REGRESSION: After upgrading to 0.24.0 fake certificate is used instead of the one specified #4553

Closed
gae123 opened this issue Sep 11, 2019 · 6 comments

Comments


gae123 commented Sep 11, 2019

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG/REGRESSION

Before upgrade automatically generated nginx.conf contains:

image

After upgrade:
image

NGINX Ingress controller version: 0.24.0 and later

Kubernetes version (use kubectl version): v1.13.7-gke.2

Environment:

  • Cloud provider or hardware configuration: GKE
  • OS (e.g. from /etc/os-release): ubuntu
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others:

What happened:
After upgrade, cannot access hosts any more (get the insecure warning). It turns out that SSL certificates are not installed, not present in nginx.conf.

What you expected to happen:
a smooth upgrade

Member

aledbf commented Sep 11, 2019

Closing. Since 0.24.0 the SSL certificates are configured using Lua (#3808).
This means you will only see the fake certificate PEM in the generated nginx.conf file.

@aledbf aledbf closed this as completed Sep 11, 2019
Author

gae123 commented Sep 11, 2019

For now, setting --enable-dynamic-certificates=false seems to fix the issue. I will try to understand what @aledbf's comment means that I need to change in my config.

Any suggestions will be appreciated, this is something that used to work fine since 0.12.0 and suddenly stopped working on this upgrade.

Member

aledbf commented Sep 11, 2019

@gae123 what's the issue exactly? If you have an issue, please post the ingress controller pod logs

> For now, setting --enable-dynamic-certificates=false seems to fix the issue. I

This flag is being removed in the next release (0.26).

Author

gae123 commented Sep 11, 2019

It turns out we have code that post-edits nginx.conf, adding additional server_names matched with a regular expression. So if the server name is foo.bar.com we can also match *-foo.bar.com. Unfortunately, there is no cleaner way to currently handle this (see here for discussion).

All that breaks with "dynamic certificates"...

Please do not remove "--enable-dynamic-certificates=false" until this gets addressed somehow.

Member

aledbf commented Sep 11, 2019

> Please do not remove "--enable-dynamic-certificates=false" until this gets addressed somehow.

Flag already removed #4356

Member

aledbf commented Sep 11, 2019

> All that breaks with "dynamic certificates"...

Please open an issue describing exactly what you are doing.

> So if the server name is foo.bar.com we can also match *-foo.bar.com Unfortunately, there is no cleaner way to currently handle this (see here for discussion).

We also added support for multiple aliases #4472
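Since the thread establishes that from 0.24.0 the generated nginx.conf only shows the fake certificate PEM, the certificate a hostname really gets has to be checked on the wire. The following is an added example, not code from the thread participants or the ingress-nginx project: it performs a TLS handshake per SNI name and flags names that receive the controller's default certificate. The function names, the byte-search heuristic and the sample address and hostnames are assumptions; the fake certificate's CN is stated from general knowledge of ingress-nginx, not from this page.

```python
import socket
import ssl
import sys

# Subject CN of the controller's built-in default certificate
# (assumption from general knowledge of ingress-nginx, not from this thread).
FAKE_CN = b"Kubernetes Ingress Controller Fake Certificate"


def served_cert_der(address, sni, port=443, timeout=5.0):
    """Handshake with `address`, sending `sni`, and return the leaf cert as DER."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we inspect the certificate, we do not trust it
    ctx.verify_mode = ssl.CERT_NONE  # the fake certificate is self-signed
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def is_fake_certificate(der):
    """Heuristic: the CN string appears as contiguous bytes inside the DER."""
    return der is not None and FAKE_CN in der


def audit(address, hostnames, fetch=served_cert_der):
    """Map each hostname to 'ok', 'fake' or 'error: <reason>'."""
    results = {}
    for name in hostnames:
        try:
            der = fetch(address, name)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[name] = f"error: {exc}"
            continue
        results[name] = "fake" if is_fake_certificate(der) else "ok"
    return results


if __name__ == "__main__":
    # Usage (constructed values): audit.py 192.0.2.10 foo.bar.com x-foo.bar.com
    if len(sys.argv) < 3:
        sys.exit("usage: audit.py <controller-address> <hostname> [<hostname> ...]")
    report = audit(sys.argv[1], sys.argv[2:])
    for host, status in report.items():
        print(f"{host}: {status}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Running it before and after a controller upgrade, with every hostname the Ingress rules and any extra server_name patterns are expected to cover, shows which names fell back to the default certificate.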
