
I have an application that needs client certificate authentication for a particular API. If I try to authenticate using a client certificate via the pod or service URL, it works fine.

As soon as I try to do that using the nginx ingress URL it stops working resulting in a 502 Error. The ingress logs show:

2020/02/11 13:07:36 [error] 7285#7285: *8030939 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] sticky.lua:134: balance(): failed to get new upstream; using upstream nil while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] balancer.lua:269: balance(): no peer was returned, balancer: sticky_balanced while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [crit] 7285#7285: *8030939 connect() to 0.0.0.1:80 failed (22: Invalid argument) while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 upstream server temporarily disabled while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"

I tried enabling client certificate authentication at the Ingress level, but that breaks other APIs that do not require client certificate authentication.

Is there a way in which the Ingress won't try to do certificate authentication but will pass the certificate to the application, so that the application can take care of the certificate authentication?

Rana
  • That sounds interesting. I will try to investigate and let you know. In case you resolve the issue faster, please let me know. – Nick Feb 12 '20 at 17:56
  • @Nick Any luck ? – Rana Feb 16 '20 at 17:14
  • I haven't found a solution yet. Am I right that your app is running on a pod inside a cluster? So you are able to authenticate "internally" by sending a request to a particular pod or service (which in turn delivers it to the proper pods) and only "external" auth failed (when the request is sent to the Ingress URL)? – Nick Mar 02 '20 at 10:13
  • That's correct, Nick – Rana May 13 '20 at 06:24

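The ingress log excerpt above tells the story in a fixed order: the ingress-to-backend TLS handshake fails with alert 42 (bad_certificate in RFC 5246 terms, i.e. the backend rejected what the ingress presented in its own handshake), the Lua balancer then reports no usable peer, and nginx falls through to the 0.0.0.1:80 placeholder that ingress-nginx configures as the default server of its upstream block, which is what surfaces as the 502. The following script is an added example written for this page, not code from the question or from the ingress-nginx project: it parses those five lines (copied verbatim as the constructed sample), extracts the TLS alert number and upstream per line, and groups the events by nginx connection id so a backend mTLS failure can be told apart from a genuinely unreachable backend. The alert-name table and the placeholder address are assumptions stated in the comments.

```python
"""Triage helper for ingress-nginx error-log lines about upstream TLS handshakes."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the five ingress log lines quoted in the question, verbatim.
SAMPLE_LOG = """
2020/02/11 13:07:36 [error] 7285#7285: *8030939 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] sticky.lua:134: balance(): failed to get new upstream; using upstream nil while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] balancer.lua:269: balance(): no peer was returned, balancer: sticky_balanced while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [crit] 7285#7285: *8030939 connect() to 0.0.0.1:80 failed (22: Invalid argument) while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
2020/02/11 13:07:36 [warn] 7285#7285: *8030939 upstream server temporarily disabled while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
"""

# TLS alert descriptions for the certificate-related codes (RFC 5246, section 7.2.2).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Assumption: ingress-nginx uses 0.0.0.1 as the placeholder server of its Lua-driven
# upstream block; a connect() to it means the balancer had no real peer to hand over.
PLACEHOLDER_UPSTREAM = "0.0.0.1:80"

# nginx error-log layout: "<date> <time> [<level>] <pid>#<tid>: *<conn> <msg>, client: ...".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<msg>.*?)"
    r"(?:, client: (?P<client>\S+))?"
    r"(?:, server: (?P<server>\S+))?"
    r'(?:, request: "(?P<request>[^"]*)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?$'
)
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error-log line into its fields; None if it is not in nginx's layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def alert_number(rec: Dict[str, Optional[str]]) -> Optional[int]:
    """The TLS alert number embedded in an OpenSSL error string, if any."""
    m = ALERT_RE.search(rec["msg"] or "")
    return int(m.group(1)) if m else None


def classify(rec: Dict[str, Optional[str]]) -> str:
    """Name the stage of the failure chain this line belongs to."""
    msg = rec["msg"] or ""
    upstream = rec.get("upstream") or ""
    if "SSL_do_handshake() failed" in msg and "handshaking to upstream" in msg:
        return "upstream_tls_handshake_failure"   # the backend rejected the ingress's handshake
    if PLACEHOLDER_UPSTREAM in upstream:
        return "no_upstream_peer"                 # nginx fell through to the placeholder server
    if "no peer was returned" in msg or "failed to get new upstream" in msg:
        return "balancer_no_peer"                 # Lua balancer gave up after the handshake error
    return "other"


def triage(log_text: str) -> Dict[str, object]:
    """Count failure stages, collect TLS alerts and group events by nginx connection id."""
    counts: Counter = Counter()
    alerts: List[Tuple[str, int, str]] = []
    by_conn: Dict[str, List[str]] = {}
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if rec is None:
            counts["unparsed"] += 1
            continue
        category = classify(rec)
        counts[category] += 1
        by_conn.setdefault(rec["conn"] or "?", []).append(category)
        code = alert_number(rec)
        if code is not None:
            alerts.append((rec["conn"] or "?", code, TLS_ALERTS.get(code, "unknown")))
    return {"counts": counts, "alerts": alerts, "by_connection": by_conn}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for conn, stages in result["by_connection"].items():
        print(f"connection *{conn}: {' -> '.join(stages)}")
    for conn, code, name in result["alerts"]:
        print(f"connection *{conn}: upstream sent TLS alert {code} ({name})")
```

Run against a live ingress-nginx controller log, a single connection id that walks through `upstream_tls_handshake_failure -> balancer_no_peer -> no_upstream_peer` with a certificate-class alert points at the backend's mTLS policy rejecting the ingress-originated handshake rather than at a scheduling or readiness problem, which is the distinction the 502 alone hides.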
0 Answers