Ingress-nginx: Error generating CA certificate chain

I just noticed this same issue. Our Vault which provides the CA Chain has a internal CA cert for its hostname. How can I add this to the ingress-nginx container so it validates the CA Chain correctly?

I have the same issue with a public certificate where the chain consists of

• my wildcard certificate
• GlobalSign Organization Validation CA
• GlobalSign Root CA

Could it be that the ingress have to know the GlobalSign Root CA to verify the certificate?

The client doesn't have an issue with the certificate as they know the root ca via windows updates.

@SeriousM Did you find a work-around for this? I'm seeing the same issue using a certificate chain exactly as you describe above.

Our solution was to create a certificate that contains the wildcard cert and the validation ca certificate. This version is valid for the browser side and valid for many ssl certificate checker services. The downside is that the ingress service is still complaining a out the invalid chain.

Yeah this is what we're seeing too, after making a cert chain the client side is happy enough but the ingress controller complains about invalid chain

I think the only workaroind which I have done in the past wirh other containers is to either create a custom ingress image where you just bake in your CA cert or do it with an init container somehow. That is until they alow you to pass the nginx controller a custom bundle that it can use.

Does you know how to install root CA in an image?
Can anyone tell me the function that checks for the certificate chain to
reproduce the problem under test conditions?

To do it during a docker build you can do something like this

FROM quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0

USER root

COPY certs.pem /usr/local/share/ca-certificates/certs.crt
RUN update-ca-certificates

USER www-data

I haven't tested it yet though to see if that fixes the error.

but the long term fix would be to allow mounting a ca bundle and passing a flag to the ingress-controller to use it.

It would be enough to install the global root CAs, any way to do that?

+1 same issue for me, the TLS works fine

+1 same issue

+1 same here. works fine, just getting the error

Do we have an ETA on this ?

I have the same issue where we use a custom CA for our internal services.

Using the suggestion by @mitchellmaler, I had to tweak it a little bit:

FROM quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0

USER root

COPY custom-ca.crt /usr/share/ca-certificates/extra/
RUN echo "extra/custom-ca.crt" >> /etc/ca-certificates.conf && update-ca-certificates

USER www-data

This installs the CA properly, however I'm still getting the error messages. Also, it's really tedious to have to maintain our own image for this, it would be awesome if this could be supported natively somehow (if I could actually get rid of the error messages).

@anton-johansson what errors were you seeing?

Same as the OP:

Error generating CA certificate chain for Secret "kube-dashboard/star.svc.example.local": Invalid certificate.
Error generating CA certificate chain for Secret "default/star.svc.example.local": Invalid certificate.

star.svc.example.local is a self-signed certificate with our own custom CA. We use it for all internal services. The certificate is stored as secrets, one secret for each Kubernetes namespace that requires the certificate.

I'm going to take a look at the CLI argument --enable-ssl-chain-completion=false, but I'm not sure what downsides that have.

EDIT: The CLI argument got rid of the error messages. But again, I'm not sure what downsides it has. But it will have to do for now.

We had a similar experience turning it off, but I also didn't pay attention to or dig in to find the side effects of leaving it disabled.

We had to re-enable chain completion due to some additional requirements and used your Dockerfile snippet above and haven't seen any errors in our logs (other than ingress rules with typo'd secret names or the like).

I'll take a look at the Dockerfile in question and see if there was anything different we did that would resolve the errors.

Anybody got any idea about the Side effects for --enable-ssl-chain-completion=false ?

Here we face the issue of having a certificate without the certificate authority running on a Kubernetes. We did following steps:

1) Concatenate both certificate and the certificate authority, in a temp file:

-----BEGIN CERTIFICATE-----
...(here is your certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...(here is your authority certificate)...
-----END CERTIFICATE-----

2) Encode to base64 in terminal:

cat some_temp_file | base64 -w 0

3) Put the resulting base64 in your Ingress deployment configuration at property "data.tls.crt":

apiVersion: v1
data:
  tls.crt: ... <-- here
  tls.key: ...
kind: Secret
metadata:
  name: sslcerts
type: Opaque

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Same issue here. SSLLabs.com reports the following error:

This server's certificate chain is incomplete. Grade capped to B.

I tried using the certificate chain file that was generated from letsencrypt certbot, but creating a secret doesn't work since the certificate chain doesn't match the private key.

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

/remove-lifecycle rotten

+1 same issue for me

+1 same issue for me

Is there a fix for this?

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.

/remove-lifecycle rotten

This issue is still present and still occurs!

/reopen

@SeriousM: You can't reopen an issue/PR unless you authored it or you are a collaborator.

To everyone who still struggles with the CA problem:

You can create a secret with the certificate, key and the ca which builds the ca chain for you:
https://github.com/kubernetes/ingress-nginx/blob/76077ac0271e13da20b5bb04733e4d1b3043665f/docs/examples/auth/client-certs/README.md#creating-certificate-secrets

1. You can create a secret containing CA certificate along with the Server Certificate, that can be used for both TLS and Client Auth.
   kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt

There is no need to annotate the ingress because the secret already has the full information in it.