Tags: nginx, kubernetes, cert-manager

Set custom certificate to nginx ingress


I got this error when accessing from outside, due to no valid CA, with openssl s_client -showcerts:

verify depth is 32
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=18:self-signed certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify return:1
---
Certificate chain
 0 s:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
   i:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

I have the nginx controller as ingress.

It is working according to the logs, but I am not able to tell whether the nginx ingress uses the certificate:

I0724 23:26:56.189668 7 store.go:429] "Found valid IngressClass" ingress="io***/ro-eu-" ingressclass="public"
I0724 23:26:56.189924 7 event.go:285] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"io***", Name:"ro-eu-", UID:"d3b7dc77-63f1-4d53-a032-28c7a86e3a52", APIVersion:"networking.k8s.io/v1", ResourceVersion:"13029013", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0724 23:26:56.190474 7 controller.go:166] "Configuration changes detected, backend reload required"
I0724 23:26:56.262956 7 controller.go:183] "Backend successfully reloaded"

The certificate is valid:

  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-of-dns
  Secret Name:  wildcard-*-domain-net
Status:
  Conditions:
    Last Transition Time:  2022-07-21T10:15:20Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   2
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-10-19T09:15:17Z
  Not Before:              2022-07-21T09:15:18Z
  Renewal Time:            2022-09-19T09:15:17Z
  Revision:                2

Ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: io***
  name: ro**-eu-**
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    cert-manager.io/cluster-issuer: "letsencrypt-cf-dns"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/configuration-snippet: |-
      proxy_ssl_server_name on;
      proxy_ssl_name $host;
spec:
  ingressClassName: public
  rules:
  - host: ro**-eu-**.names.domain.net
  - http:
      paths:
      - path: /*
        pathType: Prefix
        backend:
          service:
            name: ro**-eu-**
            port:
              number: 443

Solution

  • Try:

    ...
    ingressClassName: public
    
    tls:  # <-- tell ingress-nginx to use this cert
    - hosts:
      - ro**-eu-**.names.domain.net
      secretName: <name your secret to hold the cert>
    
    rules:
      - host: ro**-eu-**.names.domain.net
        http:  # <-- Here, no '-'
          ...
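As an added example (this is not code from the question or the answer, and the namespace, names and hostnames in it are placeholders): a small offline linter that reports the two mistakes the answer fixes, the host and its paths split across two rules by the stray '- http:', and a rule host with no matching spec.tls entry, which is exactly when ingress-nginx falls back to the "Kubernetes Ingress Controller Fake Certificate". It reads the JSON that `kubectl get ingress -A -o json` prints on stdin, or lints the constructed BROKEN sample when run without input. The wildcard matching follows the Ingress spec (a `*.` entry covers one extra label only).

```python
"""Lint Ingress objects for the TLS mistakes discussed above.

Usage:  kubectl get ingress -A -o json | python3 lint_ingress.py
        python3 lint_ingress.py            # lints the constructed sample below
"""
import json
import sys

FAKE_CERT = "Kubernetes Ingress Controller Fake Certificate"


def tls_host_matches(tls_host: str, host: str) -> bool:
    """Match a spec.tls host against a rule host.

    The Ingress spec allows an exact name or a single-label wildcard such as
    '*.names.example.com', which covers 'app.names.example.com' but neither
    'names.example.com' nor 'a.b.names.example.com'.
    """
    if not tls_host.startswith("*."):
        return tls_host == host
    suffix = tls_host[1:]  # ".names.example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def lint_ingress(ing: dict) -> list:
    """Return human-readable findings for one networking.k8s.io/v1 Ingress."""
    meta = ing.get("metadata") or {}
    where = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = ing.get("spec") or {}
    findings = []

    # 1. Collect the hosts that actually have a certificate secret attached.
    tls_hosts = []
    for i, tls in enumerate(spec.get("tls") or []):
        if not tls.get("secretName"):
            findings.append(f"{where}: spec.tls[{i}] has no secretName, so no "
                            f"certificate is loaded and ingress-nginx serves the {FAKE_CERT}")
        tls_hosts.extend(tls.get("hosts") or [])

    # 2. Walk the rules. In the question's manifest the host and the paths sit
    #    in two separate rules because of a stray '- http:'.
    for i, rule in enumerate(spec.get("rules") or []):
        host = rule.get("host")
        paths = (rule.get("http") or {}).get("paths") or []
        if host and not paths:
            findings.append(f"{where}: spec.rules[{i}] names host {host!r} but has no "
                            "http.paths (is the next rule a stray '- http:'?)")
        if paths and not host:
            findings.append(f"{where}: spec.rules[{i}] has http.paths but no host, "
                            "so it answers for every hostname")
        if host and not any(tls_host_matches(t, host) for t in tls_hosts):
            findings.append(f"{where}: host {host!r} is not covered by spec.tls, "
                            f"so ingress-nginx serves the {FAKE_CERT} for it")
        for j, p in enumerate(paths):
            path = p.get("path", "")
            if p.get("pathType") in ("Prefix", "Exact") and "*" in path:
                findings.append(f"{where}: spec.rules[{i}].http.paths[{j}] path {path!r} "
                                f"contains '*', which has no glob meaning for pathType "
                                f"{p['pathType']}; a catch-all Prefix is just '/'")
    return findings


def lint_document(doc: dict) -> list:
    """Accept a single Ingress or the 'List' that `kubectl get ... -o json` emits."""
    items = doc.get("items") if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items or []:
        if item.get("kind") == "Ingress":
            findings.extend(lint_ingress(item))
    return findings


# Constructed sample data; names are placeholders, not the question's.
_BACKEND = {"service": {"name": "app", "port": {"number": 443}}}
BROKEN = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"namespace": "demo", "name": "app"},
    "spec": {"ingressClassName": "public", "rules": [
        {"host": "app.names.example.com"},                       # host, no paths
        {"http": {"paths": [{"path": "/*", "pathType": "Prefix",  # paths, no host
                             "backend": _BACKEND}]}},
    ]},
}
FIXED = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"namespace": "demo", "name": "app"},
    "spec": {"ingressClassName": "public",
             "tls": [{"hosts": ["app.names.example.com"], "secretName": "app-tls"}],
             "rules": [{"host": "app.names.example.com",
                        "http": {"paths": [{"path": "/", "pathType": "Prefix",
                                            "backend": _BACKEND}]}}]},
}

if __name__ == "__main__":
    doc = BROKEN if sys.stdin.isatty() else json.load(sys.stdin)
    results = lint_document(doc)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Two caveats the linter cannot check offline: the Secret named in spec.tls[].secretName must exist in the same namespace as the Ingress (ingress-nginx does not read a cert-manager Secret from another namespace), and with the cert-manager.io/cluster-issuer annotation present cert-manager will create its own Certificate for that secretName, so either drop the annotation and point secretName at the existing wildcard Secret, or keep the annotation and let it issue a fresh one; do not do both for the same Secret. When re-checking with openssl s_client, pass -servername with the host: ingress-nginx selects the certificate by SNI, and a connection without SNI gets the default fake certificate even after the fix.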