Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable-ssl-chain-completion=false not respected #1977

Closed
magowant opened this issue Jan 25, 2018 · 5 comments · Fixed by #1978
Closed

enable-ssl-chain-completion=false not respected #1977

magowant opened this issue Jan 25, 2018 · 5 comments · Fixed by #1978

Comments

@magowant
Copy link

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

NGINX Ingress controller version: 0.10.1

Kubernetes version (use kubectl version): 1.8.3

Environment:

  • Cloud provider or hardware configuration: VSphere
  • OS (e.g. from /etc/os-release): RHEL 7.4
  • Kernel (e.g. uname -a):3.10.0-693.2.2.el7.x86_64
  • Install tools:
  • Others:
    nginx-ingress-controller argument: --enable-ssl-chain-completion=false

What happened:
Upgrading from 0.8.3 to 0.10.1 failed to generate certs for all of our ingress rules, with the following error:

E0125 07:17:42.342892 5 backend_ssl.go:146] unexpected error generating SSL certificate with full intermediate chain CA certs: Get ldap:///***redacted Active Directory DN*** : unsupported protocol scheme "ldap"

Our x509 certs do not include the full cert chain (which I know is not correct, but 0.8.3 handled this gracefully). The certs do contain the following AIA

Authority Information Access [1]:
    Access Method: CA Issuers (1.3.6.1.5.5.7.48.2)
    Access Location:
        URI: ldap:///***redacted Active Directory DN***

It seems that the nginx-ingress-controller is attempting to download the cert from the ldap URL despite --enable-ssl-chain-completion=false.

What you expected to happen:
No attempt should be made to automatically complete the certificate chain, just use the certificate as supplied in the ingress secret.

How to reproduce it (as minimally and precisely as possible):
I can supply a test certificate / key pair on request.

Anything else we need to know:
@magowant magowant changed the title enable-ssl-chain-completion not respected enable-ssl-chain-completion=false not respected Jan 25, 2018
@aledbf
Copy link
Member

aledbf commented Jan 25, 2018

@magowant please use quay.io/aledbf/nginx-ingress-controller:0.321

@aledbf aledbf mentioned this issue Jan 25, 2018
Merged
@swade1987
Copy link

swade1987 commented Jan 25, 2018
edited
Loading

@magowant looks like from what @aledbf is saying the fix is #1978 but was not released in 0.10.1.

@swade1987
Copy link

@magowant i'd go back to using 0.9.0 until this fix is merged into a newer 0.10 release.

@magowant
Copy link
Author

I've tested quay.io/aledbf/nginx-ingress-controller:0.321 and it fixed the issue - thanks

@swade1987
Copy link

@magowant are you going to stick with this quay.io/aledbf/nginx-ingress-controller:0.321 or wait for the official release?

@marcoceppi marcoceppi mentioned this issue May 15, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix chain completion and default certificate flag issues aledbf/ingress-nginx
3 participants
@aledbf @swade1987 @magowant