Franck Charlier

Reputation: 23

Kubernetes ingress controller cannot find TLS certificate secret

I've actually been trying for a couple of days to set up TLS on my ingress controller. My Kubernetes cluster is hosted on Azure (AKS).

When I check the Ingress controller logs, I get this:

W1104 08:49:29.472478 7 backend_ssl.go:45] Error obtaining X.509 certificate: unexpected error creating SSL Cert: no valid PEM formatted block found

W1104 08:49:29.472595 7 controller.go:1334] Error getting SSL certificate "myapp-test/myapp-tls": local SSL certificate myapp-test/myapp-tls was not found. Using default certificate

W1104 08:49:29.472611 7 controller.go:1334] Error getting SSL certificate "myapp-test/myapp-tls": local SSL certificate myapp-test/myapp-tls was not found. Using default certificate

Here is my myapp-ingress.yml

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: myapp-test
  namespace: myapp-test
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - test-app.myapp.io
        - test-api.myapp.io
      secretName: myapp-tls
  rules:
    - host: test-app.myapp.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-frontend
                port:
                  number: 80
    - host: test-api.myapp.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-backend-monolith
                port:
                  number: 80

Here is my Secret.yml

kind: Secret
apiVersion: v1
metadata:
  name: myapp-tls
  namespace: myapp-test
data:
  tls.crt: >-
    BASE64 ENCODED CRT FILE CONTENT
  tls.key: >-
    BASE64 ENCODED KEY FILE CONTENT
type: kubernetes.io/tls

I actually tried to create ingresses and/or secrets in every namespace. But the Ingress controller still can't find the SSL certificate.

Upvotes: 2

Views: 3691

Answers (1)

Alan Cheng

Reputation: 520

Based on the error below, it appears your cert format is not right.

no valid PEM formatted block found

Is your original cert in PEM format? You can decode the cert data in the secret and double-check, using a command like the one below (you might need to install the jq command, or you can copy the tls.crt data manually and decode it with the base64 -d command):

kubectl get secret your-secret-name -n your-namespace -o json | jq '."data"."tls.crt"'| sed 's/"//g'| base64 -d -

Below is what I did using a self-signed test cert/key file.

 kubectl get secret mytest-ssl-secret -o json
{
    "apiVersion": "v1",
    "data": {
        "tls.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVGVENDQXYyZ0F3SUJBZ0lVWG12blRrcGtqMlhiQkx...tLS0K",
        "tls.key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQkt...tLS0K"
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2022-11-05T04:22:12Z",
        "name": "mytest-ssl-secret",
        "namespace": "default",
        "resourceVersion": "2024434",
        "uid": "d63dce3d-8e5c-478a-be9e-815e59e4bd21"
    },
    "type": "kubernetes.io/tls"
}
kubectl get secret mytest-ssl-secret -o json | jq '."data"."tls.crt"'| sed 's/"//g'| base64 -d -
-----BEGIN CERTIFICATE-----
MIIEFTCCAv2gAwIBAgIUXmvnTkpkj2XbBLRJo+mpBfp4mvAwDQYJKoZIhvcNAQEL
BQAwgZkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ3N1MQ0wCwYDVQQHDARX
dXhpMRowGAYDVQQKDBFUZXN0IGxpbWl0ZWQgSW5jLjELMAkGA1UECwwCSVQxHDAa
BgNVBAMME3Rlc3QwMDguZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE3Rlc3Qw
...
XO8B+zyFRP1PZnCAkeUdvh6rpMbVHWvfM0QOG4m736b9FK1VmjTG4do=
-----END CERTIFICATE-----

Upvotes: 2
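
A more systematic version of the check in the answer above, added here as an example and not code from either poster: it decodes each field of the Secret once and reports why no PEM block turns up. The causes it tests for (a second base64 layer, DER input, a certificate and key in each other's fields) and every name in it are assumptions that go beyond the thread, and it checks only the PEM armor, not the X.509 contents.

```python
import base64, binascii, json, re

# PEM armor: matching BEGIN/END labels around base64 body lines.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----")
# Label suffix each field of a kubernetes.io/tls Secret should carry.
EXPECTED = {"tls.crt": b"CERTIFICATE", "tls.key": b"PRIVATE KEY"}

def classify(field, b64_value):
    """Diagnose one value from the Secret's .data map."""
    try:
        raw = base64.b64decode("".join(b64_value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "not base64"
    match = PEM_RE.search(raw)
    if match:
        label = match.group(1)
        if label.endswith(EXPECTED[field]):
            return "ok"
        return "wrong PEM type: " + label.decode()
    # No PEM armor after one decode: test for a second base64 layer, then DER.
    try:
        inner = base64.b64decode(b"".join(raw.split()), validate=True)
    except (binascii.Error, ValueError):
        inner = b""
    if PEM_RE.search(inner):
        return "double base64-encoded"
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag, as in a DER-encoded cert
        return "looks like DER, convert to PEM"
    return "no PEM block"

def check_secret(secret_json):
    """Diagnose tls.crt and tls.key in `kubectl get secret -o json` output."""
    data = json.loads(secret_json).get("data") or {}
    return {f: classify(f, data[f]) if f in data else "missing" for f in EXPECTED}

def b64(blob):
    return base64.b64encode(blob).decode()

def sample_pem(label):
    # Constructed: PEM armor around placeholder bytes, not a real certificate.
    return f"-----BEGIN {label}-----\n{b64(b'placeholder')}\n-----END {label}-----\n".encode()

# Constructed Secret: tls.crt was base64-encoded twice, tls.key once.
SAMPLE = json.dumps({"kind": "Secret", "type": "kubernetes.io/tls", "data": {
    "tls.crt": b64(b64(sample_pem("CERTIFICATE")).encode()),
    "tls.key": b64(sample_pem("PRIVATE KEY"))}})

if __name__ == "__main__":
    for field, verdict in check_secret(SAMPLE).items():
        print(field, "->", verdict)
```

To use it on a real Secret, pass the text printed by `kubectl get secret ... -o json` to `check_secret`.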
