Ingress-nginx: x509: certificate is valid for ingress.local and not valid for other server defined using regex

Created on 7 Oct 2019 · 17Comments · Source: kubernetes/ingress-nginx

We work with regex support on server_name, for example:
server_name ~^myservername-(?_.+).org.com

We use $sub to define the nginx location, for example:
/api/docker/$sub/v2/$1

When using SSL dynamic mode on version 0.26.0 and the TLS is not recognized.
Error response from daemon: Get https://myservername-abc.org.com: x509: certificate is valid for ingress.local, not myservername-abc.org.com

This works for us with 0.24.0 or lower.
Also, it works when we define the server_alias with non regex expression, but we need to use the regex for our setup.

lifecyclrotten

Source

anastasiagrinman

👍4

Most helpful comment

Does this work for cert-manager? I get the same error when installing rancher with cert-manager

Full description of how I'm installing and deploying, here:
https://github.com/rancher/rancher/issues/25827

ainiml on 2 Mar 2020

👍2

All 17 comments

Same here

joaomantovani on 21 Nov 2019

Any solutions?

alphara on 24 Nov 2019

Same issue here. Anyone solve this?

r9labs on 12 Dec 2019

Yes, I have solved the issue with using the valid certificate for the docker registry. Self-signed certificates do not work. Only valid certificate works. Kubernetes has an ability to sign and approve certificates.

alphara on 12 Dec 2019

👀2

Does this work for cert-manager? I get the same error when installing rancher with cert-manager

Full description of how I'm installing and deploying, here:
https://github.com/rancher/rancher/issues/25827

ainiml on 2 Mar 2020

👍2

Hi all. I;m stuck here too!

jerry3k on 6 Mar 2020

What's the reason

ghost on 31 Mar 2020

ddavtian on 10 May 2020

You could issue and sign a certificate for the Nginx ingress, docker registry and other services with help of the Kubernetes.

Download and install CFSSL

brew install cfssl

Create a Certificate Signing Request

mkdir cert && cd cert/

cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "myservername-abc.org.com",
    "registry.myservername-abc.org.com",
    "myapp.myservername-abc.org.com",
    "subdomain.myservername-abc.org.com"
  ],
  "CN": "myservername-abc.org.com",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

Create a Certificate Signing Request (CSR) object to send to the Kubernetes API

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: myservername-abc.org.com
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

Describe CSR

kubectl describe csr myservername-abc.org.com

Get the Certificate Signing Request Approved

kubectl certificate approve myservername-abc.org.com

Download the Certificate and Use It

kubectl get csr
kubectl get csr myservername-abc.org.com -o jsonpath='{.status.certificate}' | base64 --decode > server.crt

Check the TLS certificate and CSR

openssl x509 -noout -text -in server.crt
openssl req -text -noout -verify -in server.csr

Create a secret with the TLS certificate

kubectl create secret tls nginx-ingress-tls-secret --key server-key.pem --cert server.crt

Info

alphara on 11 May 2020

@alphara I did all what you suggested, but still getting the same error. Is there a way for me to get the faulty certificate ? Because reading "this certificate is valid for... not for" and not knowing which cert it is, is not very helpful ^^
Here is the log I get:

kubectl get pods -v=10                   
I0617 08:42:45.331125    5622 loader.go:375] Config loaded from file:  /Users/lucas/.kube/config
I0617 08:42:45.331814    5622 round_trippers.go:423] curl -k -v -XGET  -H "User-Agent: kubectl/v1.18.3 (darwin/amd64) kubernetes/2e7996e" -H "Accept: application/json, */*" 'https://192.168.99.100:8443/api?timeout=32s'
I0617 08:42:45.331854    5622 round_trippers.go:423] curl -k -v -XGET  'https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration'
I0617 08:42:45.335723    5622 round_trippers.go:443] GET https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration  in 3 milliseconds
I0617 08:42:45.335735    5622 round_trippers.go:449] Response Headers:
I0617 08:42:45.335743    5622 round_trippers.go:443] GET https://192.168.99.100:8443/api?timeout=32s  in 3 milliseconds
I0617 08:42:45.335746    5622 round_trippers.go:449] Response Headers:
/*see this line ->*I0617 08:42:45.335778    5622 cached_discovery.go:121] skipped caching discovery info due to Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I0617 08:42:45.336104    5622 round_trippers.go:423] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.18.3 (darwin/amd64) kubernetes/2e7996e" 'https://192.168.99.100:8443/api?timeout=32s'
I0617 08:42:45.336131    5622 round_trippers.go:423] curl -k -v -XGET  'https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration'
I0617 08:42:45.338656    5622 round_trippers.go:443] GET https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration  in 2 milliseconds
I0617 08:42:45.338665    5622 round_trippers.go:449] Response Headers:
I0617 08:42:45.338671    5622 round_trippers.go:443] GET https://192.168.99.100:8443/api?timeout=32s  in 2 milliseconds
I0617 08:42:45.338674    5622 round_trippers.go:449] Response Headers:
/*see this line ->*I0617 08:42:45.338737    5622 cached_discovery.go:121] skipped caching discovery info due to Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I0617 08:42:45.338751    5622 shortcut.go:89] Error loading discovery information: Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal

I would greatly appreciate any help on this !

Bonjour123 on 17 Jun 2020

Hi @Bonjour123,

I assume you solve a different problem but try to include IP address 192.168.99.100 to the list of the hosts for issuing a certificate. It would be even more secure to create a subdomain for the IP address, and then you include a subdomain into the lists of hosts.

alphara on 20 Jun 2020

Ok, I will surely try. Thanks for the help !

Bonjour123 on 28 Jun 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 26 Sep 2020

@Bonjour123,

You need to issue your certificate with CN and hosts set to keycloak.devlocal instead of ingress.local. Also, you may need to have a cert-manager deployed.

alphara on 26 Sep 2020

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot on 26 Oct 2020

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 25 Nov 2020

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.