Charts: [stable/kubernetes-dashboard] TLS handshake error: first record does not look like a TLS handshake

Created on 16 Mar 2018  ·  6 Comments  ·  Source: helm/charts

Is this a request for help?: Yes, as the chart is not working as expected.


Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Version of Helm and Kubernetes: helm version is 2.8.1 and kubernetes version is 1.8.6

Which chart: kubernetes-dashboard

What happened:
I have installed kubernetes-dashboard using helm. The command used was

helm install --name kubernetes-dashboard stable/kubernetes-dashboard --namespace kube-system --set rbac.create=false --set ingress.enabled=true

But then when I am accessing it using the ingress hostname, it's giving an SSL-related error. As per pod logs:

2018/03/16 14:58:41 http: TLS handshake error from 100.96.3.7:56916: tls: first record does not look like a TLS handshake

The ingress looks like

metadata:
  annotations:
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/sign_in
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
  creationTimestamp: 2018-03-16T14:16:48Z
  generation: 3
  labels:
    app: kubernetes-dashboard
    chart: kubernetes-dashboard-0.6.1
    heritage: Tiller
    release: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "4072579"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/ingresses/kubernetes-dashboard
  uid: aa54f4f0-2924-11e8-aedc-0a717f21e61e
spec:
  rules:
  - host: dashboard.atkubernetes-lab.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
        path: /
  tls:
  - hosts:
    - dashboard.atkubernetes-lab.com
    secretName: dashboard-tls

I am able to access the dashboard via API and token, but just via the ingress resource it's not, and it's ending up in the error as I mentioned above.

What you expected to happen:
I am expecting to have the dashboard rendering properly when accessed via https://dashboard.atkubernetes-lab.com.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:
It could be a config issue on my side, but any insights would be of great help. I am using kubernetes-dashboard on a few of my other clusters, which are installed using helm. But they are not on the latest version, in the sense that it's using the image from before port 443 was enforced.

Thanks

All 6 comments

The problem is that ingress is redirecting to HTTP while dashboard by default is expecting HTTPS, so you should add this to your ingress annotations:
nginx.ingress.kubernetes.io/secure-backends: "true"

It is currently not possible to set this configuration via the CLI. Helm converts "true" to boolean. With the future Helm 2.9.0 release, one will be able to force this configuration as a string using the "--set-string" option.

For example:
helm install stable/kubernetes-dashboard --set-string ingress.annotations."nginx\.ingress\.kubernetes\.io/secure-backends"="true"

Until then I suggest adding the 'secure-backends' annotation as a default value within the chart's values.yaml file. At the moment the README states that "kubernetes.io/ingress.class: nginx" is already a default setting. Therefore adding secure-backends should not be too prescriptive either. One is also still required to set ingress.enabled=true.

Will create a PR for this shortly.

Your answer helped me a lot!
Thank you!!! @shahbour

To anyone passing by this issue since v0.21.0
nginx.ingress.kubernetes.io/secure-backends: "true"

has become:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

I have invested almost 1 day to debug this error. Now it got fixed after adding nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" in the ingress annotations below.

annotations:
  kubernetes.io/tls-acme: "true"
  nginx.ingress.kubernetes.io/secure-backends: "true"
  kubernetes.io/ingress.class: "nginx-office"
  certmanager.k8s.io/cluster-issuer: letsencrypt-production
  certmanager.k8s.io/acme-challenge-type: dns01
  certmanager.k8s.io/acme-dns01-provider: prod-dns
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # ingress.kubernetes.io/force-ssl-redirect: 'true'
  ingress.kubernetes.io/ssl-redirect: "true"
  ingress.kubernetes.io/use-port-in-redirects: "true"

@johnraz Thanks Bro

We just ran into this... and had to set the following additional annotations to get it working:

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

Without force-ssl-redirect, we were seeing the same issues.
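
The cause given in the first comment (the proxy speaking plain HTTP to a backend that expects TLS) can be reproduced locally. The Go program below is an added example, not code from this thread or from the chart; it shows the backend-side handshake result for a plaintext upstream and for a TLS upstream. The loopback listener, the throwaway certificate, the `dashboard.example` host and the `ServerHandshakeErr` name are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// ServerHandshakeErr dials a loopback TLS listener (stand-in for the dashboard on 443) once as the proxy.
func ServerHandshakeErr(upstreamTLS bool) error {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // throwaway key, constructed for this demo
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	check(err)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	defer ln.Close()
	c, err := net.Dial("tcp", ln.Addr().String()) // the proxy's upstream connection
	check(err)
	defer c.Close()
	if upstreamTLS { // backend-protocol: "HTTPS" (secure-backends: "true" before v0.21.0)
		// Demo certificate is not verified; a client-side failure still shows up below.
		go tls.Client(c, &tls.Config{InsecureSkipVerify: true}).Handshake()
	} else { // annotation missing: plaintext HTTP is sent to the TLS port
		fmt.Fprint(c, "GET / HTTP/1.1\r\nHost: dashboard.example\r\n\r\n")
	}
	s, err := ln.Accept()
	check(err)
	defer s.Close()
	return s.(*tls.Conn).Handshake() // what the backend would log
}

func main() {
	fmt.Println("plaintext:", ServerHandshakeErr(false), "| TLS:", ServerHandshakeErr(true))
}
```

The plaintext case returns the same `tls: first record does not look like a TLS handshake` error that appears in the pod log above, because the first bytes on the wire are `GET /` rather than a TLS record header.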
