Missing SSL certificate roots #94

Closed
3dbrows opened this issue Aug 17, 2018 · 2 comments

3dbrows commented Aug 17, 2018

The following error can be seen in the ingress-controller container logs every minute when you have an Ingress definition using a TLS secret (in my case a cert from Let's Encrypt):

backend_ssl.go:153] unexpected error generating SSL certificate with full intermediate chain CA certs: x509: failed to load system roots and no roots provided

The line of code in question is this one.

This is because the Debian base image used by the ingress-controller image doesn't ship with root CA certs, so it can't verify the full chain.

We can work around this by starting the ingress-controller container with a command like:

sh -c 'apt-get update && apt-get install -y ca-certificates && /kong-ingress-controller <options...>'

But it would probably be nicer to do something like this in the Dockerfile:

apt-get update && apt-get install -y ca-certificates

I am using the Kong Ingress controller snis-fix branch.

A similar fix might be needed in the kong:0.X-centos7 Dockerfiles, by the way, but not the Alpine ones, because they already include apk add ca-certificates.

Member

hbagdi commented Aug 17, 2018

Hi @Dag24,

Thank you for reporting this issue.
I've opened up #95, which should fix this issue.

hbagdi added a commit that referenced this issue Aug 17, 2018
The ingress controller verifies TLS certs before using them.
See #94 

From #95
Author

3dbrows commented Aug 20, 2018

This is fixed in 0.1.0, thank you!

3dbrows closed this as completed Aug 20, 2018