kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Error obtaining PEM certificate from secret. #1175

Closed donch closed 7 years ago

donch commented 7 years ago

Hello,

I'm using an Ingress Controller outside of my cluster (https://github.com/unibet/ext_nginx based on Nginx IC). I'm experiencing an issue on SSL Configuration.

When I restart the ingress controller, everything is correctly configured and reloaded. Sometimes, after a restart, I get the following error:

```
Aug 18 08:55:56 klb-01 systemd[1]: Stopped Kubernetes nginx-ingress controller..
Aug 18 08:55:57 klb-01 systemd[1]: Started Kubernetes nginx-ingress controller..
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.433947  130727 launch.go:108] &{ExtNGINX 0.1 git-933396b https://github.com/unibet/ext_nginx.git}
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.434255  130727 launch.go:111] Watching for ingress class: nginx
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.438904  130727 launch.go:266] Creating API server client for https://10.XXX.XXX.XXX:6443/
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.731319  130727 launch.go:127] validated default/dm-default-backend as the default backend
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.737209  130727 controller.go:1238] starting Ingress controller
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.748086  130727 controller.go:257] adding configmap default/nginx-custom-configuration to backend
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: W0818 08:55:57.748930  130727 backend_ssl.go:46] error obtaining PEM from secret default/gcp-dailymotion-tls: secret named default/gcp-dailymotion-tls does not exist
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.749312  130727 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"donch-ingress", UID:"e033be3a-7e85-11e7-8685-549f351ac600", APIVersion:"extensions", ResourceVersion:"3052413", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress default/donch-ingress
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.837937  130727 leaderelection.go:174] attempting to acquire leader lease...
Aug 18 08:55:57 klb-01 nginx-ingress-controller[130727]: I0818 08:55:57.841493  130727 controller.go:1100] ssl certificate "default/gcp-dailymotion-tls" does not exist in local store
...
Aug 18 08:59:37 klb-01 nginx-ingress-controller[130727]: I0818 08:59:37.735438  130727 controller.go:1100] ssl certificate "default/gcp-dailymotion-tls" does not exist in local store
Aug 18 08:59:41 klb-01 nginx-ingress-controller[130727]: I0818 08:59:41.068605  130727 controller.go:1100] ssl certificate "default/gcp-dailymotion-tls" does not exist in local store
Aug 18 08:59:44 klb-01 nginx-ingress-controller[130727]: I0818 08:59:44.402005  130727 controller.go:1100] ssl certificate "default/gcp-dailymotion-tls" does not exist in local store
Aug 18 08:59:47 klb-01 nginx-ingress-controller[130727]: I0818 08:59:47.735362  130727 controller.go:1100] ssl certificate "default/gcp-dailymotion-tls" does not exist in local store
```

I need to restart the ingress-controller several times to get an nginx running with the right configuration; otherwise the SSL configuration isn't applied.

Setup:

- Ubuntu 16.04
- Nginx 1.10.3-0ubuntu0.16.04.2
- Ingress built from master (0a5186c51741d4d465d961bb94292a66a250bb47)

I guess there is a bug or maybe a misconfiguration on my side?

Thanks

donch commented 7 years ago

Hi,

I can add more feedback: when I update my ingress (for example with a fake annotation to trigger an event), the ssl certificate is correctly added to the local store:

```
Aug 21 08:47:43 klb-01 nginx-ingress-controller[55329]: I0821 08:47:43.525766   55329 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"donch-ingress", UID:"e033be3a-7e85-11e7-8685-549f351ac600", APIVersion:"extensions", ResourceVersion:"3746899", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/donch-ingress
Aug 21 08:47:43 klb-01 nginx-ingress-controller[55329]: I0821 08:47:43.531723   55329 backend_ssl.go:64] adding secret default/gcp-dailymotion-tls to the local store
```

aledbf commented 7 years ago

@donchh please update your code. This issue is fixed in master.

aledbf commented 7 years ago

Closing. Please reopen if you see the issue after the code update

donch commented 7 years ago

Thanks @aledbf it's working with the master (and using the default nginx ingress controller)

christhomas commented 6 years ago

What was the issue? Because I'm getting this now, with the latest nginx controller version, and I have no idea what could be the problem.

aledbf commented 6 years ago

@christhomas please check the nginx logs to get the reason

christhomas commented 6 years ago

isn't the dashboard log viewer already showing me that? Otherwise, what am I seeing here? Which log is this?

On 25 Feb 2018, Manuel Alejandro de Brito Fontes notifications@github.com wrote:

> @christhomas please check the nginx logs to get the reason

aledbf commented 6 years ago

@christhomas this log contains information about the go part of the nginx controller. In case of any error validating the SSL Certificate, you will see that here.

christhomas commented 6 years ago

I'm unsure which log you're talking about. In the latest ingress-nginx-controller, the nginx logs are pointed to stdout, which is the same content as that displayed in the kubernetes dashboard, so I'm asking if there is another file which was not mentioned, or commonly known about?

aledbf commented 6 years ago

@christhomas the data in the dashboard and the pod logs is the same. Please just check the content of the log searching for messages related to ssl issues
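
One way to do the log search suggested above, as an added example that is not part of the thread or the project's code: it groups the three certificate-related messages quoted earlier in this issue by secret and reports whether each secret ever reached the local store. The sample log is constructed, and the secret names `default/example-tls` and `default/missing-tls` and the function name `triage` are hypothetical.

```python
import re
from collections import defaultdict

# klog header, optionally preceded by a syslog prefix; captures the message text.
KLOG = re.compile(r'\b[IWEF]\d{4} [\d:.]+\s+\d+ [\w.]+:\d+\] (.*)')

# Message shapes copied from the controller log lines quoted in this thread.
EVENTS = [
    ("pem_error", re.compile(r'error obtaining PEM from secret ([^\s:]+): (.*)')),
    ("not_in_store", re.compile(r'ssl certificate "([^"]+)" does not exist in local store')),
    ("added", re.compile(r'adding secret (\S+) to the local store')),
]

# Constructed sample log; the secret names are hypothetical.
SAMPLE_LOG = """\
Aug 18 08:55:57 host ctl[1]: W0818 08:55:57.748930  130727 backend_ssl.go:46] error obtaining PEM from secret default/example-tls: secret named default/example-tls does not exist
I0818 08:55:57.841493  130727 controller.go:1100] ssl certificate "default/example-tls" does not exist in local store
I0818 08:55:58.000000  130727 leaderelection.go:174] attempting to acquire leader lease...
I0818 08:56:01.068605  130727 controller.go:1100] ssl certificate "default/example-tls" does not exist in local store
W0818 08:56:02.100000  130727 backend_ssl.go:46] error obtaining PEM from secret default/missing-tls: secret named default/missing-tls does not exist
I0818 08:56:02.200000  130727 controller.go:1100] ssl certificate "default/missing-tls" does not exist in local store
I0818 08:57:43.531723  130727 backend_ssl.go:64] adding secret default/example-tls to the local store
"""

def triage(log_text):
    """Summarise per-secret TLS events; a secret is 'loaded' only if its last event is 'added'."""
    state = defaultdict(lambda: {"pem_error": 0, "not_in_store": 0, "added": 0,
                                 "reasons": set(), "last": None})
    for line in log_text.splitlines():
        header = KLOG.search(line)
        if not header:
            continue  # not a controller (klog) line
        for kind, pattern in EVENTS:
            m = pattern.search(header.group(1))
            if m:
                entry = state[m.group(1)]
                entry[kind] += 1
                entry["last"] = kind
                if kind == "pem_error":
                    entry["reasons"].add(m.group(2))
                break
    return {name: {**e, "status": "loaded" if e["last"] == "added" else "unresolved"}
            for name, e in state.items()}

if __name__ == "__main__":
    for name, summary in triage(SAMPLE_LOG).items():
        print(name, summary["status"], summary["not_in_store"], sorted(summary["reasons"]))
```

A secret that stays `unresolved` with a growing `not_in_store` count matches the symptom reported at the top of this issue; the `reasons` set carries the text after `error obtaining PEM from secret`.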

christhomas commented 6 years ago

I did check the logs. I am having the same problem as the poster; that's why I am asking what the problem was that @aledbf fixed relating to this issue.