jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

SSL Created but HTTPS not working #247

Open Aleksion opened 7 years ago

Aleksion commented 7 years ago

Hi,

I'm definitely a rookie at this, but I'm currently stuck when trying to get SSL working with the GCE load balancer. I've followed the GCE example, and I think it's working as intended (meaning my service and ingress files reflect the ones in the sample, and the kube-lego files are identical (with my email though)). I see the certificate and the secret is created in my app's namespace. However, when I try to navigate to https://[MYDOMAIN] I get the Chrome error: unexpectedly closed the connection.

This is what kube-lego prints to the logs: (with my app name redacted)

```
E  time="2017-08-25T12:06:22Z" level=debug msg="UPDATE ingress/[APP_NAME]/[APP_NAME]-ingress" context=kubelego
E  time="2017-08-25T12:06:22Z" level=debug msg="worker: begin processing true" context=kubelego
E  time="2017-08-25T12:06:22Z" level=debug msg=reset context=provider provider=nginx
E  time="2017-08-25T12:06:22Z" level=debug msg=finalize context=provider provider=nginx
E  time="2017-08-25T12:06:22Z" level=info msg="disable provider no TLS hosts found" context=provider provider=nginx
E  time="2017-08-25T12:06:22Z" level=debug msg=reset context=provider provider=gce
E  time="2017-08-25T12:06:22Z" level=debug msg=finalize context=provider provider=gce
E  time="2017-08-25T12:06:22Z" level=debug msg="setting up svc endpoint" context=provider namespace=[APP_NAME] pod_ip=10.52.1.13 provider=gce
E  time="2017-08-25T12:06:22Z" level=info msg="process certificate requests for ingresses" context=kubelego
E  time="2017-08-25T12:06:22Z" level=info msg="cert expires in 89.9 days, no renewal needed" context="ingress_tls" expire_time=2017-11-23 10:26:00 +0000 UTC name=[APP_NAME]-ingress namespace=[APP_NAME]
E  time="2017-08-25T12:06:22Z" level=info msg="no cert request needed" context="ingress_tls" name=[APP_NAME]-ingress namespace=[APP_NAME]
E  time="2017-08-25T12:06:22Z" level=debug msg="worker: done processing true" context=kubelego
```

Is there anything I'm missing? It's probably an error on my part, but I have no idea where to go from here.

Regards Aleksander

Aleksion commented 6 years ago

OK, I found the problem. The load balancer allocated a different IP to the HTTPS endpoint. That information doesn't pop up anywhere in the Kubernetes dashboard though. Is there a way to get HTTP and HTTPS running on the same IP?

jails commented 6 years ago

I didn't run into a use case where the allocated IP was different for HTTP & HTTPS. Maybe your best option here is to create a static IP upstream like so:

```
gcloud compute addresses create my-static-ip-name --global
```

Then update the ingress resource yaml file like the following:

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: gce
    # Use your IP reference below
    kubernetes.io/ingress.global-static-ip-name: my-static-ip-name
spec:
  tls:
    - hosts:
      - my.domain.com
      secretName: my-domain-tls
  rules:
    - host: my.domain.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: nginx-service
              servicePort: 80
```

And this way you won't need to update your domain's DNS each time the load balancer is "stopped/recreated".
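
The mismatch reported earlier in the thread (HTTP and HTTPS frontends on different addresses) does not show in the dashboard, but it is visible in the load balancer's forwarding rules. The following is an added example, not code from the thread or from kube-lego: it assumes the rules were exported with `gcloud compute forwarding-rules list --format=json`, that the GCE ingress controller names them with `k8s-fw-` / `k8s-fws-` prefixes, and it runs on constructed names and addresses.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like `gcloud compute forwarding-rules list --format=json`.
# Names and addresses are made up; the k8s-fw- / k8s-fws- name prefixes are an
# assumption about how the GCE ingress controller names its rules.
SAMPLE_RULES = json.loads("""
[
  {"name": "k8s-fw-myapp-myapp-ingress--abc123", "IPAddress": "203.0.113.10",
   "portRange": "80-80", "target": "projects/p/global/targetHttpProxies/k8s-tp-myapp"},
  {"name": "k8s-fws-myapp-myapp-ingress--abc123", "IPAddress": "203.0.113.77",
   "portRange": "443-443", "target": "projects/p/global/targetHttpsProxies/k8s-tps-myapp"},
  {"name": "k8s-fw-shop-shop-ingress--def456", "IPAddress": "198.51.100.5",
   "portRange": "80-80", "target": "projects/p/global/targetHttpProxies/k8s-tp-shop"},
  {"name": "k8s-fws-shop-shop-ingress--def456", "IPAddress": "198.51.100.5",
   "portRange": "443-443", "target": "projects/p/global/targetHttpsProxies/k8s-tps-shop"}
]
""")


def scheme_of(rule):
    """Classify a rule by the target proxy type it points at (None if neither)."""
    target = rule.get("target", "")
    if "/targetHttpsProxies/" in target:
        return "https"
    return "http" if "/targetHttpProxies/" in target else None


def find_split_frontends(rules):
    """Return {ingress: {"http": ip, "https": ip}} for ingresses whose two IPs differ."""
    by_ingress = defaultdict(dict)
    for rule in rules:
        scheme = scheme_of(rule)
        if scheme:
            # Strip the assumed prefix so both rules of one ingress share a key.
            key = re.sub(r"^k8s-fws?-", "", rule["name"])
            by_ingress[key][scheme] = rule["IPAddress"]
    return {k: ips for k, ips in by_ingress.items()
            if len(ips) == 2 and ips["http"] != ips["https"]}


if __name__ == "__main__":
    for key, ips in find_split_frontends(SAMPLE_RULES).items():
        print(f"{key}: HTTP on {ips['http']}, HTTPS on {ips['https']}")
```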

likered commented 6 years ago

Is there any solution for this via AWS?

I've gotten to the same point, but I've noticed that the site is working fine... just "Not secure" even though I've set up all the kube-lego (properly).


```
time="2017-11-15T21:25:52Z" level=info msg="cert expires in 89.9 days, no renewal needed" context="ingress_tls" expire_time=2018-02-13 18:34:57 +0000 UTC name=leads namespace=default
time="2017-11-15T21:25:52Z" level=info msg="no cert request needed" context="ingress_tls" name=leads namespace=default
```

aramkarapetian commented 5 years ago

We have had this issue since October; today the certs expired and the service went down. My suspicion was that the load balancer and the kube ingress got out of sync because we manually changed some things on the load balancer. I made sure the IP address would not change and recreated the ingress by deleting both the Kubernetes ingress and the load balancer separately (this might also be a sign that they are not connected anymore). It solved the issue! Lesson learned: do not touch the load balancer, use the Kubernetes ingress file.