NGINX Ingress controller version: 0.10.0
Kubernetes version (use kubectl version):
1.9.2
Environment: local setup
Kernel (e.g. uname -a): 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
What happened:
when deploying the 0.10.0 version of the ingress controller it seems the --default-ssl-certificate flag is ignored
our ingress controller deployment arguments snippet:
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: POD_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
    args:
      - /nginx-ingress-controller
      - --default-ssl-certificate=$(POD_NAMESPACE)/tls-ingress
      - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
      - --configmap=$(POD_NAMESPACE)/nginx-custom-configuration
      - --annotations-prefix=ingress.kubernetes.io
      - --v=5
when using version 0.9.0 the tls.crt and tls.key in the tls-ingress secret are used
when using version 0.10.0 it is ignored and an auto-generated certificate is used
if I search the debug logs in both cases in 0.9.0 version I find
I0123 10:07:25.830409 5 ssl.go:58] Creating temp file /ingress-controller/ssl/pnu-dev-ingressprototype-tls-ingress.pem567161102 for Keypair: pnu-dev-ingressprototype-tls-ingress.pem
I0123 10:07:25.831496 5 backend_ssl.go:102] found 'tls.crt' and 'tls.key', configuring pnu-dev-ingressprototype/tls-ingress as a TLS Secret (CN: [ingress-controller ingress-controller.pnu-dev-ingressprototype <and other cn's in the tls.crt> ])
in log of version 0.10.0 there is not one line mentioning the use of the default cert it just uses the auto generated one
also if checking the running pod of the controller the 0.9.0 has the following .pem files in /ingress-controller/ssl/
default-fake-certificate.pem pnu-dev-ingressprototype-tls-ingress.pem
and some extra ones holding certs for specific host ingress rules that have defined their own tls secret
in 0.10.0 there is just the default-fake-certificate.pem and the extra ones for ingress rules holding their own tls secret
What you expected to happen:
the controller should use the default-ssl-certificate secret
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know:
Closing. Please use the latest release 0.10.1. Reopen if the issue persists after the update
Thanks for pushing 0.10.1 and I have tried it. But the problem described in this issue still persists.
The image I have tried: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.10.1.
The certificate specified in --default-ssl-certificate is still missing in /ingress-controller/ssl directory.
also tested with 0.10.1
issue stays, and behavior is exactly the same as with 0.10.1
@skippie81 @cheungpat please use quay.io/aledbf/nginx-ingress-controller:0.321
just tested with the version quay.io/aledbf/nginx-ingress-controller:0.321
and now it works.
logs also showing again the creation of the pem file as in 0.9.0
I0125 13:17:59.354218 5 backend_ssl.go:44] starting syncing of secret pnu-dev-ingressprototype/tls-ingress
I0125 13:17:59.354250 5 ssl.go:58] Creating temp file /ingress-controller/ssl/pnu-dev-ingressprototype-tls-ingress.pem276006694 for Keypair: pnu-dev-ingressprototype-tls-ingress.pem
I0125 13:17:59.354866 5 ssl.go:112] parsing ssl certificate extensions
I0125 13:17:59.354958 5 backend_ssl.go:106] found 'tls.crt' and 'tls.key', configuring pnu-dev-ingressprototype/tls-ingress as a TLS Secret (CN: [ingress-controller .... ])
I0125 13:17:59.354974 5 backend_ssl.go:68] adding secret pnu-dev-ingressprototype/tls-ingress to the local store
Also tested with quay.io/aledbf/nginx-ingress-controller:0.321 and it works. Thanks!
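The check the reporters did by hand in this thread (look for the "configuring ... as a TLS Secret" log line and for the secret's .pem file in /ingress-controller/ssl/), as an added example that is not part of the original thread or the ingress-nginx project. The function names are hypothetical, and the sample log lines and directory listings are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example: decide from controller logs and the ssl directory listing
# whether the secret named in --default-ssl-certificate was actually loaded.

# Constructed sample input, modelled on the log lines quoted in this thread.
LOG_LOADED="I0125 13:17:59.354218 5 backend_ssl.go:44] starting syncing of secret pnu-dev-ingressprototype/tls-ingress
I0125 13:17:59.354958 5 backend_ssl.go:106] found 'tls.crt' and 'tls.key', configuring pnu-dev-ingressprototype/tls-ingress as a TLS Secret (CN: [ingress-controller])"
LOG_IGNORED="I0123 10:07:25.831496 5 backend_ssl.go:102] found 'tls.crt' and 'tls.key', configuring pnu-dev-ingressprototype/other-host as a TLS Secret (CN: [other])"
LS_LOADED="default-fake-certificate.pem pnu-dev-ingressprototype-tls-ingress.pem"
LS_IGNORED="default-fake-certificate.pem pnu-dev-ingressprototype-other-host.pem"

# log_has_secret NAMESPACE/NAME   (log text on stdin)
# True when the controller logged that it configured this exact secret.
log_has_secret() {
    grep -F -q -- "configuring $1 as a TLS Secret"
}

# dir_has_pem NAMESPACE/NAME LISTING
# True when the listing contains <namespace>-<name>.pem, the file name
# the thread shows in /ingress-controller/ssl/.
dir_has_pem() {
    pem="$(printf '%s' "$1" | tr '/' '-').pem"
    for f in $2; do
        [ "$f" = "$pem" ] && return 0
    done
    return 1
}

# default_cert_status NAMESPACE/NAME LOG LISTING -> prints loaded|fallback
default_cert_status() {
    if printf '%s\n' "$2" | log_has_secret "$1" && dir_has_pem "$1" "$3"; then
        echo loaded
    else
        # Neither signal present: only default-fake-certificate.pem is available.
        echo fallback
    fi
}

default_cert_status pnu-dev-ingressprototype/tls-ingress "$LOG_LOADED" "$LS_LOADED"
default_cert_status pnu-dev-ingressprototype/tls-ingress "$LOG_IGNORED" "$LS_IGNORED"
```

Against a live controller, the log text would come from `kubectl logs` on the controller pod (run with --v=5 as in the report) and the listing from `ls /ingress-controller/ssl/` inside that pod.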