cert-manager: Problem With Certification with Nginx

Describe the bug: nginx-ingress is not able to load the certification generated by cert-manager.

Events:
  Type     Reason                   Age                 From                      Message
  ----     ------                   ----                ----                      -------
  Warning  AddedOrUpdatedWithError  17m (x3 over 130m)  nginx-ingress-controller  Configuration for default/nginx-ing was added or updated, but not applied: Error reloading NGINX for default/nginx-ing: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "nginx: [emerg] cannot load certificate \"/etc/nginx/secrets/default-MY-DOMAIN-tls\": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\n"
finished with error: exit status 1
  Normal   AddedOrUpdated    11m  nginx-ingress-controller  Configuration for default/nginx-ing was added or updated
  Warning  UpdatedWithError  11m  nginx-ingress-controller  Configuration for default/nginx-ing was updated but was not applied: Error when updating config from ConfigMap: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "nginx: [emerg] cannot load certificate \"/etc/nginx/secrets/default-MY-DOMAIN-tls\": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\n"
finished with error: exit status 1

The ingress configuration is:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.org/location-snippets: include /etc/nginx/custom-snippets/cors.conf;
    nginx.org/server-snippets: gzip on;
    nginx.org/websocket-services: altreze-xwindows-ws
  name: xwin-ing
  namespace: default
spec:
  rules:
  - host: MY-DNS
    http:
      paths:
      - backend:
          serviceName: altreze-xwindows
          servicePort: 5901
        path: /
      - backend:
          serviceName: altreze-xwindows-ws
          servicePort: 5900
        path: /websockify
  tls:
  - hosts:
    - MY-DNS
    secretName: MY-DNS-tls

Expected behaviour: A concise description of what you expected to happen.

Steps to reproduce the bug:

  • A working nginxinc nginx-ingress deployment
  • A working cert-manager

Environment details:

  • Kubernetes version (v1.17.0) baremetal
  • cert-manager version (0.14.0)
  • nginxinc nginx/nginx-ingress:1.6.3

/kind bug

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 25 (3 by maintainers)

Most upvoted comments

I have the same issue running kubernetes with AWS EKS and using cert manager to create the cert for nginx ingress. Would be great if I could get any help. Here is the error:

INX when updating Secret: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: “” stderr: “nginx: [emerg] cannot load certificate "/etc/nginx/secrets/default-letsencrypt2-production": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)\n”
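A diagnostic for the `no start line` error quoted in this thread, added here as an example and not taken from the issue, cert-manager or nginx-ingress: it decodes `tls.crt` and `tls.key` from a `kubernetes.io/tls` Secret manifest (the dict parsed from `kubectl get secret <name> -o json`) and reports whether each holds a well-formed PEM block. The names `pem_labels` and `check_tls_secret` are hypothetical, the sample Secrets are constructed, and only PEM framing is checked, not X.509 validity.

```python
import base64
import re

# One PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_labels(raw: bytes) -> list:
    """Return the labels of well-formed PEM blocks found in raw bytes."""
    labels = []
    for label, body in PEM_BLOCK.findall(raw.decode("ascii", "replace")):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # markers present but the body is not valid base64
        labels.append(label)
    return labels

def check_tls_secret(secret: dict) -> dict:
    """Classify tls.crt and tls.key as missing, empty, ok or lacking a PEM start line."""
    report = {}
    for key, wanted in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        encoded = (secret.get("data") or {}).get(key)
        if encoded is None:
            report[key] = "missing"
            continue
        raw = base64.b64decode(encoded)  # Secret data values are base64-encoded
        if not raw.strip():
            report[key] = "empty"
        elif any(label.endswith(wanted) for label in pem_labels(raw)):
            report[key] = "ok"
        else:
            report[key] = "no PEM start line"
    return report

# --- constructed sample input (placeholder bytes, not real key material) ---
def _pem(label: str, payload: bytes = b"constructed-bytes") -> bytes:
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

def _secret(crt: bytes, key: bytes) -> dict:
    enc = lambda b: base64.b64encode(b).decode()
    return {"kind": "Secret", "type": "kubernetes.io/tls",
            "data": {"tls.crt": enc(crt), "tls.key": enc(key)}}

if __name__ == "__main__":
    print(check_tls_secret(_secret(_pem("CERTIFICATE"), _pem("RSA PRIVATE KEY"))))
    print(check_tls_secret(_secret(b"", _pem("RSA PRIVATE KEY"))))
```

A result other than `ok` for `tls.crt` means the file NGINX is told to load has no certificate PEM block, which is the condition the `PEM_read_bio_X509_AUX() failed ... no start line` message reports.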