Openssl gives Fake Kubernetes Certificate but browser shows correct one #6398

Closed
mrSingh007 opened this issue Oct 30, 2020 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

mrSingh007 commented Oct 30, 2020

I have configured an SSL certificate, which can be confirmed over HTTPS. If I go to https://<mydomain>.com, I can see it's no longer the fake certificate.
BUT
if I do openssl s_client -showcerts -connect <mydomain>.com:443 it returns the 'Kubernetes Ingress Controller Fake Certificate'.

NGINX Ingress controller version:

Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:32:58Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release): Ubuntu 20.04.1 LTS, focal
  • Kernel (e.g. uname -a): Linux k8s-master 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

What happened:
Only openssl gives the fake certificate back.

What you expected to happen:
The browser and openssl should return the same certificate.

Ingress rule is:

# apiVersion, kind and metadata header added to complete the posted fragment
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
  name: nginx-echo
spec:
  tls:
    - hosts:
        - domain.com
      secretName: domain.com
  rules:
    - host: domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: website-lorem
                port:
                  number: 80

Log:

 6 flags.go:205] Watching for Ingress class: nginx
W1029 22:02:36.331841       6 flags.go:210] Ingresses with an empty class will also be processed by this Ingress controllernginx
W1029 22:02:36.332409       6 flags.go:252] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W1029 22:02:36.332525       6 client_config.go:552] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1029 22:02:36.332855       6 main.go:231] Creating API client for https://<ip>:443
I1029 22:02:36.342532       6 main.go:275] Running in Kubernetes cluster version v1.19 (v1.19.2) - git (clean) commit f574309** - platform linux/amd64
I1029 22:02:36.470142       6 main.go:105] SSL fake certificate created /etc/ingress-controller/ssl/default-fake-certificate.pem
I1029 22:02:36.472357       6 main.go:113] Enabling new Ingress features available since Kubernetes v1.18
W1029 22:02:36.476751       6 main.go:125] No IngressClass resource with name nginx found. Only annotation will be used.
I1029 22:02:36.485119       6 ssl.go:528] loading tls certificate from certificate path /usr/local/certificates/cert and key path /usr/local/certificates/key
I1029 22:02:36.544518       6 nginx.go:263] Starting NGINX Ingress controller


/kind bug

mrSingh007 (author) commented

One step of the problem is solved by adding the --default-ssl-certificate flag.
Now openssl s_client -showcerts -connect <domain>.com:443 shows the correct certificate, but doing
openssl s_client -connect <domain>.com:443 | openssl x509 -noout -subject -issuer gives the following error:

depth=0 CN = www.<domain>.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.<domain>.com
verify error:num=21:unable to verify the first certificate
verify return:1
subject= /CN=www.<domain>.com
issuer= /C=US/O=DigiCert Inc/CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
DONE

mrSingh007 (author) commented

It's not a bug. The problem is solved.

  1. --default-ssl-certificate flag was not
  2. The intermediate certificate was not set
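The two openssl errors quoted above (num=20 "unable to get local issuer certificate" and num=21 "unable to verify the first certificate") are what a client sees when the server sends only its leaf certificate and the issuing intermediate is neither sent nor in the client's trust store. The shell script below is an added example, not code from this issue or from ingress-nginx: it builds a throwaway root/intermediate/leaf PKI with openssl (every name and file path in it is constructed for the example), reproduces the failure with openssl verify, and shows the same leaf verifying once the intermediate is supplied alongside it, which is what concatenating leaf and intermediate into the TLS secret's tls.crt achieves.

```shell
#!/bin/sh
# Added example (not from this issue thread): builds a throwaway PKI and shows
# why a server that presents only its leaf certificate produces "unable to get
# local issuer certificate", while the same leaf verifies once the intermediate
# is supplied with it. All names (Example Root CA, www.example.test, file
# names) are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed PKI

# Minimal, self-contained openssl config so the example does not depend on
# whatever the system's openssl.cnf would add by default.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Root CA -> intermediate CA -> leaf: the same shape as the thread's
# DigiCert/GeoTrust chain, where the leaf is signed by an intermediate,
# not directly by the root the client trusts.
build_test_pki() {
    write_config
    cfg="$WORK/openssl.cnf"
    # 1. self-signed root CA (this is what the client trusts)
    openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # 2. intermediate CA, signed by the root
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$cfg" -extensions v3_ca \
        -out "$WORK/int.pem" 2>/dev/null
    # 3. server (leaf) certificate, signed by the intermediate
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$cfg" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null
    # What tls.crt in the Kubernetes TLS secret should contain: leaf first,
    # then the intermediate(s). The root is not needed; clients already have it.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# Client view when the server presents the leaf alone (the reporter's second
# error). Exit status is non-zero and the diagnostics go to stdout.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}

# Client view when the server also presents the intermediate; -untrusted is
# how 'openssl verify' models certificates received from the peer.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" 2>&1
}

# Number of PEM certificates in a file: a quick check that the secret's
# tls.crt carries the whole chain and not just the leaf.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

build_test_pki
echo "--- leaf only (what the reporter saw before adding the intermediate):"
verify_leaf_only || true
echo "--- leaf + intermediate:"
verify_with_intermediate
echo "certificates in fullchain.pem: $(count_certs "$WORK/fullchain.pem")"
```

The fullchain.pem the script produces is the shape of file to hand to kubectl create secret tls <name> --cert=fullchain.pem --key=leaf.key so that the controller serves the intermediate along with the leaf. When probing a live ingress, pass -servername <host> to openssl s_client as well: without SNI the controller cannot pick a host-specific certificate and answers with its default one, which is the fake certificate unless --default-ssl-certificate is set.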

aakhan1 commented Dec 28, 2020

How and where do you set this --default-ssl-certificate flag? Could you please provide more details.

c-p-b commented Apr 8, 2021

How and where do you set this --default-ssl-certificate flag? Could you please provide more details.

This appears to be implementation specific. In my case running microk8s I was able to set it by running the following command:

kubectl -n ingress edit daemonset.apps/nginx-ingress-microk8s-controller

Then under args I added it as a new flag (these are supplied when the ingress pod is bootstrapped, so it needs to be rebooted. In my case microk8s detected that the configuration had been edited and automatically restarted the pod):

    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-load-balancer-microk8s-conf
        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-ingress-tcp-microk8s-conf
        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-ingress-udp-microk8s-conf
        - --ingress-class=public
        - --default-ssl-certificate=___NAMESPACE_OF_SECRET___/___NAME_OF_SECRET___
        - ' '

til-schneider commented

A better way to set the default-ssl-certificate in microk8s is to do this when enabling the addon (this example sets the secret tls-secret in the default namespace):

microk8s enable ingress:default-ssl-certificate=default/tls-secret
