
Self-signing issuer certificates not working with Nginx #779

Closed
aelbarkani opened this issue Jul 28, 2018 · 3 comments · Fixed by #811


aelbarkani commented Jul 28, 2018

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened: Certificates generated by the self-signing issuer don't work with Nginx and Nginx Ingress Controller. Here are the logs from the Nginx Ingress Controller:

2018/07/28 19:23:00 [emerg] 1#1: PEM_read_bio_X509("/etc/ingress-controller/ssl/default-tls.pem") failed (SSL:)
nginx: [emerg] PEM_read_bio_X509("/etc/ingress-controller/ssl/default-tls.pem") failed (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed

What you expected to happen:
The self-signed certificate to work with Nginx.

How to reproduce it (as minimally and precisely as possible):

  • Generate a certificate with the self-signing ClusterIssuer
  • Use the generated secret as TLS secret in an Nginx Ingress

Anything else we need to know?:
The problem seems to come from the fact that cert-manager tries to bundle the CA with the certificate, even if the certificate is self-signed. The result is an empty CA certificate, like this one:

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXX....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

When I tried removing the empty certificate and testing it manually with an Nginx instance, it worked:

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXX....
-----END CERTIFICATE-----

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:53:20Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9+", GitVersion:"v1.9.7-gke.3", GitCommit:"9b5b719c5f295c99de68ffb5b63101b0e0175376", GitTreeState:"clean", BuildDate:"2018-05-31T18:32:23Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration: GKE
  • Nginx Ingress Controller: version 0.17.1 (Nginx version: 0.13.12), deployed with the Helm chart version 0.23.0 from the stable repository.
@jetstack-bot jetstack-bot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 29, 2018
@superawesome

Same here. I'm actually using the nghttpx Ingress controller (here: https://github.com/zlabjp/nghttpx-ingress-lb), but it behaves exactly the same way. Removing the empty begin/end blocks from the secret is sufficient for it to work.

@aelbarkani
Author

The issue can probably be fixed by modifying:
https://github.com/jetstack/cert-manager/blob/master/pkg/issuer/selfsigned/issue.go#L80
https://github.com/jetstack/cert-manager/blob/master/pkg/util/pki/csr.go#L134

I don't have the time right now to do it, so if someone can do it it would be great. Otherwise I'll create a PR in a few days.
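The failure described in the first post and the fix location pointed at in the comment above, shown as an added Go example; this is not cert-manager's code and does not reproduce its `issue.go`/`csr.go` logic. `bundleNaive` always appends a CA block and so produces the empty `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` pair from the issue when the issuer is self-signed; `ParseAll` rejects that bundle the way a TLS terminator does; `StripEmptyBlocks` is the manual workaround from the thread done programmatically; `bundleFixed` only appends a CA block when there is CA material. All function names are assumptions, and the self-signed certificate is throwaway test data generated in the block.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// bundleNaive reproduces the behaviour reported in the issue (hypothetical
// reconstruction, not cert-manager code): the CA block is written even when
// caDER is empty, yielding an empty CERTIFICATE block after the leaf.
func bundleNaive(leafDER, caDER []byte) []byte {
	var out bytes.Buffer
	_ = pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	_ = pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return out.Bytes()
}

// bundleFixed guards the CA block: a self-signed issuer has no separate CA
// to append, so the bundle ends after the leaf.
func bundleFixed(leafDER, caDER []byte) []byte {
	var out bytes.Buffer
	_ = pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	if len(caDER) > 0 {
		_ = pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	}
	return out.Bytes()
}

// CountEmptyBlocks reports how many CERTIFICATE blocks in a PEM bundle carry
// no DER payload, which is the pattern that makes PEM_read_bio_X509 fail.
func CountEmptyBlocks(bundle []byte) int {
	n := 0
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return n
		}
		if block.Type == "CERTIFICATE" && len(block.Bytes) == 0 {
			n++
		}
	}
}

// StripEmptyBlocks re-encodes the bundle without empty blocks: the manual
// workaround from the thread, applied programmatically.
func StripEmptyBlocks(bundle []byte) []byte {
	var out bytes.Buffer
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return out.Bytes()
		}
		if len(block.Bytes) > 0 {
			_ = pem.Encode(&out, block)
		}
	}
}

// ParseAll behaves like a TLS terminator loading the file: every block must
// parse as an X.509 certificate or the whole bundle is rejected.
func ParseAll(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return certs, nil
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", len(certs)+1, err)
		}
		certs = append(certs, c)
	}
}

// selfSignedDER builds a throwaway self-signed certificate (constructed test data).
func selfSignedDER() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	leaf := selfSignedDER()
	bad := bundleNaive(leaf, nil)
	fmt.Printf("naive bundle: %d empty block(s)\n", CountEmptyBlocks(bad))
	if _, err := ParseAll(bad); err != nil {
		fmt.Println("naive bundle rejected:", err)
	}
	certs, _ := ParseAll(StripEmptyBlocks(bad))
	fmt.Printf("stripped bundle parses to %d cert(s)\n", len(certs))
	fmt.Printf("fixed bundle: %d empty block(s)\n", CountEmptyBlocks(bundleFixed(leaf, nil)))
}
```

`CountEmptyBlocks` is also a cheap admission check for a controller or CI step: a `tls.crt` with any empty block will be rejected by the TLS terminator, so catching it at secret-creation time gives a clearer error than the `PEM_read_bio_X509 ... failed (SSL:)` line from the Ingress Controller logs.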

@munnerz
Member

munnerz commented Aug 9, 2018

Opened #811

@munnerz munnerz added this to the v0.4 milestone Aug 9, 2018
@munnerz munnerz self-assigned this Aug 9, 2018