I got this error when accessing from outside, due to no valid CA, with openssl s_client -showcerts:

    verify depth is 32
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
    verify error:num=18:self-signed certificate
    verify return:1
    depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
    verify return:1
    ---
    Certificate chain
     0 s:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
       i:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

I have nginx controller as ingress
It is working according to the logs, but I am not able to tell the nginx ingress uses the certificate:

    I0724 23:26:56.189668 7 store.go:429] "Found valid IngressClass" ingress="io***/ro-eu-" ingressclass="public"
    I0724 23:26:56.189924 7 event.go:285] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"io***", Name:"ro-eu-", UID:"d3b7dc77-63f1-4d53-a032-28c7a86e3a52", APIVersion:"networking.k8s.io/v1", ResourceVersion:"13029013", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
    I0724 23:26:56.190474 7 controller.go:166] "Configuration changes detected, backend reload required"
    I0724 23:26:56.262956 7 controller.go:183] "Backend successfully reloaded"

The certificate is valid:

      Issuer Ref:
        Kind:       ClusterIssuer
        Name:       letsencrypt-of-dns
      Secret Name:  wildcard-*-domain-net
    Status:
      Conditions:
        Last Transition Time:  2022-07-21T10:15:20Z
        Message:               Certificate is up to date and has not expired
        Observed Generation:   2
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2022-10-19T09:15:17Z
      Not Before:              2022-07-21T09:15:18Z
      Renewal Time:            2022-09-19T09:15:17Z
      Revision:                2

Ingress.yaml:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      namespace: io***
      name: ro**-eu-**
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
        cert-manager.io/cluster-issuer: "letsencrypt-cf-dns"
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/configuration-snippet: |-
          proxy_ssl_server_name on;
          proxy_ssl_name $host;
    spec:
      ingressClassName: public
      rules:
      - host: ro**-eu-**.names.domain.net
      - http:
          paths:
          - path: /*
            pathType: Prefix
            backend:
              service:
                name: ro**-eu-**
                port:
                  number: 443

Try:

    ...
      ingressClassName: public
      tls:    # <-- tell ingress-nginx to use this cert
      - hosts:
        - ro**-eu-**.names.domain.net
        secretName: <name your secret to hold the cert>
      rules:
      - host: ro**-eu-**.names.domain.net
        http:    # <-- Here, no '-'
    ...
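
As an added example (not part of the original question or answer), the following Python check flags the two manifest problems the answer points out: a missing `tls` entry for the rule's host, which is when ingress-nginx serves its default "Fake Certificate", and a rule whose `host` and `http` were split into separate list items. The manifests are constructed dicts in the shape a YAML parser would return; the host `app.example.net`, the secret name, the function names, and the single-label wildcard matching are assumptions.

```python
# Added example: lint an Ingress spec (already parsed to a dict) for the two
# mistakes discussed above. Hostnames and the secret name are constructed.

def tls_covers(pattern, host):
    """Match a tls.hosts entry against a rule host; '*.' covers one label (assumed)."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def lint_ingress(ingress):
    """Return a list of human-readable findings; empty list means no issue found."""
    findings = []
    spec = ingress.get("spec", {})
    tls = spec.get("tls") or []
    for i, rule in enumerate(spec.get("rules") or []):
        host, http = rule.get("host"), rule.get("http")
        if host and not http:
            findings.append(f"rules[{i}]: host '{host}' has no http paths (stray '-' before http?)")
        if http and not host:
            findings.append(f"rules[{i}]: http paths without a host match every hostname")
        if host:
            entries = [t for t in tls
                       if any(tls_covers(p, host) for p in t.get("hosts") or [])]
            if not entries:
                findings.append(f"rules[{i}]: no tls entry covers '{host}', "
                                "the controller's default certificate will be served")
            elif not all(t.get("secretName") for t in entries):
                findings.append(f"rules[{i}]: tls entry for '{host}' has no secretName")
    return findings

PATHS = {"paths": [{"path": "/", "pathType": "Prefix",
                    "backend": {"service": {"name": "app", "port": {"number": 443}}}}]}

# Shape of the manifest in the question: no tls block, host and http split in two rules.
BROKEN = {"spec": {"ingressClassName": "public",
                   "rules": [{"host": "app.example.net"}, {"http": PATHS}]}}

# Shape of the manifest in the answer: tls block added, host and http in one rule.
FIXED = {"spec": {"ingressClassName": "public",
                  "tls": [{"hosts": ["*.example.net"], "secretName": "wildcard-example-net"}],
                  "rules": [{"host": "app.example.net", "http": PATHS}]}}

if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_ingress(manifest) or "OK")
```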