Reputation: 3579
Unable to SSL Pass through Ingress Nginx Controller
I have a Java Spring Boot Application and I have configured the server to run on SSL and it is mandatory.
server:
port: 8443
ssl:
enabled: true
key-store-type: pkcs12
key-store: ${KEYSTORE}
key-password: ${KEYSTORE_PASSWORD}
key-store-password: ${KEYSTORE_PASSWORD}
client-auth: need
I have created a cert for my domain *.kahootali.com from LetsEncrypt certificate and created a p12 file for the keystore by running
openssl pkcs12 -export -CAfile ca.crt -in cert.pem -inkey key.pem -certfile cert.pem -out kstore.p12
I want to expose it on Kubernetes using Ingress Nginx Controller, so I have created secret by
kubectl create secret generic store --from-file=kstore.p12
I have deployed application, can see the deployment files, and when I port-forward local 8443 to its service's 8443 and run
curl -iv --cacert ca.crt --cert mediator_cert.pem --key mediator_key.pem --resolve 'spring-app.kahootali.com:8443:127.0.0.1' https://spring-app.kahootali.com:8443/
It works fine and returns
* Added spring-app.kahootali.com:8444:127.0.0.1 to DNS cache
* Hostname spring-app.kahootali.com was found in DNS cache
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to spring-app.kahootali.com (127.0.0.1) port 8444 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: ca.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.kahootali.com
* start date: Feb 11 10:27:47 2021 GMT
* expire date: May 12 10:27:47 2021 GMT
* subjectAltName: host "spring-app.kahootali.com" matched cert's "*.kahootali.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: spring-app.kahootali.com:8444
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 404
HTTP/1.1 404
< X-Application-Context: application:8443
X-Application-Context: application:8443
< Content-Type: application/json;charset=UTF-8
Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Date: Sun, 14 Feb 2021 14:29:47 GMT
Date: Sun, 14 Feb 2021 14:29:47 GMT
<
* Connection #0 to host spring-app.kahootali.com left intact
{"timestamp":1613312987350,"status":404,"error":"Not Found","message":"No message available","path":"/"}
But when I create an Ingress for it and ssl-passthrough it
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: spring-monitoring-app
labels:
app: spring-monitoring-app
annotations:
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: spring-app.kahootali.com
http:
paths:
- path: /
backend:
serviceName: spring-monitoring-app
servicePort: http
tls:
- hosts:
- spring-app.kahootali.com
secretName: tls-cert
It gives ERR_BAD_SSL_CLIENT_AUTH_CERT on browser and in app Debug level logs, it gives
Error during SSL handshake
java.io.IOException: EOF during handshake.
The SNI host name extracted for this connection was [spring-app.kahootali.com]
Handshake failed during wrap
javax.net.ssl.SSLHandshakeException: Empty server certificate chain
Upvotes: 4
Views: 3270
Answers (1)
Reputation: 11098
I'm posting my comment as an answer for better visibility:
As per the docs SSL Passthrough feature is disabled by default. In order to enable it you need to start your nginx-ingress controller with --enable-ssl-passthrough flag. Make sure you didn't forget about it.
You may also take a look at this troubleshooting steps to verify your nginx-ingress controller configuration.
Please let me know if it helps.
Upvotes: 5
Related Questions
- Kubernetes NGINX Ingress Controller not picking up TLS Certificates
- ssl_client_certificate failed 403 forbidden
- Kubernetes Load Balancer Oracle Cloud NGINX ingress controller problem
- Https connection refused, using ingress-nginx
- Https not working locally for ingress on my kubernetes cluster
- Configuring end to end SSL using Nginx Ingress controller
- SSL passthrough not being configured for ingress-nginx backend
- Nginx ingress controller still redirect to SSL
- Kubernetes https ingress 400 response
- Kubernetes: Nginx Ingress Annotation ----> nginx.ingress.kubernetes.io/secure-backends