Default certificate on Nginx-ingress

I want to disable SNI on the nginx-ingress. If a call using openssl like below is used:

openssl s_client -showcerts -connect ***********.gr:443

Then I want nginx-ingress to use only the certificate that I have configured and not the fake-k8s-cert.

The certificate works if I browse to the web app, but I also need to set the default certificate.

An example is below:

[root@production ~]# openssl s_client -showcerts -connect 3dsecureuat.torawallet.gr:443
CONNECTED(00000003)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
   i:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
-----BEGIN CERTIFICATE-----

---
Server certificate
subject=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
issuer=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
---
Acceptable client certificate CA names
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
...

I have also configured the ingress to use the secret on all hostnames without specifying a host:

tls:
- secretName: ******wte-ingress

vasilis asked Oct 28 '25 09:10


2 Answers

Default SSL Certificate flag solved the issue as OP mentioned.

In the NGINX documentation you can read:

NGINX Ingress controller provides the flag --default-ssl-certificate. The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If this flag is not provided NGINX will use a self-signed certificate.

For instance, if you have a TLS secret foo-tls in the default namespace, add --default-ssl-certificate=default/foo-tls in the nginx-controller deployment.

The default certificate will also be used for ingress tls: sections that do not have a secretName option.

Matt answered Oct 30 '25 04:10


As mentioned here

When an ingress without a host is defined, the default server (_ in nginx) is used.

You need to provide -servername to your openssl command to check the certificate for your domain, e.g.:

openssl s_client -showcerts -connect ***********.gr:443 -servername *********.gr

Anton Matsiuk answered Oct 30 '25 06:10
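The two answers together describe one check: compare what the catch-all server hands out without SNI (what --default-ssl-certificate controls) with what the per-host server hands out with -servername, and treat the controller's "Kubernetes Ingress Controller Fake Certificate" subject as the sign that the flag is still missing. The script below is an added example, not code from the question or either answer: it extracts the subject from openssl s_client output, classifies it, probes a host both ways, and prints the JSON patch that adds the flag to the controller deployment. The host and port are placeholders, and the deployment name ingress-nginx-controller in namespace ingress-nginx, container index 0 and the secret default/foo-tls are assumptions taken from the usual upstream install rather than from this page.

```shell
#!/bin/sh
# Added example; not code from the question or the answers.
# Checks which leaf certificate an nginx-ingress endpoint presents with and
# without SNI, flags the controller's placeholder certificate, and prints the
# deployment patch that sets --default-ssl-certificate.
# Host/port, namespace/secret and the deployment name are placeholders/assumptions.

FAKE_CN="Kubernetes Ingress Controller Fake Certificate"

# Read `openssl s_client` output on stdin and print the leaf certificate
# subject (the text after "subject=" in the "Server certificate" section).
subject_from_s_client() {
    sed -n 's/^subject=//p' | head -n 1
}

# Print "fake" when SUBJECT is the controller's self-signed placeholder,
# "real" otherwise. Pure string check, so it runs offline.
classify_subject() {
    case "$1" in
        *"$FAKE_CN"*) printf 'fake\n' ;;
        *)            printf 'real\n' ;;
    esac
}

# probe HOST PORT [SNI]: print the subject served on that connection.
# Without SNI the catch-all (default) certificate is returned; with SNI the
# per-host certificate is. -noservername needs OpenSSL 1.1.1+; older s_client
# versions send no SNI unless -servername is given, so the option is skipped.
probe() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then
        set -- -connect "$host:$port" -servername "$sni"
    elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        set -- -connect "$host:$port" -noservername
    else
        set -- -connect "$host:$port"
    fi
    # empty stdin makes s_client exit right after the handshake
    printf '' | openssl s_client "$@" 2>/dev/null | subject_from_s_client
}

# default_cert_patch NAMESPACE/SECRET: JSON patch appending the flag to the
# controller container's args (container index 0 is an assumption).
default_cert_patch() {
    printf '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--default-ssl-certificate=%s"}]\n' "$1"
}

# Usage: sh check-default-cert.sh HOST [PORT]  (placeholder host; nothing is
# contacted when the script is run without arguments)
if [ "$#" -ge 1 ]; then
    host=$1; port=${2:-443}
    no_sni=$(probe "$host" "$port")
    with_sni=$(probe "$host" "$port" "$host")
    printf 'without SNI: %s [%s]\n' "$no_sni" "$(classify_subject "$no_sni")"
    printf 'with SNI:    %s [%s]\n' "$with_sni" "$(classify_subject "$with_sni")"
    if [ "$(classify_subject "$no_sni")" = fake ]; then
        echo "catch-all server still uses the placeholder; apply for example:"
        echo "kubectl -n ingress-nginx patch deployment ingress-nginx-controller \\"
        echo "  --type=json -p '$(default_cert_patch default/foo-tls)'"
    fi
fi
```

Run it once before and once after adding the flag and restarting the controller: the "without SNI" line should move from [fake] to [real], while the "with SNI" line stays on the host's own certificate either way, which is why the original openssl run without -servername looked broken even though the browser was fine.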