Use case
I deployed the nginx ingress controller in my Kubernetes cluster using this helm chart:
https://github.com/helm/charts/tree/master/stable/nginx-ingress
I created an ingress resource for my frontend serving webserver and it is supposed to redirect from non-www to the www version. I am using SSL as well.
The problem
When I visit the www version of my website everything is fine and nginx serves the page using my Let's Encrypt SSL certificate (which exists as a secret in the right namespace). However, when I visit the NON-www version of the website I get the failing SSL certificate page in my browser (NET::ERR_CERT_AUTHORITY_INVALID) and one can see the page is served using the Kubernetes ingress fake certificate. I assume that's also the reason why the redirect to the www version does not work at all.
This is my ingress resource (actual hostnames have been redacted):
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        kubernetes.io/tls-acme: "true"
        nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
      creationTimestamp: 2018-10-03T19:34:41Z
      generation: 3
      labels:
        app: nodejs
        chart: nodejs-1.0.1
        heritage: Tiller
        release: example-frontend
      name: example-frontend
      namespace: microservices
      resourceVersion: "5700380"
      selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/example-frontend
      uid: 5f6d6500-c743-11e8-8aaf-42010a8401fa
    spec:
      rules:
      - host: www.example.io
        http:
          paths:
          - backend:
              serviceName: example-frontend
              servicePort: http
            path: /
      tls:
      - hosts:
        - example.io
        - www.example.io
        secretName: example-frontend-tls
The question
Why doesn't nginx use the provided certificate on the non-www version as well?
Looks like you fixed the issue for receiving an invalid certificate by adding an additional rule.
The issue with the redirect looks like it's related to this and it's not fixed as of this writing. However, there is a workaround as described on the same link:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($host = 'foo.com' ) {
        rewrite ^ https://www.foo.com$request_uri permanent;
      }
I fixed it by adding the non www version to the rules. The redirect still doesn't work, but the page is served using the correct SSL certificate though.
      - host: example.io
        http:
          paths:
          - backend:
              serviceName: example-frontend
              servicePort: http
            path: /
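A check for the mismatch described in the answers above, as an added example that is not part of the original posts: it reads an Ingress in the JSON shape returned by `kubectl get ingress -o json` and reports hosts listed under `tls` that have no rule, the condition under which the question's controller served the fake certificate, plus redirect counterparts missing from `tls`. The function names, finding labels and sample manifest are constructed for illustration, and host matching is exact (wildcards are not handled).

```python
import json

REDIRECT = "nginx.ingress.kubernetes.io/from-to-www-redirect"

# Constructed sample: the question's Ingress cut down to the relevant fields.
QUESTION_INGRESS = json.loads("""
{
  "metadata": {"annotations": {
    "nginx.ingress.kubernetes.io/from-to-www-redirect": "true"}},
  "spec": {
    "rules": [{"host": "www.example.io"}],
    "tls": [{"hosts": ["example.io", "www.example.io"],
             "secretName": "example-frontend-tls"}]
  }
}
""")


def www_twin(host):
    """Return the www/non-www counterpart of a hostname."""
    return host[4:] if host.startswith("www.") else "www." + host


def audit_ingress(ingress):
    """Return (host, finding) pairs for certificate/host mismatches."""
    spec = ingress.get("spec", {})
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    rule_hosts = {r["host"] for r in spec.get("rules") or [] if r.get("host")}
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    findings = []
    # Listed under tls but absent from rules: the case reported in the question.
    for host in sorted(tls_hosts - rule_hosts):
        findings.append((host, "TLS_HOST_WITHOUT_RULE"))
    # With the redirect annotation on, the counterpart of each rule host is
    # reached over HTTPS first, so it needs to be covered by a tls entry too.
    if annotations.get(REDIRECT) == "true":
        for host in sorted(rule_hosts):
            twin = www_twin(host)
            if twin not in tls_hosts:
                findings.append((twin, "REDIRECT_HOST_NOT_IN_TLS"))
    return findings


if __name__ == "__main__":
    for host, finding in audit_ingress(QUESTION_INGRESS):
        print(f"{finding}: {host}")
```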