jackzampolin opened this issue 7 years ago (status: Open)
+1
So I ended up finding out what was going on. You can't use the Proxy Pass features of Nginx and get the real client IP while using kube-lego on GCE. It's kind of a bummer, but that's the case.
@jackzampolin May I ask why you cannot? What is the problem? And how can this be solved? What are the alternatives?
@m-koepke I ended up banging my head against the wall for a couple of days on this. Just went through my notes on this, and the below explanation may or may not make sense:
If you enable the proxy pass on the nginx-ingress (`use-proxy-protocol: "true"`), it causes the verification requests from kube-lego to time out, so no new certs and no renewals. The verification requests come in over HTTP, but the GCE LB (provisioned with `LoadBalancer`) only handles proxy protocol over HTTPS, so the requests fail. I tried a number of ways to get around this but was unable to. The service I was deploying depended on both proxy pass and SSL, so I ended up deploying it on a bare VM. Kind of a bummer.
Hope that helps!
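To make the mechanism behind the explanation above concrete, here is a small added example (it is not code from kube-lego, nginx-ingress or this thread). It implements a toy parser for the PROXY protocol v1 line that a load balancer prepends to a connection when proxy protocol is enabled, and shows what a listener configured with `use-proxy-protocol: "true"` can learn from two constructed byte streams: one where the LB sent the PROXY line (the real client IP is recoverable) and one where it forwarded the bare HTTP self-test request (no PROXY line, so the connection does not even parse as a proxy-protocol stream). The addresses, ports and request bytes are constructed sample values, and `client_ip_for_request` is a hypothetical helper that stands in for what the ingress listener would do.

```python
"""Toy PROXY protocol v1 parser (added example, not part of kube-lego or
nginx-ingress). Illustrates why a listener that expects proxy protocol
cannot serve a connection that begins with a plain HTTP request."""

import ipaddress
from typing import NamedTuple, Optional


class ProxyHeader(NamedTuple):
    src_ip: str      # real client address as reported by the load balancer
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes   # bytes after the PROXY line, i.e. the actual request


def parse_proxy_v1(data: bytes) -> Optional[ProxyHeader]:
    """Parse a PROXY protocol v1 line from the start of a byte stream.

    Returns None when the stream does not start with a valid PROXY line,
    which is exactly what a proxy-protocol listener sees when the LB
    forwards plain HTTP (the kube-lego self-test path) without the header.
    """
    # The v1 header is at most 107 bytes including the trailing CRLF.
    end = data.find(b"\r\n", 0, 108)
    if end == -1 or not data.startswith(b"PROXY "):
        return None
    fields = data[:end].decode("ascii", errors="replace").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None
    _, proto, src, dst, sport, dport = fields
    addr_type = ipaddress.IPv4Address if proto == "TCP4" else ipaddress.IPv6Address
    if not (sport.isdigit() and dport.isdigit()):
        return None
    try:
        addr_type(src)
        addr_type(dst)
    except ValueError:
        return None
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        return None
    return ProxyHeader(src, dst, sport_i, dport_i, data[end + 2:])


def client_ip_for_request(data: bytes) -> str:
    """Hypothetical listener logic: what client address can be attributed
    to this connection if the listener insists on proxy protocol."""
    hdr = parse_proxy_v1(data)
    if hdr is None:
        # The stream starts with "GET ..." instead of "PROXY ...": there is
        # no client address to recover and a real listener would reject or
        # stall on the connection rather than answer the HTTP request.
        return "unknown (no PROXY line)"
    return hdr.src_ip


# Constructed samples. SELFTEST_REQUEST mimics the plain-HTTP self-test the
# thread describes; WITH_PROXY_LINE is the same request as it would arrive
# on a port where the load balancer does emit the PROXY line.
SELFTEST_REQUEST = (
    b"GET /.well-known/acme-challenge/_selftest HTTP/1.1\r\n"
    b"Host: example.invalid\r\n\r\n"
)
WITH_PROXY_LINE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n" + SELFTEST_REQUEST

if __name__ == "__main__":
    print(client_ip_for_request(WITH_PROXY_LINE))   # 203.0.113.7
    print(client_ip_for_request(SELFTEST_REQUEST))  # unknown (no PROXY line)
```

The takeaway for a deployment like the one described: enabling proxy protocol on the ingress is an all-or-nothing setting per listener, so every path into that listener, including the plain-HTTP ACME challenge path, has to be fronted by something that actually sends the PROXY line; otherwise the client IP is unrecoverable and the request is dropped rather than served.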
@jackzampolin Thanks for the explanation. This seems to be related to https://github.com/jetstack/kube-lego/issues/173. If the selftest would use https, everything should work, right?
@m-koepke That seemed to be the case when I was working on it last.
kube-lego could allow for a config option to choose the desired reachability test to try.
lego.test: http
lego.test: https
lego.test: dns
...
I think it is important to support setups that need 'use-proxy-protocol' at IC level.
What do you think?
I totally agree. This was a very frustrating issue for me. I'll change the title of the issue.
So not really sure quite where to start with this. I'm a maintainer on both of the helm charts involved here, so I'm a bit perplexed not being able to solve this. When kube-lego tries to make a call to `/.well-known/acme-challenge/_selftest`, this call fails and is redirected to `tls`. This never used to happen even though I have not changed the setup. I'm passing some configuration options to `nginx-ingress` (see below). The error in the `nginx-ingress` is as follows:
additional nginx config
generated nginx.conf
Anyone have any good ideas on this one?