Divya Vyas

Reputation: 343

Kubernetes ingress controller not able to find the certificate secret

I am setting up a secret containing the certificate for the ingress controller, but I get the error below when I check the ingress logs.

Ingress logs:

W0304 05:47:32.020497       7 controller.go:1153] Error getting SSL certificate "default/auth-tls": local SSL certificate default/auth-tls was not found. Using default certificate
W0304 05:47:32.020516       7 controller.go:1407] Error getting SSL certificate "default/auth-tls": local SSL certificate default/auth-tls was not found
I0304 05:47:32.114777       7 main.go:117] "successfully validated configuration, accepting" ingress="hello-kubernetes-ingress" namespace="default"

Secret:

$ kubectl create secret tls auth-tls --cert key.pem --key out.key
$ kubectl describe secret auth-tls
Name:         auth-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  3231 bytes
tls.key:  1732 bytes

Below is my YAML file for the ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: https://externalauthentication/authorize
spec:
  rules:
  - host: hw1.yourdomain
    http:
      paths:
      - backend:
          serviceName: hello-kubernetes-first
          servicePort: 80
  - host: hw2.yourdomain
    http:
      paths:
      - backend:
          serviceName: hello-kubernetes-second
          servicePort: 80
  tls:
  - hosts:
    - externalauthentication
    - hw1.yourdomain
    secretName: auth-tls

Upvotes: 11

Views: 16644

Answers (4)

tuwilof

Reputation: 587

In my case, I used the root certificate instead of the certificate. After the fix, everything started working fine.

Upvotes: 1

Andreas

Reputation: 373

We also experienced this problem in our Kubernetes cluster.

We have a setup where the TLS certificate is provisioned in an Azure Key Vault and copied to the cluster using akv2k8s.

It turns out that the order of certificates in the Kubernetes secret was wrong. In order for this to work, the order should be (from the top of the file to the bottom):

  • Leaf
  • Intermediary
  • Root cert (not mandatory)

If the order of the certificates is not correct, the TLS key will not be able to verify the public key and Kubernetes will not recognise the secret as a valid certificate.

Upvotes: 2

Shasta Kota

Reputation: 256

For anyone else experiencing this problem, I just wanted to add my experience from just now. I was getting the same error saying it could not find my TLS cert, which I had added in a different namespace. The problem was that the cert was not defined correctly. I deployed it from my git repo where I have the crt and key values both set to the crt value so that my key is not in the git repo. I forgot to go back and update the secret's key value with the actual key. This misconfiguration for some reason resulted in ingress saying it couldn't find the certificate. It appears to be simply an incorrect error message.

Upvotes: 1

Wytrzymały Wiktor

Reputation: 13878

Both the Ingress and the Secret are namespaced resources. You can check yourself with:

$ kubectl api-resources --namespaced=true
NAME                        SHORTNAMES   APIGROUP                    NAMESPACED   KIND
...
secrets                                                              true         Secret
...
ingresses                   ing          extensions                  true         Ingress
ingresses                   ing          networking.k8s.io           true         Ingress

They can only work within their namespace. So in your use case you need to put both of them (Ingress and Secret) in the same namespace.

Upvotes: 4
