VijayNannapaneni

Reputation: 181

SSL Certificate added but shows "Kubernetes Ingress controller fake certificate"

I am new to GCP/Cloud. I have created a cluster in GKE, deployed our application there, and installed nginx as a pod in the cluster. Our company has an authorized SSL certificate, which I have uploaded under Certificates in GCP.

In the DNS service, I have created an A record which matches the IP of the Ingress. When I call the URL in the browser, it still shows that the website is insecure, with the message "Kubernetes Ingress controller fake certificate".

I used the following guide https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#console_1

However, I am not able to execute step 3, "Associate an SSL certificate with a target proxy", because it asks for "URL Maps" and I am not able to find that in the GCP Console.

Has anybody gone through the same issue, or could anybody help me out? It would be great.

Upvotes: 17

Views: 62795

Answers (4)

Kira

Reputation: 452

In my case, I only had the entry for '*.mydomain.io' in the spec.tls.hosts section. I needed to add mydomain.io as well.

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mydomain-ingress
spec:
  tls:
    - hosts:
      - '*.mydomain.io'
      - mydomain.io   # this is required
      secretName: secret-mydomain-20240305
  ingressClassName: nginx
  rules:
    - host: '*.mydomain.io'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mydomain-frontend
                port:
                  number: 3001
    - host: mydomain.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mydomain-frontend
                port:
                  number: 3001

Upvotes: 0

Tudor

Reputation: 1578

According to RFC-6521:

Move away from including and checking strings that look like domain names in the subject's Common Name.

and:

Move toward including and checking DNS domain names via the subjectAlternativeName extension designed for that purpose: dNSName.

So don't forget to check that the Subject Alternative Name actually contains the same value the CN contains. If it does not, the certificate might not be valid in some browsers.

Upvotes: -2
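The two answers above describe two different ways a name can end up uncovered: a rule host that is missing from spec.tls.hosts (so the controller has no certificate for that server name and serves its fake one), and a certificate whose CN names the host but whose SAN does not. The script below is an added example, not code from either answer: it lints an Ingress given as a Python dict in the same shape as the YAML, and a certificate given in the dict shape that ssl.SSLSocket.getpeercert() returns, so it runs offline with no PyYAML and no cluster. The wildcard rule it implements is the RFC 6125 one (a leftmost '*' matches exactly one label); the sample Ingress and certificate values are constructed, and the secret name and "apex listed in CN only" certificate are assumptions for illustration.

```python
# Added example (not from the original answers): lint spec.tls.hosts against
# spec.rules, and a certificate's SAN list against spec.tls.hosts.

def host_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name match: '*' may only be the whole leftmost label
    and matches exactly one label. '*.mydomain.io' covers 'www.mydomain.io'
    but neither 'mydomain.io' (no label left to match) nor 'a.b.mydomain.io'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".mydomain.io"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def san_covers(san_name: str, tls_host: str) -> bool:
    """A wildcard tls.hosts entry needs the same wildcard in the SAN; a plain
    host may be covered by an exact SAN entry or by a one-label wildcard."""
    if tls_host.startswith("*."):
        return san_name.lower() == tls_host.lower()
    return host_matches(san_name, tls_host)


def cert_dns_names(cert: dict) -> list[str]:
    """dNSName entries of subjectAltName; the CN is deliberately not consulted."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_common_names(cert: dict) -> list[str]:
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def lint(ingress: dict, cert: dict) -> dict:
    spec = ingress["spec"]
    tls_hosts = [h for block in spec.get("tls", []) for h in block.get("hosts", [])]
    rule_hosts = [r["host"] for r in spec.get("rules", []) if r.get("host")]
    san = cert_dns_names(cert)
    return {
        # Rule hosts not listed verbatim under spec.tls[].hosts: the controller
        # has no certificate for that server name and falls back to its fake one.
        "rule_hosts_without_tls": [h for h in rule_hosts if h not in tls_hosts],
        # tls.hosts entries the certificate's SAN does not cover.
        "tls_hosts_not_in_san": [h for h in tls_hosts if not any(san_covers(s, h) for s in san)],
        # Names present only in the CN: browsers ignore these, so they count for nothing.
        "cn_only": [cn for cn in cert_common_names(cert) if not any(san_covers(s, cn) for s in san)],
    }


def make_ingress(tls_hosts, rule_hosts) -> dict:
    """Minimal Ingress shape the linter reads (backend details omitted)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "spec": {"tls": [{"hosts": list(tls_hosts), "secretName": "secret-mydomain"}],
                     "rules": [{"host": h} for h in rule_hosts]}}


# Constructed certificate: the CN names the apex but the SAN only has the wildcard.
CERT_WILDCARD_ONLY = {
    "subject": ((("commonName", "mydomain.io"),),),
    "subjectAltName": (("DNS", "*.mydomain.io"),),
}

if __name__ == "__main__":
    before = make_ingress(["*.mydomain.io"], ["*.mydomain.io", "mydomain.io"])
    after = make_ingress(["*.mydomain.io", "mydomain.io"], ["*.mydomain.io", "mydomain.io"])
    print("before fix:", lint(before, CERT_WILDCARD_ONLY))
    print("after fix: ", lint(after, CERT_WILDCARD_ONLY))
```

Run against the "before" manifest it reports mydomain.io under rule_hosts_without_tls, which is exactly the gap the first answer closed; against the "after" manifest it reports mydomain.io under tls_hosts_not_in_san and cn_only, which is the second answer's point: the Ingress is now right, but this certificate would still fail for the apex because the apex lives only in the CN.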

Harsh Manvar

Reputation: 30160

You can save your SSL/TLS certificate into the K8s secret and attach it to the ingress.

You need to configure the TLS block in the Ingress; don't forget to add the ingress.class details in the Ingress.

# extensions/v1beta1 Ingress (legacy API, removed in Kubernetes 1.22)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
  annotations:
    # the ingress.class details mentioned above
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: mydomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: my-service
              servicePort: 80
  tls:
    - hosts:
        - mydomain.com
      secretName: my-tls-secret

You can read more at: https://medium.com/avmconsulting-blog/how-to-secure-applications-on-kubernetes-ssl-tls-certificates-8f7f5751d788

You might be seeing something like this in the browser:

[screenshot of the browser certificate warning]

That's from the ingress controller: either the wrong certificate is attached to the Ingress, or the ingress controller's default fake cert is being served.

Upvotes: 3

VinGarcia

Reputation: 1205

I was able to fix this problem by adding an extra argument to the ingress-nginx-controller deployment.

For context: my TLS secret was in the default namespace and was named letsencrypt-secret-prod, so I wanted to add this as the default SSL certificate for the Nginx controller.

My first solution was to edit the deployment.yaml of the Nginx controller and add, at the end of the containers[0].args list, the following line:

- '--default-ssl-certificate=default/letsencrypt-secret-prod'

Which made that section of the yaml look like this:

      containers:
        - name: controller
          image: >-
            k8s.gcr.io/ingress-nginx/controller:v1.2.0-beta.0@sha256:92115f5062568ebbcd450cd2cf9bffdef8df9fc61e7d5868ba8a7c9d773e0961
          args:
            - /nginx-ingress-controller
            - '--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller'
            - '--election-id=ingress-controller-leader'
            - '--controller-class=k8s.io/ingress-nginx'
            - '--ingress-class=nginx'
            - '--configmap=$(POD_NAMESPACE)/ingress-nginx-controller'
            - '--validating-webhook=:8443'
            - '--validating-webhook-certificate=/usr/local/certificates/cert'
            - '--validating-webhook-key=/usr/local/certificates/key'
            - '--default-ssl-certificate=default/letsencrypt-secret-prod'

But I was using the helm chart ingress-nginx/ingress-nginx, so I wanted this config to be in the values.yaml file of that chart, so that I could upgrade it later if necessary.

So, reading the values file, I replaced the attribute controller.extraArgs, which looked like this:

  extraArgs: {}

with this:

  extraArgs:
    default-ssl-certificate: default/letsencrypt-secret-prod

This restarted the deployment with the argument in the correct place.

Now I can use ingresses without specifying the tls.secretName for each of them, which is awesome.

Here's an example ingress that is working for me with HTTPS:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: some-ingress-name
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
  - http:
      paths:
      - path: /some-prefix
        pathType: Prefix
        backend:
          service:
            name: some-service-name
            port:
              number: 80

Upvotes: 17
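Whether the fix is a per-Ingress tls block or the controller-wide --default-ssl-certificate argument above, the check that tells you which certificate the controller is actually serving for a given server name is an SNI handshake followed by a look at the subject, issuer and SAN. The script below is an added example, not part of the answer: it parses the text that `openssl x509 -noout -subject -issuer -ext subjectAltName` prints and classifies the certificate as the ingress-nginx placeholder (recognised by the CN string from the question), some other self-signed certificate, or a CA-issued one. The probe() helper runs a live handshake through the openssl binary; the two sample outputs are constructed, and the placeholder's organisation and SAN values and the example CA names are assumptions.

```python
import re
import subprocess

# ingress-nginx serves this self-signed placeholder when no TLS secret matches
# the requested server name; the CN is the string the browser warning shows.
FAKE_CN = "Kubernetes Ingress Controller Fake Certificate"

# Constructed sample of `openssl x509 -noout -subject -issuer -ext subjectAltName`
# output for the placeholder (O and SAN values assumed; only the CN is from the question).
SAMPLE_FAKE = """\
subject=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
X509v3 Subject Alternative Name: 
    DNS:ingress.local
"""

# Constructed sample for a CA-issued certificate that covers the domain.
SAMPLE_REAL = """\
subject=CN = mydomain.io
issuer=C = US, O = Example CA, CN = Example Issuing CA
X509v3 Subject Alternative Name: 
    DNS:mydomain.io, DNS:*.mydomain.io
"""

# Handles both "O = Acme Co, CN = x" (OpenSSL 1.1+) and "/O=Acme Co/CN=x" (older) layouts.
_CN = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")
_DNS = re.compile(r"DNS:([^,\s]+)")


def parse_x509_text(text: str) -> dict:
    """Extract subject, issuer, their CNs and the SAN dNSNames from openssl's text output."""
    info = {"subject": "", "issuer": "", "san": []}
    for line in text.splitlines():
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):].strip()
        else:
            info["san"].extend(_DNS.findall(line))
    for key in ("subject", "issuer"):
        m = _CN.search(info[key])
        info[key + "_cn"] = m.group(1).strip() if m else None
    return info


def classify(info: dict) -> str:
    """'fake-default': nothing matched the SNI name, so the placeholder was served;
    'self-signed': a self-issued cert is configured; 'ca-issued': issuer differs."""
    if info["subject_cn"] == FAKE_CN:
        return "fake-default"
    if info["subject"] == info["issuer"]:
        return "self-signed"
    return "ca-issued"


def probe(host: str, sni: str, port: int = 443) -> dict:
    """Live check (needs the openssl binary): fetch the certificate the controller
    serves for `sni` at host:port and classify it. Not exercised offline."""
    handshake = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni],
        input=b"", capture_output=True, check=True).stdout
    text = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-ext", "subjectAltName"],
        input=handshake, capture_output=True, check=True).stdout.decode()
    info = parse_x509_text(text)
    info["kind"] = classify(info)
    return info


if __name__ == "__main__":
    for label, sample in (("placeholder", SAMPLE_FAKE), ("real", SAMPLE_REAL)):
        info = parse_x509_text(sample)
        print(label, classify(info), info["san"])
```

Calling probe() with the Ingress IP as host and the domain as sni is the useful form: a "fake-default" result after the default-ssl-certificate change means the controller did not pick the secret up (wrong namespace/name in the argument, or the deployment has not restarted yet), while "ca-issued" with the expected SAN list confirms the company certificate is the one being served.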
