-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ACME challenge fails with nginx.ingress.kubernetes.io/permanent-redirect
#11315
Comments
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
nginx.ingress.kubernetes.io/permanent-redirect
nginx.ingress.kubernetes.io/permanent-redirect
/remove-kind bug |
The question is still if the redirect is expected behavior and as others said in the linked issue, they expect different behavior, as well as I do, so I just think it's a bug.
Yeah, sry, force of habit to empty the template on issue creation. I think the issue is general and not a specific version bug, but again could be layer 8 here.
Done that. @longwuyuan Can you or some of your team just try the minimal configuration? I think it could be fastly discovered that the given behaviour exist in newer kubernetes/ingress configuration... |
Thanks for the info. Your thought process is a bit clearer now, but in my opinion, its not super helpful for all readers. Just my opinion and others will opine differently. Basically the info that helps readers is ;
Redacted info also works as there is some insight on the state of the resources and the log of the events. But since its redirection issue, it helps if you cognitively replace FQDNs as appropriate with real behaviour, so context is retained without the real-hostname used. I am assuming that you want to use |
@longwuyuan Thanks for you feedback
Exactly, this was already requested in #6853:
A workaround was suggested by @danton721
nginx.ingress.kubernetes.io/server-snippet: |
if ($request_uri !~* ^/.well-known) {
return 301 $scheme://my.site.com$request_uri;
} AFAIK, without this, for HTTPS, there can not be created a valid certificate, so browsers will not redirect traffic when accessing I would consider this a "bug" if the user has to use the |
ok. that info is helpful. Can you explain this paradox that first you create a ingress with a specific hostname. And then instead of routing traffic to a backend pod behind that FQDN, you want to do seemingly contradictory things simultaneously on that rule being matched. Why generate a certificate for a FQDN when you are going to permanently-redirect from there with a 30X response. |
That is a valid question (I will try a solution by DNS later on, but I think this will not work):
Does that clarify our case? As long as there is not valid certificate for the "main" domain But if you ask yourself why we want this, shouldn't you ask yourself why the It seems like you question the very existence of the annotation you maintain... |
Thanks for the information. Its very helpful in understanding your use case.
Please wait for comments from otners. Maybe someone has a practical solution to selectively do redirection |
Thanks for acknowledgement.
Fair point, I wouldn't expect this to have a Prio... @longwuyuan Can we maybe hint that |
The summary is ;
|
/remove-triage needs-information |
@renepupil Disabling You said
This is not a fair assumption because cert-manager may have removed the ingress by the time you tested this after the failed acme challenge. If cert-manager has already removed the acme challenge ingress due to failures, only the redirect ingress remains so of course the acme challenge url would redirect to foo.com. It's interesting that the error mentions Have you confirmed that the acme challenge actually hits your corporate website? |
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: redirect-to-another
namespace: our-redirects
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
acme.cert-manager.io/http01-ingress-class: nginx
acme.cert-manager.io/http01-edit-in-place: "false"
nginx.ingress.kubernetes.io/permanent-redirect: https://another-domain.ch
nginx.ingress.kubernetes.io/from-to-www-redirect: "false"
spec:
ingressClassName: nginx
tls:
- hosts:
- our-domain.ch
secretName: ingress-cert
rules:
- host: our-domain.ch So, we found out that our WAF was blocking the acme challenge cause Let's encrypt uses google services that we now allow. The ingress has an event, that the certificate could get created successfully:
But when calling
Maybe it's the wildcard in the certificate, but I would have expected the certificate creation to create a certificate that works without subdomain... @rouke-broersma Any idea what the problem could be? |
What happened:
Error:
Error accepting authorization: acme: authorization error for our-domain.ch: 403 urn:ietf:params:acme:error:unauthorized: During secondary validation: <ip>: Invalid response from http://our-domain.ch/.well-known/acme-challenge/NoqmY7zPrO4y7EQB9r6gmlgQUMXFJg9GNtum9FgYn8s: 403
What you expected to happen:
I would expect the ingress to configure nginx in such a way that it doesn't redirect on accessing
http://our-domain.ch/.well-known/acme-challenge/NoqmY7zPrO4y7EQB9r6gmlgQUMXFJg9GNtum9FgYn8s
, but this case is handled specially, so that the acme challenge is successful...This
http://our-domain.ch/.well-known/acme-challenge/NoqmY7zPrO4y7EQB9r6gmlgQUMXFJg9GNtum9FgYn8s
redirects tohttps://foo.com
after the failed acme challenge, but likely also during the acme challenge.As we are on a managed kubernetes cluster, I can not take a look at the created nginx config, or the
cluster-issuer
configuration, but I strongly suggest this problem lays in the wrong handling of thepermanent-redirect
by the ingress nginx, as other certificates in our cluster are created without problem.NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use
kubectl version
):Environment:
Cloud provider or hardware configuration: not sure if I can give that
OS (e.g. from /etc/os-release): my local system
Kernel (e.g.
uname -a
): 22.04.4 LTS (Jammy Jellyfish)Install tools: managed, don't know
Basic cluster related info:
kubectl version
: See abovekubectl get nodes -o wide
: Can not give that because of IPs.How was the ingress-nginx-controller installed: Probably helm, don't know.
Current State of the controller: Not sure, if I'm allowed to share this info.
Current state of ingress object, if applicable: Not sure, if I'm allowed to share this info.
Others:
How to reproduce this issue:
Apply a minimal ingress like this:
Is there something wrong with the configuration?
The text was updated successfully, but these errors were encountered: