SubjectAltName with IP address doesn't work #4687

Closed
kprasad99 opened this issue Oct 17, 2019 · 2 comments

@kprasad99

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): SSL, certificate, SubjectAltName


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

NGINX Ingress controller version: 0.24.1

Kubernetes version (use kubectl version): v1.16.1

Environment:

  • Cloud provider or hardware configuration: On-Prem
  • OS (e.g. from /etc/os-release): CentOS 7
  • Kernel (e.g. uname -a): 3.10.0-957.21.3.el7.x86_64
  • Install tools:
  • Others:

What happened:

Generated a self-signed certificate with subAltNames containing IP addresses as well. When I try to access with the domain name, I was able to access the endpoint with the self-signed certificate; however, when I use the IP address, the endpoint is accessed with the "Kubernetes Ingress Controller Fake Certificate".

What you expected to happen:
Since the IP address is also configured in subAltNames, the self-signed certificate should be used.

How to reproduce it (as minimally and precisely as possible):

  • Generate the certificate

```bash
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout tls.key -out tls.crt -extensions san -config \
  <(echo "[req]";
    echo distinguished_name=req;
    echo "[san]";
    echo subjectAltName=DNS:*.local,DNS:kubernetes.default.svc.cluster.local,IP:192.168.56.112,IP:192.168.56.114
    ) \
  -subj /CN=*.local
```

  • Add certificate to k8s

```bash
kubectl create secret tls k-tls --cert tls.crt --key tls.key
```

  • Configure ingress with tls

```yaml
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: k-ui
          servicePort: http
        path: /
  tls:
  - secretName: k-tls
```

Anything else we need to know:

@kprasad99
Author

similar to this issue #886

@aledbf
Member

aledbf commented Dec 31, 2019

Closing. The only way to support this use case is to define k-tls as the default SSL certificate. The reason for this is related to the lack of context (host field) to match the certificate inside the secretName and because an ingress without a host field is mapped to the default NGINX server.

@aledbf aledbf closed this as completed Dec 31, 2019
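
The resolution described in the closing comment, as an added example that is not part of the original thread or the project's own manifests: the controller is started with `--default-ssl-certificate` pointing at the secret. The Deployment name, container name, the `ingress-nginx` namespace, and the `default` namespace for `k-tls` are assumptions; adjust them to your install.

```yaml
# Added example (not from the issue): fragment of the controller Deployment.
# Assumptions: the controller runs as Deployment "nginx-ingress-controller"
# in namespace "ingress-nginx", and the k-tls secret from the reproduction
# steps was created in namespace "default".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller        # assumed name
  namespace: ingress-nginx              # assumed namespace
spec:
  template:
    spec:
      containers:
      - name: nginx-ingress-controller  # assumed container name
        args:
        - /nginx-ingress-controller
        # ... keep the arguments your install already passes ...
        # Without the flag below, the default NGINX server presents the
        # "Kubernetes Ingress Controller Fake Certificate". A host-less
        # Ingress rule is mapped to that default server, so the secretName
        # in its tls section is never matched.
        - --default-ssl-certificate=default/k-tls   # <namespace>/<secret name>
```

The default certificate is also presented for any `tls:` section that has no `secretName`, so treat `k-tls` as a controller-wide fallback rather than a per-application certificate.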