Ingress controller is not getting updated with tls certificates

[40107854]

Hello team,

We have seen a problem as ssl cert of nginx ingress controller got expired recently and we renewed the ssl cert and deleted the existing tls secret and created the new tls secret . But the ingress controller is not accepting the tls certificate. Attaching the logfile here. Our Architecture is we have 1. Micro frontends and 2. Micro backends and 3. App Service (UI) & 4. Azure APIM (Api's).

Micro front ends and backend microservices in AKS cluster (not private) in different name spaces and both have different ssl certs. request flow is from internet request goes to AppGW (App service listens) --> AKS AppGW (micro front end listens) --> Azure APIM (Api) --> Ingress Controller (Backend Micro services) --> Cosmos DB.

Previously everything working fine, after ssl cert expired recently and we got new ssl cert and i have created the new tls secret (with same old secret name, deleted and created new ). But this time its not working.

I see that there is no problem with the frontend or backend pods, i checked the logs. ingress-controller.log

below is the ingress controller deployment yaml. ingress-controller.log

Please edit the object below. Lines beginning with a '#' will be ignored,

and an empty file will abort the edit. If an error occurs while saving this file will be

reopened with the relevant failures.

# apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "3" meta.helm.sh/release-name: ingress-nginx meta.helm.sh/release-namespace: ingress-basic creationTimestamp: "2022-12-21T12:08:18Z" generation: 3 labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/version: 1.5.1 helm.sh/chart: ingress-nginx-4.4.0 name: ingress-nginx-controller namespace: ingress-basic resourceVersion: "190221415" uid: f47d5957-298c-4d54-81d8-ed27866c3c80 spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: creationTimestamp: null labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx spec: containers:

• args:
  • /nginx-ingress-controller
  • --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
  • --election-id=ingress-nginx-leader
  • --controller-class=k8s.io/ingress-nginx
  • --ingress-class=nginx
  • --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
  • --validating-webhook=:8443
  • --validating-webhook-certificate=/usr/local/certificates/cert
  • --validating-webhook-key=/usr/local/certificates/key env:
  • name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name
  • name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace
  • name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so image: registry.k8s.io/ingress-nginx/controller:v1.0.0-alpha.2@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command:
    • /wait-shutdown livenessProbe: failureThreshold: 5 httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: controller ports:
  • containerPort: 80 name: http protocol: TCP
  • containerPort: 443 name: https protocol: TCP
  • containerPort: 8443 name: webhook protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 90Mi securityContext: allowPrivilegeEscalation: false capabilities: add:
    • NET_BIND_SERVICE drop:
    • ALL runAsUser: 101 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts:
  • mountPath: /usr/local/certificates/ name: webhook-cert readOnly: true dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ingress-nginx serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes:
• name: webhook-cert secret: defaultMode: 420 secretName: ingress-nginx-admission status: availableReplicas: 1 conditions:
  • lastTransitionTime: "2022-12-21T12:10:55Z" lastUpdateTime: "2022-12-21T12:10:55Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available
  • lastTransitionTime: "2022-12-21T12:08:18Z" lastUpdateTime: "2022-12-22T01:10:11Z" message: ReplicaSet "ingress-nginx-controller-759486695d" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 3 readyReplicas: 1 replicas: 1 updatedReplicas: 1

Initially i used helm chart to deployed ingress controller followed this link. https://learn.microsoft.com/en-us/azure/aks/ingress-basic?tabs=azure-cli. ut after that i have seen nginx version compatibility to kubernetes version in the link https://github.com/kubernetes/ingress-nginx & https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/

and i have update the image version v1.5.1 to v1.0.0-alpha.2 as our aks kubernetes version is 1.22.15.

The command i used to create kubernetes secret is below

kubectl create secret tls --cert --key -n

ingress-controller.log

please check and help us asap, its production cluster we are facing issues with from 1 week.

[k8s-ci-robot]

@40107854: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[longwuyuan]

The obvious reasons new TLS may not work is ;

• cn/alt-subject not matching host header
• expired cert
• misconfigured secret name
• secret in wrong namespace
• hostname in https request not matching the hostname in ingress
• misconfigured dns
• etc etc

Post the information that has relevance to the HTTPS request like ;

• complete and exact curl request with -v
• logs of the ingress-nginx-controller pod
• kubectl describe output of ingress
• kubectl describe output of secret for tls
• proof that the cn/subject-alt matches the hostname header in request using openssl s_client -connect
• any other such related info

[longwuyuan]

Probelm happened 2 years ago and there is no update so closing the issue.

/close

[k8s-ci-robot]

@longwuyuan: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/9438#issuecomment-2337506088): >Probelm happened 2 years ago and there is no update so closing the issue. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.