serving: Serving with autoTLS and auto redirect to HTTPS does not work

What version of Knative?

1.1

Expected Behavior

When a new service is deployed, the service URL should be served over HTTP, and once HTTPS certificate validation is done, HTTPS and auto redirect to HTTPS should be enabled.

Actual Behavior

When autoTLS with auto redirect to HTTPS is enabled, the service does not work because, before autoTLS verification can be done, auto redirect redirects all requests to HTTPS, which does not work because verification for HTTPS is not yet done. The service does not become active, certificate validation goes into an infinite loop, and it also hits the Let's Encrypt rate limit.

Steps to Reproduce the Problem

The following Knative deployment is done on a DigitalOcean Managed Kubernetes cluster. The domain DNS records are present in DigitalOcean domains.

1. Install Knative serving using yaml

kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.1.0/serving-crds.yaml
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.1.0/serving-core.yaml

2. Install Kourier network layer

kubectl apply -f https://github.com/knative/net-kourier/releases/download/knative-v1.1.0/kourier.yaml

kubectl patch configmap/config-network \
  --namespace knative-serving \
  --type merge \
  --patch '{"data":{"ingress-class":"kourier.ingress.networking.knative.dev"}}'

kubectl --namespace kourier-system get service kourier

3. Direct Knative to use the domain

kubectl patch configmap/config-domain \
  --namespace knative-serving \
  --type merge \
  --patch '{"data":{"test.voiceintern.com":""}}'

4. Enabling TLS with HTTP01

kubectl apply -f https://github.com/knative/net-http01/releases/download/knative-v1.1.0/release.yaml

kubectl patch configmap/config-network \
  --namespace knative-serving \
  --type merge \
  --patch '{"data":{"certificate-class":"net-http01.certificate.networking.knative.dev", "auto-tls":"Enabled", "http-protocol":  "redirected"}}'

5. Deploying sample app and testing

kn service create hello \
  --image gcr.io/knative-samples/helloworld-go \
  --port 8080 \
  --env TARGET=World \
  --revision-name=world

After this step, the output is always

$ kn services list -A
NAMESPACE   NAME    URL                                          LATEST        AGE   CONDITIONS   READY     REASON
default     hello   https://hello.default.test.voiceintern.com   hello-world   10m   1 OK / 3     Unknown   CertificateNotReady : Certificate route-139798f4-02d6-42b9-b7a0-5fdf596dbe5a is not ready.

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 19 (7 by maintainers)
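
A small check for the condition this report describes, added here as an example and not part of the original issue or of Knative: it classifies the response headers returned for an HTTP-01 challenge URL, showing whether the challenge path is answered over plain HTTP or redirected to HTTPS. The function names, the `TOKEN` placeholder and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or from Knative).
# classify_challenge_response reads raw HTTP response headers on stdin and prints:
#   direct          2xx over plain HTTP: the challenge path is reachable
#   https-redirect  3xx with Location: https://... (the state this report describes)
#   redirect-other  3xx to a non-HTTPS location
#   error           anything else (4xx/5xx, empty input)
classify_challenge_response() {
  awk '
    { sub(/\r$/, "") }                      # header lines end in CRLF
    NR == 1 && $1 ~ /^HTTP\// { status = $2; next }
    tolower($1) == "location:" && loc == "" { loc = $2 }
    END {
      if (status ~ /^2[0-9][0-9]$/) print "direct"
      else if (status ~ /^3[0-9][0-9]$/ && tolower(loc) ~ /^https:\/\//) print "https-redirect"
      else if (status ~ /^3[0-9][0-9]$/) print "redirect-other"
      else print "error"
    }'
}

# probe_challenge HOST TOKEN: fetch only the headers of the challenge URL over
# plain HTTP (no redirect following) and classify them. Needs network access.
probe_challenge() {
  curl -s -o /dev/null -D - --max-time 10 \
    "http://$1/.well-known/acme-challenge/$2" | classify_challenge_response
}

# Constructed sample responses (not captured from the reporter's cluster).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
location: https://hello.default.test.voiceintern.com/.well-known/acme-challenge/TOKEN
'
SAMPLE_DIRECT='HTTP/1.1 200 OK
content-type: text/plain
'

printf 'redirected sample: '
printf '%s' "$SAMPLE_REDIRECT" | classify_challenge_response
printf 'direct sample:     '
printf '%s' "$SAMPLE_DIRECT" | classify_challenge_response
```

Against a live cluster, `probe_challenge hello.default.test.voiceintern.com TOKEN` runs the same classification on a real response; a 404 for an unknown token is reported as `error`, which still shows that the path was not redirected.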

Most upvoted comments

FYI - @dprotaso @ReToCode As per today's Serving Meeting Notes, net-http01 might be deprecated in the future. But this issue is a net-http01 issue and I think it is still active.

/triage accepted

/lifecycle frozen