ingress-nginx: Error generating CA certificate chain

BUG REPORT:
--enable-ssl-chain-completion doesn't respect the ingress annotation kubernetes.io/ingress.class

NGINX Ingress controller version: 0.19.0

Kubernetes version (use kubectl version): v1.11.2

Environment:

  • Cloud provider or hardware configuration: vSphere
  • OS (e.g. from /etc/os-release): rancherOS
  • Kernel (e.g. uname -a): Linux pws2 4.14.67-rancher2
  • Install tools: Rancher 2.0.8
  • Others:

What happened: I have multiple ingress controllers configured with different --ingress-class values and an ingress resource with the kubernetes.io/ingress.class annotation. But all controllers try to check the certificate chain for the certificate referenced in that ingress resource.
I found this message in logs of each controller:

backend_ssl.go:161] Error generating CA certificate chain for Secret "mynamespace/mysecret": Invalid certificate.

where the secret mynamespace/mysecret is referenced only in one ingress with the specified kubernetes.io/ingress.class annotation.

What you expected to happen: The error message must appear only in the log of the controller specified by the kubernetes.io/ingress.class annotation.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 4
  • Comments: 35 (2 by maintainers)

Most upvoted comments

/remove-lifecycle rotten

Here we face the issue of having a certificate without the certificate authority running on a Kubernetes. We did following steps:

  1. Concatenate both the certificate and the certificate authority in a temp file:

     -----BEGIN CERTIFICATE-----
     ...(here is your certificate)...
     -----END CERTIFICATE-----
     -----BEGIN CERTIFICATE-----
     ...(here is your authority certificate)...
     -----END CERTIFICATE-----

  2. Encode to base64 in the terminal:

     cat some_temp_file | base64 -w 0

  3. Put the resulting base64 in your Ingress deployment configuration at the property "data.tls.crt":

     apiVersion: v1
     data:
       tls.crt: ... <-- here
       tls.key: ...
     kind: Secret
     metadata:
       name: sslcerts
     type: Opaque
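The bundling workaround in the comment above, scripted end to end as an added example (this is editor-written code, not something posted in the issue thread or shipped by ingress-nginx). It assumes POSIX sh with base64 and awk, and, for verify_chain only, the openssl CLI; the file names leaf.pem, ca.pem, key.pem and the secret name sslcerts are placeholders. It uses `base64 | tr -d '\n'` instead of `base64 -w 0` because the -w flag is GNU-only, writes the Secret with type kubernetes.io/tls rather than Opaque, and puts the leaf certificate first in the bundle, which is the order TLS clients and the controller expect:

```shell
#!/bin/sh
# Added example: build a kubernetes.io/tls Secret whose tls.crt already carries
# the full chain (leaf first, then the issuing CA), so the controller has no
# missing intermediate to go looking for. File names and secret name are
# placeholders, not values from the issue.

# Number of PEM certificate blocks in a file; a leaf plus its CA gives 2.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenate leaf, then CA. "awk 1" re-emits every line with a newline, so a
# leaf file lacking a trailing newline cannot glue its END line to the CA's
# BEGIN line (a common cause of an unparseable bundle).
make_bundle() {
  leaf="$1"; ca="$2"; out="$3"
  awk 1 "$leaf" "$ca" > "$out"
}

# Portable single-line base64 (GNU base64 -w 0 is not available everywhere).
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Emit a Secret manifest on stdout. The Secret type is kubernetes.io/tls,
# which is what the Ingress spec.tls section refers to.
make_secret_manifest() {
  name="$1"; ns="$2"; bundle="$3"; key="$4"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'type: kubernetes.io/tls\ndata:\n'
  printf '  tls.crt: %s\n' "$(b64_oneline "$bundle")"
  printf '  tls.key: %s\n' "$(b64_oneline "$key")"
}

# Decode tls.crt back out of a manifest so the result can be inspected.
decode_manifest_crt() {
  sed -n 's/^  tls\.crt: //p' "$1" | base64 --decode
}

# Sanity check on the finished manifest: how many certificates did we ship?
manifest_cert_count() {
  decode_manifest_crt "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Optional pre-flight check with openssl: does the leaf actually chain to the
# CA you are about to bundle? Exit status is openssl's own.
verify_chain() {
  leaf="$1"; ca="$2"
  openssl verify -CAfile "$ca" "$leaf"
}

# Usage (placeholder paths):
#   verify_chain leaf.pem ca.pem
#   make_bundle leaf.pem ca.pem bundle.pem
#   make_secret_manifest sslcerts mynamespace bundle.pem key.pem > secret.yaml
#   kubectl apply -f secret.yaml
```

Run verify_chain before bundling: if openssl cannot validate the leaf against the CA you have, the controller will not be able to either, and bundling only hides the mismatch until the handshake fails.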

We had a similar experience turning it off, but I also didn’t pay attention to or dig in to find the side effects of leaving it disabled.

We had to re-enable chain completion due to some additional requirements and used your Dockerfile snippet above and haven’t seen any errors in our logs (other than ingress rules with typo’d secret names or the like).

I’ll take a look at the Dockerfile in question and see if there was anything different we did that would resolve the errors.

Do we have an ETA on this ?

+1, same here. Works fine, just getting the error.