digitalocean / Kubernetes-Starter-Kit-Developers

Hands-on tutorial and Automation stack for an operations-ready DigitalOcean Kubernetes (DOKS) cluster.

tls termination not working for 03-ingress-controller tutorial #155

Closed sktrinh12 closed 2 years ago

sktrinh12 commented 2 years ago

Hi, I followed each step in the tutorial for ingress-controller using DO. Everything seems to be working except the second service, the quote service. The echo service returns what is expected, but tls termination doesn't seem to be working for quote. I get this when I try to curl:

HTTP/1.1 308 Permanent Redirect
Date: Thu, 14 Apr 2022 04:52:21 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://quote.mydomain.com

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I just did kubectl apply -f quote_host.yaml with the annotations and tls sections un-commented, just some small changes. Did I miss a step? The tutorial doesn't explicitly lay out the steps to do the quote service, but I just repeated the steps for the echo service.

Would appreciate some assistance. Thanks.

bikram20 commented 2 years ago

I believe you may have tried the following already, but just in case...

1/ If you use "curl -k", are you able to reach the target? "-k" option disables the certificate checking.

Assuming the above works, you need to verify if you have the valid certificate for your site.

2/ Do you own this site mydomain.com? The following is from your logs. Location: https://quote.mydomain.com

3/ Check that you have cert-manager and TLS configured.

kubectl get issuer -A
kubectl get certificates -A
kubectl get ingress -A

4/ If the above looks all good, did you configure proxy protocol anywhere? If yes... then does the set up work w/o proxy protocol?

vladciobancai commented 2 years ago

Hi @sktrinh12, thank you for spotting the issue, I have created a fix for this problem. Also please keep in mind that if the sub-domains are not static we suggest you use a wildcard tls certificate; please visit https://github.com/digitalocean/Kubernetes-Starter-Kit-Developers/blob/main/03-setup-ingress-controller/guides/wildcard_certificates.md for more details.

sktrinh12 commented 2 years ago

Great, thanks for the guidance and for fixing that so quickly. Is it because the secretName value can't be shared by two separate services? That's the only difference I see in the host.yaml files. It is now working.
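The closing question above points at the thing worth checking first when one host gets a valid certificate and its sibling does not: two Ingress objects in the same namespace pointing their tls section at the same secretName. The script below is an added example, not part of the thread or the Starter Kit; it takes the JSON form of `kubectl get ingress -A -o json` (a constructed, trimmed sample is embedded inline, with hypothetical Ingress and secret names) and flags every namespace/secretName claimed by more than one Ingress.

```python
import json
from collections import defaultdict

# Constructed sample: a trimmed `kubectl get ingress -A -o json` listing in which
# the echo and quote Ingress objects (hypothetical names) share one TLS secret.
INGRESS_LIST_JSON = """
{"items": [
  {"metadata": {"name": "ingress-echo", "namespace": "backend"},
   "spec": {"tls": [{"hosts": ["echo.mydomain.com"], "secretName": "mydomain-tls"}],
            "rules": [{"host": "echo.mydomain.com"}]}},
  {"metadata": {"name": "ingress-quote", "namespace": "backend"},
   "spec": {"tls": [{"hosts": ["quote.mydomain.com"], "secretName": "mydomain-tls"}],
            "rules": [{"host": "quote.mydomain.com"}]}},
  {"metadata": {"name": "ingress-www", "namespace": "frontend"},
   "spec": {"tls": [{"hosts": ["www.mydomain.com"], "secretName": "www-tls"}],
            "rules": [{"host": "www.mydomain.com"}]}}
]}
"""

def shared_tls_secrets(ingress_list):
    """Return {"namespace/secretName": [(ingress, host), ...]} for every TLS
    secret referenced by more than one Ingress in the same namespace."""
    refs = defaultdict(set)
    for item in ingress_list.get("items", []):
        meta = item["metadata"]
        ns, ingress = meta["namespace"], meta["name"]
        for tls in item.get("spec", {}).get("tls") or []:
            secret = tls.get("secretName")
            if not secret:
                continue  # TLS block without a secret: nothing to collide on
            for host in tls.get("hosts") or []:
                refs[f"{ns}/{secret}"].add((ingress, host))
    # Secrets are namespaced, so only same-namespace sharing is a conflict: with
    # cert-manager's ingress annotation each Ingress asks for a certificate to be
    # written into that secret, and two Ingress objects end up competing for it.
    return {s: sorted(p) for s, p in refs.items() if len({i for i, _ in p}) > 1}

def main():
    findings = shared_tls_secrets(json.loads(INGRESS_LIST_JSON))
    if not findings:
        print("no tls.secretName is shared between Ingress objects")
    for secret, pairs in findings.items():
        print(f"{secret} is claimed by more than one Ingress:")
        for ingress, host in pairs:
            print(f"  {ingress} -> {host}")

if __name__ == "__main__":
    main()
```

Pipe real output in with `kubectl get ingress -A -o json | python3 check.py` after swapping the embedded sample for `json.load(sys.stdin)`; an empty result means the hosts each have their own secret and the search should move on to the Issuer and Certificate objects listed earlier in the thread.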