search

kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0
17.27k stars 8.21k forks source link

x509: certificate is valid for ingress.local and not valid for other server defined using regex #4644

Closed anastasiagrinman closed 3 years ago

anastasiagrinman commented 4 years ago

We work with regex support on server_name, for example: server_name ~^myservername-(?.+).org.com

We use $sub to define the nginx location, for example: /api/docker/$sub/v2/$1

When using SSL dynamic mode on version 0.26.0 and the TLS is not recognized. Error response from daemon: Get https://myservername-abc.org.com: x509: certificate is valid for ingress.local, not myservername-abc.org.com

This works for us with 0.24.0 or lower. Also, it works when we define the server_alias with non regex expression, but we need to use the regex for our setup.

joaomantovani commented 4 years ago

Same here

alphara commented 4 years ago

Any solutions?

r9labs commented 4 years ago

Same issue here. Anyone solve this?

alphara commented 4 years ago

Yes, I have solved the issue with using the valid certificate for the docker registry. Self-signed certificates do not work. Only valid certificate works. Kubernetes has an ability to sign and approve certificates.

ainiml commented 4 years ago

Does this work for cert-manager? I get the same error when installing rancher with cert-manager

Full description of how I'm installing and deploying, here: https://github.com/rancher/rancher/issues/25827

jerry3k commented 4 years ago

Hi all. I;m stuck here too!

ghost commented 4 years ago

What's the reason

ddavtian commented 4 years ago

+1

alphara commented 4 years ago

You could issue and sign a certificate for the Nginx ingress, docker registry and other services with help of the Kubernetes.

Download and install CFSSL

brew install cfssl

Create a Certificate Signing Request

mkdir cert && cd cert/

cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "myservername-abc.org.com",
    "registry.myservername-abc.org.com",
    "myapp.myservername-abc.org.com",
    "subdomain.myservername-abc.org.com"
  ],
  "CN": "myservername-abc.org.com",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

Create a Certificate Signing Request (CSR) object to send to the Kubernetes API

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: myservername-abc.org.com
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

Describe CSR

kubectl describe csr myservername-abc.org.com

Get the Certificate Signing Request Approved

kubectl certificate approve myservername-abc.org.com

Download the Certificate and Use It

kubectl get csr
kubectl get csr myservername-abc.org.com -o jsonpath='{.status.certificate}' | base64 --decode > server.crt

Check the TLS certificate and CSR

openssl x509 -noout -text -in server.crt
openssl req -text -noout -verify -in server.csr

Create a secret with the TLS certificate

kubectl create secret tls nginx-ingress-tls-secret --key server-key.pem --cert server.crt

Info

Bonjour123 commented 4 years ago

@alphara I did all what you suggested, but still getting the same error. Is there a way for me to get the faulty certificate ? Because reading "this certificate is valid for... not for" and not knowing which cert it is, is not very helpful ^^ Here is the log I get:

kubectl get pods -v=10                   
I0617 08:42:45.331125    5622 loader.go:375] Config loaded from file:  /Users/lucas/.kube/config
I0617 08:42:45.331814    5622 round_trippers.go:423] curl -k -v -XGET  -H "User-Agent: kubectl/v1.18.3 (darwin/amd64) kubernetes/2e7996e" -H "Accept: application/json, */*" 'https://192.168.99.100:8443/api?timeout=32s'
I0617 08:42:45.331854    5622 round_trippers.go:423] curl -k -v -XGET  'https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration'
I0617 08:42:45.335723    5622 round_trippers.go:443] GET https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration  in 3 milliseconds
I0617 08:42:45.335735    5622 round_trippers.go:449] Response Headers:
I0617 08:42:45.335743    5622 round_trippers.go:443] GET https://192.168.99.100:8443/api?timeout=32s  in 3 milliseconds
I0617 08:42:45.335746    5622 round_trippers.go:449] Response Headers:
/*see this line ->*I0617 08:42:45.335778    5622 cached_discovery.go:121] skipped caching discovery info due to Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I0617 08:42:45.336104    5622 round_trippers.go:423] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.18.3 (darwin/amd64) kubernetes/2e7996e" 'https://192.168.99.100:8443/api?timeout=32s'
I0617 08:42:45.336131    5622 round_trippers.go:423] curl -k -v -XGET  'https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration'
I0617 08:42:45.338656    5622 round_trippers.go:443] GET https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration  in 2 milliseconds
I0617 08:42:45.338665    5622 round_trippers.go:449] Response Headers:
I0617 08:42:45.338671    5622 round_trippers.go:443] GET https://192.168.99.100:8443/api?timeout=32s  in 2 milliseconds
I0617 08:42:45.338674    5622 round_trippers.go:449] Response Headers:
/*see this line ->*I0617 08:42:45.338737    5622 cached_discovery.go:121] skipped caching discovery info due to Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I0617 08:42:45.338751    5622 shortcut.go:89] Error loading discovery information: Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal

I would greatly appreciate any help on this !

alphara commented 4 years ago

Hi @Bonjour123,

I assume you solve a different problem but try to include IP address 192.168.99.100 to the list of the hosts for issuing a certificate. It would be even more secure to create a subdomain for the IP address, and then you include a subdomain into the lists of hosts.

Bonjour123 commented 4 years ago

Ok, I will surely try. Thanks for the help !

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

alphara commented 3 years ago

@Bonjour123,

You need to issue your certificate with CN and hosts set to keycloak.devlocal instead of ingress.local. Also, you may need to have a cert-manager deployed.

fejta-bot commented 3 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

fejta-bot commented 3 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close

k8s-ci-robot commented 3 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/4644#issuecomment-733826252): >Rotten issues close after 30d of inactivity. >Reopen the issue with `/reopen`. >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta). >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
Aurorxa commented 1 year ago

https://lusyoe.github.io/2019/06/22/%E8%A7%A3%E5%86%B3harbor-cert-manager%E5%87%BA%E7%8E%B0ingress-nginx-x509-certificate-is-valid-for-ingress-local/

Aurorxa commented 1 year ago

https://lusyoe.github.io/2019/06/22/%E8%A7%A3%E5%86%B3harbor-cert-manager%E5%87%BA%E7%8E%B0ingress-nginx-x509-certificate-is-valid-for-ingress-local/

hmshashank commented 11 months ago

@alphara I am seeing similar Error in my Oauth2-proxy pod:

Error redeeming code during OAuth2 callback: error performing request: Post "https://1-1-4-1.ip.linodeusercontent.com/realms/OAuth2-demo/protocol/openid-connect/token": x509: certificate is valid for ingress.local, not 1-1-4-1.ip.linodeusercontent.com

i wanted to access using http, so dint use any secret, i am not sure which secret is causing the issue here, any idea on this ?

alphara commented 11 months ago

@hmshashank you probably use a secret with self-signed certificate or don't use any. I guess you need to set up a certificate for your domain name instead.

hmshashank commented 11 months ago

@alphara This is my values.yml file,

config:
  clientID: oauth  # Replace with your GitHub OAuth app client ID
  configFile: |
    provider = "keycloak"
    provider_display_name="keycloak"
    scope = "openid"
    login_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/auth"
    redeem_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/token"
    validate_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/userinfo"
    profile_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/userinfo"
    oidc_issuer_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy"
    cookie_secure="false"
    cookie_csrf_per_request="true"
    cookie_csrf_expire="5m"
    # Upstream config
    http_address="0.0.0.0:80"
    email_domains = [ "*" ]  # Replace with [ "example.com" ] to limit access to users with specific email domain
    cookie_domains = [ "1-1-1-1.ip.linodeusercontent.com" ]  # Replace with domain names that the proxy is allowed to redirect to after auth, prepend . for wildcards, i.e. ".example.com"
    whitelist_domains = [ "1-1-1-1.ip.linodeusercontent.com" ]  # Same as above

ingress:
  enabled: true
  path: /oauth2
  pathType: Prefix
  className: nginx
  hosts:
    - 1-1-1-1.ip.linodeusercontent.com

I dint use any certificates here, all my keycloak endpoints are in http, and my ingress annotations for app are also in http .