Ingress controller TLS with wildcard certificate #242
Comments
May be a dup of #195
Mh, I don't think it's a duplicate because I am using it as a default certificate with:
What exactly is
@janhommes What's the structure of your cert? Can you post the X509 PEM (only the public key) somewhere, so I can take a deeper look? Thanks!
The structure is the following:
I tested it with traefik-ingress-controller and there it works.
@janhommes it seems to be something with EC (elliptic curve) certificates (I guess, not sure). What's the version of ingress controller you've used? Maybe this was compiled with go 1.6. Need to check if compiling with go 1.7 solves the problem.
@rikatz I used
@janhommes I've created a nginx ingress controller based on 0.9.0-beta.1, but compiled with go1.7.4. Can you test this, and check if the problem persists? The image is rpkatz/nginx-ingress-controller-go17:0.9.0-beta1
@rikatz sorry, the problem still exists. Interestingly, it shows the above error for every certificate in my cluster, even when I don't use it in an ingress.
@janhommes after reading some other issues in other software, a question: Is your private key encrypted (requesting a password)?
@janhommes I could reproduce this here with a simple program trying to parse an X509 certificate, but with the key BEFORE the cert. Don't know if this still happens on a valid kubernetes program, so I'll keep looking at this, trying to reproduce and see if this is a problem with an encrypted private key or with the certificate concatenation order.
@rikatz My private key is not encrypted. It's just a plain text file in the format above. So you mean I can get around this problem by changing the order of the key and certificate in the file? I switched to Traefik and there the cert is working. But I prefer to use the nginx controller.
I'm verifying this and will answer asap
Ricardo P. Katz
> On 1 Mar 2017, at 05:32, Jan Hommes ***@***.***> wrote:
>
> @rikatz My private key is not encrypted. It's just a plain text file in the format above. So you mean I can get around this problem by changing the order of the key and certificate in the file?
> I switched to Traefik and there the cert is working. But I prefer to use the nginx controller.
@janhommes I've verified in your post earlier and yes, it's probably because the RSA key is appearing before the certs. Just to know, how are you creating the TLS secret for the ingress controller? According to the ingress code, the cert is always written BEFORE the key, as in the following: https://github.com/kubernetes/ingress/blob/master/core/pkg/net/ssl/ssl.go#L46 and then https://github.com/kubernetes/ingress/blob/master/core/pkg/net/ssl/ssl.go#L54 It's strange that the certificate inside the ingress contains the key before the cert :) I'll wait for your answer before committing new code like the following, as it seems the secret is not being created correctly :)

```go
pemBlock, restBlock := pem.Decode(pemCerts)
if pemBlock == nil {
	return nil, fmt.Errorf("No valid PEM formatted block found")
}
// Skip any leading non-certificate blocks (e.g. a private key placed before the cert).
for pemBlock.Type != "CERTIFICATE" {
	pemBlock, restBlock = pem.Decode(restBlock)
	if pemBlock == nil {
		// Guard against a nil dereference when no CERTIFICATE block follows.
		return nil, fmt.Errorf("No CERTIFICATE block found in PEM data")
	}
}
```

Thanks!
@rikatz Now it's working! Thanks. I was using a .crt with a private key included (as shown here). My tls.crt was looking like this: And my tls.key: I removed the RSA PRIVATE KEY part in the tls.crt and now the ingress controller is working. I used this command to create it: Maybe it is just because I misunderstand the whole .crt, .pem, .key stuff. But for example nginx supports this format, maybe the ingress controller should be flexible enough to support this format. Thanks for your help!
@janhommes Glad to hear this :) here is an example of the creation of these certs also. As NGINX supports this format (actually, the final file created in the ingress-controller container is a concatenation of the cert and key file), it's necessary to make sure ingress is universal. Anyway, I think it's a good idea to verify if the generated file starts with 'BEGIN CERTIFICATE' and give the user a warning if it doesn't find what is expected, instead of issuing a generic Go error. Will open a PR to make at least this verification.
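As an added example (not the thread's or the ingress project's code): a stand-alone Go program that builds a constructed key-before-cert PEM bundle from a throwaway EC key, shows that parsing the first PEM block as a certificate fails the way this thread describes, and applies the block-skipping fix proposed above together with the clearer error that rikatz suggests instead of a generic Go parse error. Function names and the self-signed test certificate are my own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)
// FirstCertificate is the strict behaviour: the first PEM block is parsed as a cert, so key-first fails.
func FirstCertificate(bundle []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(bundle)
	if block == nil {
		return nil, fmt.Errorf("no valid PEM formatted block found")
	}
	return x509.ParseCertificate(block.Bytes)
}
// TolerantCertificate skips non-CERTIFICATE blocks (e.g. a leading private key) and errors clearly if none exist.
func TolerantCertificate(bundle []byte) (*x509.Certificate, error) {
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			return nil, fmt.Errorf("no CERTIFICATE block found in PEM data (is the key before the cert?)")
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		bundle = rest // skip the non-certificate block and keep looking
	}
}
// KeyFirstBundle returns a constructed throwaway EC key + self-signed cert, PEM-encoded with the key BEFORE the cert.
func KeyFirstBundle() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
}
func main() {
	bundle := KeyFirstBundle()
	_, strictErr := FirstCertificate(bundle)
	_, tolerantErr := TolerantCertificate(bundle)
	fmt.Println("strict:", strictErr, "\ntolerant:", tolerantErr) // strict errors out, tolerant is <nil>
}
```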
@janhommes @aledbf I think this one can be closed :) |
@janhommes Please reopen if you still have issues |
@rikatz you're a rock star!
I try to add a wildcard certificate as the default TLS certificate but I get the following error message:
I get the same message if I use it only on an ingress rule, but not if I use a self-signed cert. This certificate works in another nginx installation. Is this a bug or is my cert misconfigured?