificate. Because of this, we couldn't access any services in any namespace in AKS through Ingress.

We first had to remove all ingress components with kubectl delete -f IngressProvisionYAML, then re-provision ingress, and finally the services resumed. (We didn't re-create the TLS secret; we still use the same one.)

Would anyone have an idea why this happened and how to prevent it?

Ingress YAML

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deatest
  namespace: deatest
  annotations: nginx / "false" "false" "false"
spec:
  tls:
  - hosts:
    secretName: ingress-companydomain-tls
  rules:
  - host:
    http:
      paths:
      - path: /deatraining
        backend:
          serviceName: deatraining
          servicePort: 80
      - path: /deatraining06
        backend:
          serviceName: deatraining06
          servicePort: 80
      - path: /dotnetwebapi
        backend:
          serviceName: dotnetapi-service
          servicePort: 80

Error Log

In the ingress controller log, we found 2 related errors.

E0414 08:02:15.231803 7 leaderelection.go:252] error retrieving resource lock kube-system/ingress-controller-leader-nginx: configmaps "ingress-controller-leader-nginx" is forbidden: User "system:serviceaccount:kube-system:ingress-service-account" cannot get configmaps in the namespace "kube-system"

E0414 08:02:25.312695 7 backend_ssl.go:161] Error generating CA certificate chain for Secret "deatest/ingress-api-companydomain-com-hk-tls": Invalid certificate.


We used companydomain in place of our actual company domain in the above YAML and log.

Thanks all.
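
A log-triage sketch for the two error types quoted in the post, as an added example that is not part of the original post or of the ingress controller's own code: it parses klog-format controller lines and groups the TLS secrets rejected in backend_ssl.go and the RBAC denials. The function name `triage`, the sample lines, the secret name demo/example-tls and the service account example-sa are constructed for illustration.

```python
import re
from collections import defaultdict

# klog header: severity letter, MMDD, time, PID, source file:line, then the message.
KLOG = re.compile(
    r'^(?P<sev>[IWEF])(?P<date>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?P<pid>\d+) (?P<src>[\w.]+):(?P<line>\d+)\] (?P<msg>.*)$')
QUOTES = str.maketrans({'\u201c': '"', '\u201d': '"'})  # undo curled quotes from pasted logs
SECRET_ERR = re.compile(r'for Secret "(?P<ns>[^/"]+)/(?P<name>[^"]+)": (?P<why>.+)$')
RBAC_ERR = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<res>\w+) in the namespace "(?P<ns>[^"]+)"')

def triage(lines):
    """Group error lines into rejected TLS secrets and RBAC denials."""
    rejected, denials = defaultdict(list), []
    for raw in lines:
        m = KLOG.match(raw.strip().translate(QUOTES))
        if not m or m["sev"] not in "EF":
            continue  # not klog, or only informational
        msg = m["msg"]
        s = SECRET_ERR.search(msg)
        if s and m["src"] == "backend_ssl.go":
            key = f'{s["ns"]}/{s["name"]}'
            rejected[key].append((m["date"], m["time"], s["why"].rstrip(".")))
            continue
        r = RBAC_ERR.search(msg)
        if r and "is forbidden" in msg:
            denials.append((r["user"], r["verb"], r["res"], r["ns"]))
    return {"rejected_secrets": dict(rejected), "rbac_denials": denials}

# Constructed sample lines in the same shape as the two errors quoted in the post.
SAMPLE = [
    'I0414 08:02:10.000001 7 controller.go:100] backend reload required',
    'E0414 08:02:15.231803 7 leaderelection.go:252] error retrieving resource lock kube-system/example-lock: configmaps "example-lock" is forbidden: User "system:serviceaccount:kube-system:example-sa" cannot get configmaps in the namespace "kube-system"',
    'E0414 08:02:25.312695 7 backend_ssl.go:161] Error generating CA certificate chain for Secret “demo/example-tls”: Invalid certificate.',
    'E0414 08:03:25.000002 7 backend_ssl.go:161] Error generating CA certificate chain for Secret "demo/example-tls": Invalid certificate.',
]

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for secret, hits in rep["rejected_secrets"].items():
        print(f"secret {secret}: rejected {len(hits)}x, first at {hits[0][0]} {hits[0][1]} ({hits[0][2]})")
    for user, verb, res, ns in rep["rbac_denials"]:
        print(f"RBAC: {user} cannot {verb} {res} in {ns}")
```
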