Reputation: 103
I have bought a wildcard SSL certificate from Azure App Service Certificate. I also have an AKS cluster. I want to put it in a secret and use it in an ingress. After the purchase, it stored the secret file in Azure Key Vault. I downloaded it and then imported it to create an Azure Key Vault certificate. Then, with akv2k8s, I created a secret in my AKS and used it in the ingress. After that, my application threw an 'err_cert_authority_invalid' error. Am I doing anything wrong? There is not much documentation on SSL and ingress. In many articles, they use 'Let's Encrypt' or 'Cert Manager'.
Upvotes: 0
Views: 2173
Reputation: 5159
• It can be due to the misinterpretation that the certificate is issued by the staging environment, or vice versa. For that purpose, I would suggest you check the 'stable/wordpress' helm chart with the ingress annotation 'certmanager.k8s.io/cluster-issuer': 'letsencrypt-staging'. This will result in a certificate being issued from the fake issuer. Thus, even if your certificate is ingressed into your AKS as a secret, it will be shown as issued by a fake issuer, since the chain of certificate hash validation is broken in between. Please find below the curl for that purpose:
# curl -vkI https://blog.my-domain.com/
...
* Server certificate:
* subject: CN=blog.my-domain.com
* start date: May 13 08:51:13 2019 GMT
* expire date: Aug 11 08:51:13 2019 GMT
* issuer: CN=Fake LE Intermediate X1
...
Then, list the ingresses as follows:
# kubectl get ing
NAME             HOSTS                ADDRESS          PORTS     AGE
blog-wordpress   blog.my-domain.com   35.200.214.186   80, 443   8m48s
and the certificates too:
# kubectl get certificates
NAME                  READY   SECRET                AGE
wordpress.local-tls   True    wordpress.local-tls   9m
Then, switch the issuer of the certificate to the one that originally issued the certificate, as below:
# kubectl edit ing blog-wordpress
And update the annotation as below:
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
Once the ingress manifest is updated, the certificate manifest will be updated automatically. To verify it, open the manifest of the 'wordpress.local-tls' certificate resource as below:
kubectl edit certificate wordpress.local-tls
The issuer will be seen as updated, as below:
kubectl edit certificate wordpress.local-tls
Thus, in this way, you will be able to import a certificate secret in AKS. For more details, I would suggest you refer to the link below:
https://github.com/vmware-archive/kube-prod-runtime/issues/532
Upvotes: 2
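A check for the curl output shown in the answer above, added here as an example (it is not code from the question, the answer, or any project named on the page): it parses curl's '* Server certificate:' lines and reports why a browser would reject what the ingress serves, including whether a wildcard subject actually covers the requested host. The sample outputs, the 'Example Public CA' issuer name and the reference time are constructed for the example.

```python
# Added example, not from the page; samples and REFERENCE_NOW are constructed.
import re
from datetime import datetime, timezone
# Issuers no browser trusts: the Let's Encrypt staging intermediate from the
# answer, and the self-signed placeholder ingress-nginx serves without a TLS secret.
UNTRUSTED_ISSUERS = ("Fake LE Intermediate X1",
                     "Kubernetes Ingress Controller Fake Certificate")
CURL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Aug 11 08:51:13 2019 GMT"
SAMPLE_STAGING = """\
* Server certificate:
* subject: CN=blog.my-domain.com
* start date: May 13 08:51:13 2019 GMT
* expire date: Aug 11 08:51:13 2019 GMT
* issuer: CN=Fake LE Intermediate X1
"""
SAMPLE_WILDCARD = (SAMPLE_STAGING  # same output for a well-issued wildcard cert
    .replace("CN=blog.my-domain.com", "CN=*.my-domain.com")
    .replace("Fake LE Intermediate X1", "Example Public CA"))
REFERENCE_NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)  # inside validity
def parse_curl_cert(output):
    # Collect subject / issuer / start date / expire date from curl's '* ' lines.
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\*\s*(subject|issuer|start date|expire date):\s*(.+)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields
def hostname_matches(pattern, host):
    """RFC 6125 wildcard rule: '*.example.com' covers one label, not the apex."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return pattern == host
def check_served_cert(output, host, now=REFERENCE_NOW):
    """Return the problems found; an empty list means the cert fits `host`."""
    c = parse_curl_cert(output)
    problems = []
    cn = re.search(r"CN=([^,/]+)", c.get("subject", ""))
    if not cn or not hostname_matches(cn.group(1).strip(), host):
        problems.append(f"subject {c.get('subject')!r} does not cover {host}")
    if any(bad in c.get("issuer", "") for bad in UNTRUSTED_ISSUERS):
        problems.append(f"issuer {c['issuer']!r} is not a publicly trusted CA")
    try:
        expire = datetime.strptime(c["expire date"], CURL_DATE).replace(tzinfo=timezone.utc)
        if expire < now:
            problems.append(f"certificate expired on {c['expire date']}")
    except (KeyError, ValueError):
        problems.append("could not read the expiry date")
    return problems
```

curl -v prints only the subject CN, so a certificate whose hostname lives in its SAN list still needs a full `openssl s_client -showcerts` check.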