Keep loading the Ingress Controller Fake Certificate

Hi,

Cluster Information

Kubernetes version: 1.11.9
Cloud being used: AKS
Client Version: v1.12.2
Server Version: v1.11.9

Background

For secure ingress with a TLS certificate, we referred to the documents below to create the Kubernetes TLS secret.

https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
https://kubernetes.github.io/ingress-nginx/user-guide/tls/

We have confirmed that our certificate is valid, and it had been running without issue for a few months.

In the middle of April, we didn't make any changes to Kubernetes, but it kept loading the Ingress Controller Fake Certificate instead of our certificate, which meant we couldn't access any services in any namespace in AKS through the Ingress.

We had to first remove all ingress components with kubectl delete -f IngressProvisionYAML, then re-provision the ingress; only then did the services resume. (We didn't re-create the TLS secret; we still use the same one.)

Would anyone have an idea why this happened and how to prevent it?

Ingress YAML

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deatest
  namespace: deatest
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
spec:
  tls:
  - hosts:
    - ingress201.api.companydomain.com.hk
    secretName: ingress-companydomain-tls
  rules:
  - host: ingress201.api.companydomain.com.hk
    http:
      paths:
      - path: /deatraining
        backend:
          serviceName: deatraining
          servicePort: 80
      - path: /deatraining06
        backend:
          serviceName: deatraining06
          servicePort: 80
      - path: /dotnetwebapi
        backend:
          serviceName: dotnetapi-service
          servicePort: 80

Error Log

In the ingress controller log, we found 2 related errors.

E0414 08:02:15.231803 7 leaderelection.go:252] error retrieving resource lock kube-system/ingress-controller-leader-nginx: configmaps "ingress-controller-leader-nginx" is forbidden: User "system:serviceaccount:kube-system:ingress-service-account" cannot get configmaps in the namespace "kube-system"

E0414 08:02:25.312695 7 backend_ssl.go:161] Error generating CA certificate chain for Secret "deatest/ingress-api-companydomain-com-hk-tls": Invalid certificate.

Remark

companydomain is used in place of our actual company domain in the YAML and log above.

Thanks all.
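The second log line shows the controller rejecting the secret's certificate and falling back to its fake one. The following Go program is an added example (not from this post or from ingress-nginx) that performs the same checks on the tls.crt / tls.key PEM of a kubernetes.io/tls secret: key matches certificate, leaf inside its validity window, SANs cover the ingress host. The selfSignedPair fixture and the hostnames are constructed for the demo; in practice feed it the output of kubectl get secret NAME -o jsonpath='{.data.tls\.crt}' | base64 -d and the matching tls.key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckTLSPair validates the tls.crt / tls.key PEM of a kubernetes.io/tls Secret
// the way ingress-nginx must before serving it; any failure is a reason for the
// controller to fall back to the "Kubernetes Ingress Controller Fake Certificate".
func CheckTLSPair(certPEM, keyPEM []byte, host string, now time.Time) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects bad PEM and key/cert mismatch
	if err != nil {
		return fmt.Errorf("cert/key pair rejected: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed OK by X509KeyPair
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (NotAfter %s)", now.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return fmt.Errorf("host %q not covered: %w", host, err)
	}
	return nil
}

// selfSignedPair is a constructed fixture (not a real certificate): tls.crt and
// tls.key PEM for host, valid for the year ending at notAfter.
func selfSignedPair(host string, notAfter time.Time) (certPEM, keyPEM []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	host, now := "ingress201.api.companydomain.com.hk", time.Now()
	crt, key := selfSignedPair(host, now.AddDate(0, 0, 30))
	fmt.Println("fresh:", CheckTLSPair(crt, key, host, now), "| wrong host:", CheckTLSPair(crt, key, "other.example", now))
}
```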