Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
No
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
PEM, Ca, cert
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT
NGINX Ingress controller version: 0.9
Kubernetes version (use kubectl version): version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.5", GitCommit:"cce11c6a185279d037023e02ac5249e14daa22bf", GitTreeState:"clean", BuildDate:"2017-12-07T16:16:03Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Environment:
uname -a) :4.4.0-103-generic #126-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
What happened:
I created a certificate: openssl genrsa -out dashboard.key 2048 and openssl req -x509 -new -nodes -key dashboard.key -subj "/CN=<myhostname>" -days 3650 -out dashboard.crt
I created a secret: kubectl create secret generic tls kubernetes-dashboard-certs --cert=/path/to/dashboard.crt --key=/path/to/dashboard.key --namespace kube-system
I can see the crt and key values in the secret.
I deploy nginx-ingress-controller from https://github.com/kubernetes/ingress-nginx/tree/master/deploy with rbac.
All pods are running.
I created an Ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  namespace: kube-system
spec:
  tls:
I can not reach dashboard from my hostname
The logs from nginx-ingress-controller:
backend_ssl.go:44] error obtaining PEM from secret kube-system/kubernetes-dashboard-certs: no keypair or CA cert could be found in kube-system/kubernetes-dashboard-certs
What you expected to happen:
I would like to access the dashboard from my hostname
How to reproduce it (as minimally and precisely as possible):
install kubernetes dashboard and nginx ingress controller
Anything else we need to know:
@Ludea please verify the secret contains the keys tls.crt and tls.key
In the Kubernetes secret, there are 2 files in data.
dashboard.key: 1675 bytes
dashboard.crtv : 1127 bytes
@Ludea that's the problem. You need to delete the secret and create a new one with the command
kubectl create secret generic tls kubernetes-dashboard-certs \
--from-file=tls.crt=/path/to/dashboard.crt \
--from-file=tls.key=/path/to/dashboard.key --namespace kube-system
to create a secret with the correct keys in the data section.
I deleted it and created a new one with your example command, but I still have the issue.
The ingress controller pod logs show the same issue.
In the secret description, I still have dashboard.key: 1675 bytes
dashboard.crt : 1127 bytes in data
@aledbf your command creates "tls" secret on my kube, so I removed it and used
$ kubectl delete secrets -n kube-system kubernetes-dashboard-certs
$ kubectl create secret generic kubernetes-dashboard-certs \
--from-file=tls.crt=/path/to/dashboard.crt \
--from-file=tls.key=/path/to/dashboard.key --namespace kube-system
and it seems to work now with nginx ingress
@aledbf
I have followed this https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#creating-the-ca-authentication-secret link and used kubectl create secret generic ca-ingress-tls--namespace=default --from-file=ca.crt=<ca.crt> to create the caingress; after an Ingress-Controller start, it still tells me
W0214 19:54:27.891788 1 backend_ssl.go:44] error obtaining PEM from secret ncr/ca-ingress-tls: error retrieving secret ncr/ca-ingress-tls: secret ncr/ca-ingress-tls was not found
E0214 19:54:27.891802 1 annotations.go:144] error reading CertificateAuth annotation in Ingress ncr/nginx-completion-branch-ssl-ingress: error obtaining certificate: unexpected error: secret ncr/ca-ingress-tls was not found
from https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#creating-the-ca-authentication-secret link, it does say, we can create generic secret with only --from-file=ca.crt=<ca.crt>
so why it still failed here?
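A pre-flight check for the two errors logged in this thread, as an added example that is not part of the original issue or of ingress-nginx: it reads the output of `kubectl get secret -o json` and reports when the data keys are not `tls.crt`/`tls.key` (or `ca.crt`), or when the Secret's namespace/name differs from the reference the controller logs. The function names and the sample Secrets are constructed for illustration.

```python
import base64
import json

# Constructed placeholder PEM bodies (not real key material).
CERT = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n"


def sample_secret(namespace, name, files):
    """Build a constructed Secret shaped like `kubectl get secret -o json`."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in files.items()}
    return json.dumps({"metadata": {"namespace": namespace, "name": name}, "data": data})


def is_pem(b64_value, marker):
    """True if the base64 Secret value decodes to a PEM block of this type."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("ascii", "replace")
    except (ValueError, TypeError):
        return False
    return "-----BEGIN" in text and marker in text


def check_secret(secret_json, wanted_ref):
    """List problems with a Secret the controller looks up as "namespace/name"."""
    secret = json.loads(secret_json)
    meta, data = secret.get("metadata", {}), secret.get("data") or {}
    problems = []
    actual_ref = f"{meta.get('namespace')}/{meta.get('name')}"
    if actual_ref != wanted_ref:
        problems.append(f"secret is {actual_ref}, controller looks up {wanted_ref}")
    # Assumption taken from the thread: a keypair needs tls.crt and tls.key,
    # a CA secret needs ca.crt; any other key names are ignored.
    if not ({"tls.crt", "tls.key"} <= data.keys() or "ca.crt" in data):
        problems.append(f"no tls.crt+tls.key or ca.crt; keys present: {sorted(data)}")
    for key, marker in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY"),
                        ("ca.crt", "CERTIFICATE")):
        if key in data and not is_pem(data[key], marker):
            problems.append(f"{key} does not decode to PEM {marker}")
    return problems


if __name__ == "__main__":
    files = {"dashboard.crt": CERT, "dashboard.key": KEY}  # key names from the report
    bad = sample_secret("kube-system", "kubernetes-dashboard-certs", files)
    print(check_secret(bad, "kube-system/kubernetes-dashboard-certs"))
    ca = sample_secret("default", "ca-ingress-tls", {"ca.crt": CERT})
    print(check_secret(ca, "ncr/ca-ingress-tls"))
```

Pipe a live Secret into `check_secret` together with the `namespace/name` string from the controller's log line; an empty list means the key names, PEM encoding and reference all match.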