Closed: Venthe closed this issue 2 years ago.
@Venthe: This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Certificates validated via openssl verify -CAfile ./ca.crt int.crt
CA cert is from the K8s cluster. Cluster is ephemeral as of now, so no harm in giving real certs.
As it turns out, the problem lay in the public key part of the intermediate CA being 512 bits, when it should be at least 2048. In essence, the default configuration hid the problem of SECLEVEL=2. To actually find the reason, I had to install ingress-nginx from the ingress itself, wherein I got 'ca key too small'.
192.168.0.105 - - [11/Feb/2022:21:12:50 +0000] "GET / HTTP/1.1" 308 164 "-" "curl/7.68.0" 81 0.000 [jenkins-jenkins-80] [] - - - - 50f6b627bc07e35779d63e3d9c6ca3f6
2022/02/11 21:12:56 [error] 49#49: *5483907 [lua] certificate.lua:259: call(): failed to set DER cert: SSL_add0_chain_cert() failed, context: ssl_certificate_by_lua*, client: 192.168.0.105, server: 0.0.0.0:443
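Why the command-line check above passed while the listener still refused the chain: `openssl verify` applies no public-key strength floor unless `-auth_level` is given (its default authentication level is "not set"), whereas nginx's TLS context uses OpenSSL's security level from openssl.cnf (Debian/Ubuntu builds ship SECLEVEL=2, which requires RSA keys of at least 2048 bits). A chain can therefore validate in the shell and still fail inside SSL_add0_chain_cert(), and ingress-nginx's Lua certificate callback logs only that the call failed, not the underlying OpenSSL reason string, while the client sees nothing but a TLS internal-error alert. The script below is an added example, not code from this thread or from the ingress-nginx project: it builds a throwaway three-tier chain whose intermediate key is too small and shows the same chain passing the default `openssl verify` and failing at `-auth_level 2`. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the names root/int/leaf, the CN values and the 1024-bit intermediate size are made up for the demo (the thread's intermediate was 512 bits; 1024 is used because every current openssl still generates it and it is still below the level-2 floor).

```shell
#!/bin/sh
# Added example, not from the thread or from ingress-nginx.
# Assumes: openssl 1.1.1 or 3.x on PATH. All file names, CNs and the
# 1024-bit intermediate size are demo choices, not values from the issue.

# make_chain DIR: root (2048) -> intermediate (1024, the weak link) -> leaf (2048)
make_chain() {
    dir=$1
    # intermediate must be marked as a CA or verification fails for an unrelated reason
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca-ext.cnf"
    # leaf: a plain server certificate, explicitly not a CA
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/leaf-ext.cnf"

    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj /CN=demo-root -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:1024 -nodes -sha256 \
        -subj /CN=demo-int -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ca-ext.cnf" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj /CN=demo-leaf -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf-ext.cnf" -out "$dir/leaf.crt" 2>/dev/null
}

# key_bits CERT: print the public key size in bits.
# Matches both "RSA Public-Key: (N bit)" (1.1.1) and "Public-Key: (N bit)" (3.x).
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# verify_chain DIR [extra openssl verify options]: exit status is openssl's own.
# Without -auth_level, key sizes are not checked at all; -auth_level 2 applies
# the same floor (RSA >= 2048) that a SECLEVEL=2 TLS stack enforces on load.
verify_chain() {
    dir=$1
    shift
    openssl verify "$@" -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" "$dir/leaf.crt"
}

# Demo run: build the chain, list key sizes, verify with and without a level.
work=$(mktemp -d)
make_chain "$work"
for c in root int leaf; do
    echo "$c.crt: $(key_bits "$work/$c.crt")-bit key"
done
echo "--- openssl verify (default: no authentication level, key sizes ignored)"
verify_chain "$work" || echo "unexpected failure at default level"
echo "--- openssl verify -auth_level 2 (what the SECLEVEL=2 listener actually demands)"
verify_chain "$work" -auth_level 2 || echo "rejected: the 1024-bit intermediate is below the level-2 floor"
rm -rf "$work"
```

Point `verify_chain` at the real root.crt, int.crt and leaf.crt from the cluster's TLS secret (or run `openssl verify -auth_level 2` directly on them) before handing the chain to the controller; a chain that fails at level 2 will also fail inside nginx on a SECLEVEL=2 build, with nothing more helpful than the SSL_add0_chain_cert() error in the log.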
/remove-kind bug
Does your last message mean this is resolved? If yes, then consider closing the issue. Thank you for updating the resolution.
Not really, because ingress-nginx/kubernetes is incapable of telling me what the problem is. Either way, closing.
Hello @Venthe, I have exactly the same problem. Do you have any update to fix this problem?
2022/10/02 14:40:10 [error] 29#29: *542 [lua] certificate.lua:263: call(): failed to set DER private key: d2i_PrivateKey_bio() failed, context: ssl_certificate_by_lua*, client: 10.65.52.35, server: 0.0.0.0:443
2022/10/02 14:40:10 [alert] 22#22: worker process 29 exited on signal 7 (core dumped)
➜ ~ openssl s_client -connect XXX:443 -prexit
CONNECTED(00000005)
0071125DF87F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Thank you!
@naofel1 in my case it was a cert that was encrypted below 2048. I used an alternative nginx ingress provider, and it showed me this info in the logs.
Try a cert with at least 2048 (or 4096?) bits.
@Venthe Oh ok, very interesting. I was using the Bitnami Nginx ingress controller. I just tried switching to the Nginx ingress from Kubernetes and the problem disappears. I think there is a problem with the previous Nginx version.
Thank you for your fast response!
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version):
NGINX Ingress controller Release: v1.1.1 Build: a17181e43ec85534a6fea968d95d019c5a4bc8cf Repository: https://github.com/kubernetes/ingress-nginx nginx version: nginx/1.19.9
Kubernetes version (use kubectl version): Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.3", GitCommit:"816c97ab8cff8a1c72eccca1026f7820e93e0d25", GitTreeState:"clean", BuildDate:"2022-01-25T21:19:12Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"linux/amd64"}
Environment:
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release): Debian GNU/Linux 11 (bullseye)
Kernel (e.g. uname -a): Linux truenas.local 5.10.70+truenas #1 SMP Mon Nov 22 21:32:24 UTC 2021 x86_64 GNU/Linux
Install tools:
Please mention how/where the cluster was created, like kubeadm/kops/minikube/kind etc.
Basic cluster related info:
kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:41:01Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"}
kubectl get nodes -o wide
truenas Ready control-plane,master 4d21h v1.23.3 192.168.0.105
How was the ingress-nginx-controller installed:
Others:
cert-manager cert-manager 1 2022-02-09 03:17:10.314664758 +0100 CET deployed cert-manager-v1.7.1 v1.7.1
What happened:
When supplied with certificates, ingress cannot serve them with error
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
What you expected to happen:
Certificate chain is provided