Closed voigt closed 3 years ago
@voigt: The label(s) triage/support
cannot be applied, because the repository doesn't have them
What you expected to happen:
An output, similar to environments where we are running 0.24.1 (without)
openssl s_client -connect on a 0.24.1 endpoint
``` $ openssl s_client -connect otherservice.domain.com:443 -servername otherservice.domain.com CONNECTED(00000005) depth=2 DC = com, DC =, DC = ORGPKI, CN = -05 verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:C = IE, ST = , L = , O = , OU = , CN = otherservice.domain.com i:DC = com, DC = , DC = ORGPKI, CN = -01, O = 1 s:DC = com, DC = , DC = ORGPKI, CN = -01, O = i:DC = com, DC = , DC = ORGPKI, CN = -05 2 s:DC = com, DC = , DC = ORGPKI, CN = -05 i:DC = com, DC = , DC = ORGPKI, CN = -05 3 s:DC = com, DC = , DC = ORGPKI, CN = -01, O = i:DC = com, DC = , DC = ORGPKI, CN = -05 --- [...] ``` How to reproduce it:
$ openssl s_client -connect service.domain.com:443 -servername service.domain.com
Anything else we need to know:
We have multiple environments running and only those with the updated version IC
0.40.1
show this behavior.from the Helm-Chart we enabled the following
extraArgs
. Please note, that with 0.24.1 we also enabledenable-dynamic-certificates: "false"
, which does not seem to exist anymore. I'm explicitly pointing that out, as I found issue #4245.enable-ssl-passthrough: "true" enable-ssl-chain-completion: "true"
- Arguments with which the IC is started:
all nginx-ingress-controller arguments used
``` spec: containers: - args: - /nginx-ingress-controller - --default-backend-service=ingress/ingress-nginx-defaultbackend - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=portal - --configmap=ingress/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - --enable-ssl-chain-completion=true - --enable-ssl-passthrough=true ```
- A sample ingress (redacted) - we make use of
nginx.ingress.kubernetes.io/configuration-snippet
, which hasn't changed after we updated to 0.40.1:Sample Ingress
```yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: ingress.kubernetes.io/force-ssl-redirect: "true" ingress.kubernetes.io/rewrite-target: / kubernetes.io/ingress.class: portal nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false" nginx.ingress.kubernetes.io/auth-tls-secret: default/casecret nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" nginx.ingress.kubernetes.io/configuration-snippet: | set $allowed 0; if ($ssl_client_i_dn = "CN=,DC= ,DC= ,DC= ") { set $allowed 1; } if ($ssl_client_i_dn = "CN= ,DC= ,DC= ,DC= ") { set $allowed 1; } if ($ssl_client_i_dn = "CN= ,DC= ,DC= ,DC= ") { set $allowed 1; } if ($ssl_client_s_dn = "C= ,O= ,OU= ,CN= ") { set $allowed 1; } if ($allowed != 1) { return 401 $ssl_client_s_dn; } labels: app: service name: service-ingress namespace: default spec: rules: - host: service.domain.com http: paths: - backend: serviceName: service servicePort: 8080 path: / tls: - hosts: - service.domain.com secretName: service.domain.com status: loadBalancer: ingress: - ip: 100.69.155.90 ```
- We use cert-manager
v0.9.1
(I know, pretty old - the upgrade is WIP) to get TLS certificates that are then inserted into our ingress resources. So for the sake of completeness a sample Kubernetes secret as it is used with 0.24.1 and 0.40.1:kubectl get secret service.domain.com -oyaml
```yaml root@4de00908bc18:/# kubectl get secret service.domain.com -oyaml apiVersion: v1 data: ca.crt:tls.crt: kind: Secret metadata: annotations: certmanager.k8s.io/alt-names: service.domain.com certmanager.k8s.io/common-name: service.domain.com certmanager.k8s.io/ip-sans: "" certmanager.k8s.io/issuer-kind: ClusterIssuer certmanager.k8s.io/issuer-name: vault-issuer creationTimestamp: "2019-06-21T08:42:00Z" labels: certmanager.k8s.io/certificate-name: service.domain.com name: service.domain.com namespace: default type: kubernetes.io/tls ```
- Note that TLS secrets, as well as Ingress resources, did not change after the upgrade
I'm a bit puzzled here...
- Why does
--enable-dynamic-certificates=false
not exist anymore in 0.40.1, and can it be related? (#4245)- Is it possible, that the requirements for the certificate format changed with a later version of the IC? Does cert-manager create secrets that the newer IC versions can't deal with?
- And most importantly: how do I get back the full ssl-chain? 😅
- I already tried my luck in the slack channel, so far without any response, that's why I try it here...
Any help kindly appreciated!
/triage support
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
In addition to that, I checked the contents of the ingress controller container, which shows, that the default-service.domain.com-full-chain.pem
doesn't seem to exist in 0.40.1:
Contents in a 0.24.1
container:
www-data@ip-11-220-168-28:/etc/nginx$ ls -lah /etc/ingress-controller/ssl/
total 356K
drwxr-xr-x 1 www-data www-data 4.0K Feb 11 12:22 .
drwxr-xr-x 1 root root 4.0K Apr 13 2019 ..
-rw-r--r-- 1 www-data www-data 61K Feb 14 16:40 ca-default-casecret.pem
-rw-r--r-- 1 www-data www-data 2.2K Feb 14 00:40 default-service.domain.com-full-chain.pem
-rw-r--r-- 1 www-data www-data 12K Feb 14 00:39 default-service.domain.com.pem
Flags set for 0.24.1
:
containers:
- args:
- /nginx-ingress-controller
- --default-backend-service=ingress/ingress-nginx-default-backend
- --election-id=ingress-controller-leader
- --ingress-class=portal
- --configmap=ingress/ingress-nginx-controller
- --enable-dynamic-certificates=false
- --enable-ssl-chain-completion=true
- --enable-ssl-passthrough=true
Contents in a 0.40.1
container:
bash-5.0$ ls -lah /etc/ingress-controller/ssl/
total 224K
drwxr-xr-x 1 www-data www-data 4.0K Feb 12 13:01 .
drwxr-xr-x 1 www-data www-data 4.0K Oct 2 17:57 ..
-rw-r--r-- 1 www-data www-data 60.9K Feb 12 13:02 ca-default-casecret.pem
-rwx------ 1 www-data www-data 7.5K Feb 12 13:02 default-service.domain.com.pem
Flags set for 0.40.1
:
containers:
- args:
- /nginx-ingress-controller
- --default-backend-service=ingress/ingress-nginx-defaultbackend
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --ingress-class=portal
- --configmap=ingress/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-ssl-chain-completion=true
- --enable-ssl-passthrough=true
It might be, that I'm on the wrong track, but I have the feeling that --enable-dynamic-certificates=false
is the key point here, as the flag has been removed and dynamic certificates are enabled by default... It would be great if anyone who has more knowledge on that matter could confirm...
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close
.
Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
I have this promplem
The flag was removed in https://github.com/kubernetes/ingress-nginx/commit/9c6873a55d1db5dd8a6d7ebb7cd24a84fe977146
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close
.
Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/reopen
/remove-lifecycle rotten
Please send feedback to sig-contributor-experience at kubernetes/community.
/close
@k8s-triage-robot: Closing this issue.
Did anybody find out how to get nginx ingress controller to send the ca.crt
from a Ingress TLS secret to the client (i.e. send full chain)?
Same problem here. Any solutions?
I am also not seeing nginx provide the intermediate certificate from my tls.crt. Installed from Helm chart v4.0.12.
Try this:
This works for me while using the certificate as a default
Name: ingress-nginx-controller-7598bb9dbd-7fxkq
Namespace: ingress-nginx
...
Containers:
controller:
...
Args:
/nginx-ingress-controller
--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
--election-id=ingress-controller-leader
--controller-class=k8s.io/ingress-nginx
--configmap=$(POD_NAMESPACE)/ingress-nginx-controller
--default-ssl-certificate=ingress-nginx/cert
->
* Certificates Information:
Hostname sent for SNI: test.foo.bar
Number of certificates detected: 1
Certificate #0 ( _RSAPublicKey )
SHA1 Fingerprint: 123
Common Name: *.foo.bar
Issuer: Sectigo RSA Domain Validation Secure Server CA
Serial Number: 123
Not Before: 2021-05-31
Not After: 2022-05-31
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 4096
Exponent: 65537
DNS Subject Alternative Names: ['*.foo.bar']
Certificate #0 - Trust
Hostname Validation: OK - Certificate matches server hostname
Android CA Store (9.0.0_r9): OK - Certificate is trusted
Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):OK - Certificate is trusted
Java CA Store (jdk-13.0.2): OK - Certificate is trusted
Mozilla CA Store (2021-01-24): OK - Certificate is trusted
Windows CA Store (2021-02-08): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: *.foo.bar --> Sectigo RSA Domain Validation Secure Server CA --> USERTrust RSA Certification Authority
Verified Chain: *.foo.bar --> Sectigo RSA Domain Validation Secure Server CA --> USERTrust RSA Certification Authority
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: OK - 3 SCTs included
Did anybody find out how to get nginx ingress controller to send the
ca.crt
from a Ingress TLS secret to the client (i.e. send full chain)?
Did you?
NGINX Ingress controller version:
0.40.1
Kubernetes version (use
kubectl version
):1.16.4
Environment:
uname -a
): 5.4.0-1037-awsWhat happened:
Hi, we just recently updated our ingress controllers from
0.24.1
to0.40.1
. So far so good.What we now noticed is, that our intermediate certificates are not any longer part of the ssl-chain on an ssl connect:
openssl s_client -connect on a 0.40.1 endpoint
```bash $ openssl s_client -connect service.domain.com:443 -servername service.domain.com CONNECTED(00000005) depth=0 C = IE, ST = City, L = Country, O = Organisation, OU =What you expected to happen:
An output, similar to environments where we are running 0.24.1 (without)
openssl s_client -connect on a 0.24.1 endpoint
``` $ openssl s_client -connect otherservice.domain.com:443 -servername otherservice.domain.com CONNECTED(00000005) depth=2 DC = com, DC =How to reproduce it:
Anything else we need to know:
We have multiple environments running and only those with the updated version IC
0.40.1
show this behavior.from the Helm-Chart we enabled the following
extraArgs
. Please note, that with 0.24.1 we also enabledenable-dynamic-certificates: "false"
, which does not seem to exist anymore. I'm explicitly pointing that out, as I found issue #4245.all nginx-ingress-controller arguments used
``` spec: containers: - args: - /nginx-ingress-controller - --default-backend-service=ingress/ingress-nginx-defaultbackend - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=portal - --configmap=ingress/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - --enable-ssl-chain-completion=true - --enable-ssl-passthrough=true ```nginx.ingress.kubernetes.io/configuration-snippet
, which hasn't changed after we updated to 0.40.1:Sample Ingress
```yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: ingress.kubernetes.io/force-ssl-redirect: "true" ingress.kubernetes.io/rewrite-target: / kubernetes.io/ingress.class: portal nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false" nginx.ingress.kubernetes.io/auth-tls-secret: default/casecret nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" nginx.ingress.kubernetes.io/configuration-snippet: | set $allowed 0; if ($ssl_client_i_dn = "CN=v0.9.1
(I know, pretty old - the upgrade is WIP) to get TLS certificates that are then inserted into our ingress resources. So for the sake of completeness a sample Kubernetes secret as it is used with 0.24.1 and 0.40.1:kubectl get secret service.domain.com -oyaml
```yaml root@4de00908bc18:/# kubectl get secret service.domain.com -oyaml apiVersion: v1 data: ca.crt:I'm a bit puzzled here...
--enable-dynamic-certificates=false
not exist anymore in 0.40.1, and can it be related? (#4245)Any help kindly appreciated!
/triage support