Tags: ssl, kubernetes-ingress, amazon-eks, cloudflare, aws-application-load-balancer

EKS ALB TLS not working when disabling Cloudflare proxy

Ok, so I have a simple deployment in AWS EKS that uses an ALB and I'm having issues with the TLS. My setup is as follows:

  • I have a CNAME entry in Cloudflare pointing to the ALB.
  • Cloudflare TLS settings are "Full (strict)".
  • I created a certificate (stuff.stf and *.stuff.stf) in Cloudflare, and imported it into Amazon (steps below).

If the CNAME is not proxied (in Cloudflare), I get an "ERR_CERT_AUTHORITY_INVALID" error. But if it's proxied, then it works fine.

How could I fix this or, what am I missing?

These are the YAMLs I used:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-stuff
  namespace: api
  labels:
    app: stuff
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stuff
  template:
    metadata:
      labels:
        app: stuff
    spec:
      containers:
        - name: stuff
          image: stuff.azurecr.io/stuff-master:12
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: stuff
  namespace: api
  labels:
    app: stuff
spec:
  type: NodePort
  selector:
    app: stuff
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: stuff
  namespace: api
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTP": 8080}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:xxxxxxxxxxxxxxxxxxxx"
spec:
  ingressClassName: alb
  rules:
    - host: stuff.domain.stf
      http:
        paths:
          - path: /stuff
            pathType: Prefix
            backend:
              service:
                name: stuff
                port:
                  number: 8080

These are the certificate import steps:

  1. First I created the certificate in Cloudflare for my domain.
  2. Then I downloaded the root certificate from Cloudflare.
  3. I went to the AWS console to import the certificate:
     3.1. I set the created certificate & private key from step 1.
     3.2. I set the chain certificate from Cloudflare.
  4. Once created, that is the ARN I'm using for the ALB annotation.

Solution

  • Ok, I found the issue now: I needed to request a certificate instead of importing it (in AWS ACM).

    To validate the certificate there are two options: email or DNS. I chose the latter. A few minutes after being requested, the certificate will contain the DNS name and value that has to be set in our DNS provider as a CNAME entry (in my case I had to set that in Cloudflare DNS section).
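The procedure in this answer, as an added example that is not part of the original post: request the certificate from ACM with DNS validation, turn every validation record ACM returns into a Cloudflare DNS record, and, before switching the Cloudflare proxy off, connect straight to the ALB with SNI and verify the chain the way a browser would. It goes slightly beyond the answer in two ways: it handles all domains on the certificate (apex and wildcard usually share one record, which it deduplicates) and it forces the validation CNAME to be DNS-only, because a proxied CNAME answers with Cloudflare's own A records and ACM never sees the CNAME. Domain names, the ARN, the ALB DNS name and the sample ACM response are constructed; `cloudflare_records_for_validation` and `verify_alb_chain` are this example's own helpers, and the Cloudflare API call itself is left as a comment.

```python
"""Request an ACM certificate for an ALB behind Cloudflare, convert ACM's DNS
validation records into Cloudflare DNS records, and verify the ALB's chain
directly (with SNI) before disabling the Cloudflare proxy.

Added example, not from the original post. Names, ARN and the ACM response
below are constructed; live calls (boto3, TLS connect) run only as a script.
"""
import socket
import ssl

# Constructed sample of `aws acm describe-certificate` output, trimmed to the
# fields needed for DNS validation. ACM returns one record per domain; the
# apex and its wildcard normally receive the same CNAME.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/constructed",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "stuff.stf",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.stuff.stf.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
            {
                "DomainName": "*.stuff.stf",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.stuff.stf.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
        ],
    }
}


def cloudflare_records_for_validation(describe_output):
    """Return Cloudflare DNS API payloads for every validation record.

    - Trailing dots are stripped: ACM returns FQDNs with a trailing dot, the
      Cloudflare API expects bare names.
    - Duplicate records (apex + wildcard) are collapsed into one.
    - proxied is forced to False: a proxied ("orange cloud") CNAME is answered
      with Cloudflare's own A records, so ACM never sees the CNAME it expects.
    - A missing record (ACM not ready yet) or a non-CNAME type raises instead
      of silently writing a wrong record.
    """
    seen, records = set(), []
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:
            raise ValueError(f"no validation record yet for {opt['DomainName']}; retry describe-certificate")
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected validation record type {rr['Type']} for {opt['DomainName']}")
        name, content = rr["Name"].rstrip(".").lower(), rr["Value"].rstrip(".").lower()
        if (name, content) in seen:
            continue
        seen.add((name, content))
        records.append({"type": "CNAME", "name": name, "content": content, "ttl": 1, "proxied": False})
    return records


def verify_alb_chain(hostname, alb_dns_name, port=443, timeout=5.0):
    """Connect to the ALB directly (bypassing Cloudflare) with SNI=hostname and
    verify the chain against the local trust store, as a browser would once the
    proxy is off. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((alb_dns_name, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
                return True, f"trusted chain, issuer={issuer}"
    except ssl.SSLCertVerificationError as exc:
        # This is what the imported Cloudflare certificate produces: its CA is
        # not in public trust stores. ACM-issued certs chain to Amazon roots.
        return False, f"chain not trusted: {exc.verify_message}"
    except OSError as exc:
        return False, f"connect failed: {exc}"


if __name__ == "__main__":
    import boto3  # live path only (assumed: credentials for the cluster's account)

    domain, region = "stuff.stf", "us-east-1"  # constructed
    acm = boto3.client("acm", region_name=region)
    arn = acm.request_certificate(DomainName=domain, SubjectAlternativeNames=[f"*.{domain}"],
                                  ValidationMethod="DNS")["CertificateArn"]
    for rec in cloudflare_records_for_validation(acm.describe_certificate(CertificateArn=arn)):
        print("POST /client/v4/zones/<zone_id>/dns_records", rec)  # Cloudflare DNS API payload
    # Once ACM reports ISSUED and the ALB uses `arn`, check the ALB before un-proxying:
    print(verify_alb_chain(f"stuff.{domain}", "k8s-constructed.us-east-1.elb.amazonaws.com"))
```

Run `verify_alb_chain` against the ALB's own DNS name (from `kubectl get ingress`) while the Cloudflare record is still proxied: with the imported certificate it returns `chain not trusted`, which is the server-side view of the browser's ERR_CERT_AUTHORITY_INVALID, because a certificate generated in Cloudflare is a Cloudflare Origin CA certificate that only Cloudflare's edge trusts. After the ACM certificate is attached it returns a trusted chain, and only then is it safe to switch the proxied CNAME to DNS-only.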