ingress-nginx: Ingress returns wrong certificate for specific http clients

Hi, I got a strange phenomenon and I am not able to get to the root of the source.

I am using docker-desktop: v1.22.4 and the ingress-nginx-controller with the following config:

containers:
  - name: controller
    image: >-
      k8s.gcr.io/ingress-nginx/controller:v0.41.2@sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de
    args:
      - /nginx-ingress-controller
      - '--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller'
      - '--election-id=ingress-controller-leader'
      - '--ingress-class=nginx'
      - '--configmap=$(POD_NAMESPACE)/ingress-nginx-controller'
      - '--validating-webhook=:8443'
      - '--validating-webhook-certificate=/usr/local/certificates/cert'
      - '--validating-webhook-key=/usr/local/certificates/key'

Under specific circumstances the ingress-controller returns the fake-certificate instead of the configured one. I created the following ingress config:

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-keycloak
spec:
  tls:
    - hosts:
        - my-keycloak
      secretName: my-keycloak-tls-secret
  rules:
    - host: my-keycloak
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-keycloak
                port:
                  number: 80

When accessing the URL "https://my-keycloak" in the browser the correct certificate is returned:

[screenshot: correct-cert]

Same result when using openssl:

echo | openssl s_client -showcerts -servername my-keycloak -connect my-keycloak:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1639646163 (0x61bb03d3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = my-keycloak
        Validity
            Not Before: Dec 16 09:16:03 2021 GMT
            Not After : Dec 16 09:16:03 2121 GMT
        Subject: CN = my-keycloak
        Subject Public Key Info:

BUT if I use the Java Apache HttpClient to access the page I suddenly get the fake certificate:

[screenshot: fake-cert-returned]

I have been struggling with this for a whole day now and cannot figure out what is causing this problem…

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 26 (14 by maintainers)

Most upvoted comments

FYI, we noticed the same issue with openssl 1.0 (working fine with openssl 1.1).
It also makes ssl_verify_client optional_no_ca send an x-client-verify: NONE without the certificate in the ssl-client-cert header (while it works fine with openssl 1.1).
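A diagnostic script, added here as an example (it is not part of the issue, of the Java client, or of ingress-nginx), that reproduces the symptom from the command line for both the report above and the openssl 1.0 remark in the comment. ingress-nginx picks the certificate for a TLS connection by the name the client sends in the Server Name Indication (SNI) extension and falls back to its built-in placeholder, whose subject CN is "Kubernetes Ingress Controller Fake Certificate", when no TLS secret matches that name. The script therefore asks the endpoint for its leaf certificate twice, once with SNI and once without, and flags the placeholder; a client library that never sends SNI (as clients built on OpenSSL 1.0 can, since that version sends none unless the application asks for it) will see exactly the "fake" certificate shown in the screenshots. Whether that is what the Java HttpClient in the report does is an assumption this check is meant to confirm or rule out. The host and port are taken from the issue; `-noservername` needs OpenSSL 1.1.1 or later, and the parser also accepts the `subject=/CN=...` layout that OpenSSL 1.0 prints, which goes slightly beyond the output shown on the page.

```shell
#!/bin/sh
# Added example (not from the issue or ingress-nginx): compare the leaf
# certificate an ingress-nginx endpoint serves with and without TLS SNI.
# Host and port default to the names used in the issue (assumptions).

# Pull the leaf certificate subject out of `openssl s_client` output.
# OpenSSL 1.1.x prints "subject=CN = my-keycloak", 1.0.x prints
# "subject=/CN=my-keycloak"; the first "subject=" line is the leaf.
leaf_subject() {
    awk 'sub(/^subject=[[:space:]]*/, "") { print; exit }'
}

# ingress-nginx's placeholder certificate carries this CN; seeing it means
# the controller found no TLS secret for the name the client presented.
is_fake_cert() {
    case "$1" in
        *"Kubernetes Ingress Controller Fake Certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect once with SNI (mode "sni") or without it (mode "nosni") and print
# the subject of the certificate the server selected. -noservername needs
# OpenSSL 1.1.1+; with 1.0.x simply omitting -servername already sends no SNI.
probe() {
    host=$1 port=$2 mode=$3
    if [ "$mode" = sni ]; then
        echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | leaf_subject
    else
        echo | openssl s_client -connect "$host:$port" -noservername 2>/dev/null | leaf_subject
    fi
}

# Report both results; the placeholder appearing only in the "nosni" row is
# the signature of a client that does not send SNI.
main() {
    host=${1:-my-keycloak} port=${2:-443}
    for mode in sni nosni; do
        subject=$(probe "$host" "$port" "$mode")
        if is_fake_cert "$subject"; then
            verdict="placeholder (no TLS secret matched)"
        else
            verdict="configured certificate"
        fi
        printf '%-5s -> %s [%s]\n' "$mode" "${subject:-<no certificate>}" "$verdict"
    done
}

# Run the network probe only when invoked with arguments, e.g.:
#   sh sni-check.sh my-keycloak 443
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the `sni` row shows `CN = my-keycloak` and the `nosni` row shows the placeholder, the ingress is configured correctly and the problem lies with the client not sending SNI; if both rows show the placeholder, the TLS secret referenced by the Ingress is not being matched at all.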