  1. I have created a brand new K8S cluster

  2. I have created the Ingress nginx controller.

  3. The controller created a namespace with all of the required Pods, Svcs, etc.

  4. I have created an Ingress object that routes the traffic to a Deployment service with TLS enabled.

  5. I have created a cluster issuer object.

  6. When inspecting kubectl describe cert, everything is okay and ready.

  7. When inspecting kubectl describe clusterissuer, everything is okay as well.

  8. When doing curl https://example.com/ it returns the following error:

    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Without SSL, access from outside is enabled and works properly; when adding the SSL configuration back to the Ingress object, it fails again.


ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - k8s-poc.example.com
    secretName: echo-tls
  rules:
    - host: k8s-poc.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-svc
                port:
                  number: 3333

test-depl.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-depl
  labels:
    app: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - name: test
        image: mydockeruser/test:42
        ports:
        - containerPort: 3333
      imagePullSecrets:
      - name: docker-regcred
      terminationGracePeriodSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: test-svc
spec:
  selector:
    app: test
  ports:
    - name: http
      protocol: TCP
      port: 3333
      targetPort: 3333

prod-issuer.yaml:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: my@email.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
              
    Make sure you are using latest certmanager; that `openssl s_client -servername k8s-poc.example.com -connect k8s-poc.example.com:443` returns correct certificate; and also try to curl from other machine. – Matt Mar 11 '21 at 14:28
  • In addition to what Matt said... As far as I know, you also can't request a certificate for example.com or its subdomains, as you don't own it. So if you were actually using your own domain, you should mention that. – Gerry Mar 18 '21 at 19:26
  • Try adding the ingress annotation `kubernetes.io/ingress.class: "nginx"`; also, I hope you have added the ingress load balancer IP to DNS. – Harsh Manvar Apr 30 '21 at 04:12
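The `openssl s_client` check suggested in the comments is the fastest way to tell which of the usual causes produces curl's "unable to get local issuer certificate": the controller serving its fallback certificate because no Ingress with a usable TLS secret matched the host, a self-signed placeholder, or a CA-issued leaf sent without its intermediate. The helper below is an added example, not code from the question, ingress-nginx or cert-manager; it assumes OpenSSL 1.1-style `subject=`/`issuer=` lines and `-showcerts` output, and the two sample transcripts it ships with are constructed.

```shell
#!/bin/sh
# Added diagnostic helper; not from the question, ingress-nginx or cert-manager.
# Feed it the output of (host name taken from the question's ingress.yaml):
#   openssl s_client -showcerts -servername k8s-poc.example.com \
#     -connect k8s-poc.example.com:443 </dev/null 2>/dev/null | classify_served_cert
classify_served_cert() {
  out=$(cat)                                          # buffer stdin: it is scanned three times
  subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
  chain_len=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
  case "$subject" in
    *"Kubernetes Ingress Controller Fake Certificate"*)
      # ingress-nginx fallback: no Ingress with this host and a loadable TLS secret was picked up
      echo "fake-default-cert" ;;
    *)
      if [ -z "$subject" ]; then
        echo "no-certificate"                         # TLS handshake did not complete
      elif [ "$subject" = "$issuer" ]; then
        echo "self-signed"                            # never chains to a public root
      elif [ "$chain_len" -lt 2 ]; then
        echo "ca-issued-missing-intermediate"         # leaf only: curl cannot reach a root
      else
        echo "ca-issued-with-chain"
      fi ;;
  esac
}

# Constructed, abridged s_client transcripts; the PEM bodies are placeholders, not real certs.
SAMPLE_FAKE="-----BEGIN CERTIFICATE-----
MIIC...placeholder...
-----END CERTIFICATE-----
Server certificate
subject=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
    Verify return code: 18 (self signed certificate)"
SAMPLE_LEAF_ONLY="-----BEGIN CERTIFICATE-----
MIIF...placeholder...
-----END CERTIFICATE-----
Server certificate
subject=CN = k8s-poc.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
    Verify return code: 21 (unable to verify the first certificate)"

printf '%s\n' "$SAMPLE_FAKE" | classify_served_cert       # fake-default-cert
printf '%s\n' "$SAMPLE_LEAF_ONLY" | classify_served_cert  # ca-issued-missing-intermediate
```

A `fake-default-cert` result points at the Ingress itself (class annotation, host, or secret name), whereas `ca-issued-missing-intermediate` means the issued certificate is fine but the served chain is incomplete.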
