apisix-ingress-controller

request help: When I create an Ingress, why is an empty certificate generated?

Open jelly320 opened this issue 2 years ago • 6 comments

Issue description

In our business scenario, we have our own server certificate request.

I create a secret,

kubectl create secret tls 996a-tls   --cert=996a.com.crt  --key=996a.com.key

and then I create an Ingress that uses this secret,

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: testservice-ingress
spec:
  # apisix-ingress-controller is only interested in Ingress
  # resources with the matched ingressClass name, in our case,
  # it's apisix.
  ingressClassName: apisix
  rules:
  - host: test-serivce-ingress.996a.com
    http:
      paths:
      - backend:
          service:
            name: test-svc
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - test-serivce-ingress.996a.com
    secretName: 996a-tls

Everything is ok: image

but why is an empty certificate generated? image

This caused my https request to not respond properly:

# curl https://test-serivce-ingress.996a.com:9443
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

# curl http://test-serivce-ingress.996a.com:80
test-clusterip-deploy-dfdbbddfd-h9m2f

Environment

  • your apisix-ingress-controller version (output of apisix-ingress-controller version --long):
  • your Kubernetes cluster version (output of kubectl version):
  • if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a):

apisix version: apache/apisix:3.5.0-debian

apisix-ingress-controller version: apache/apisix-ingress-controller:1.6.0

kubernetes version: v1.24.6

jelly320 avatar Oct 09 '23 09:10 jelly320

APISIX Ingress controller will synchronize SSL resources for APISIX according to your configuration.

Please directly query the specific information of SSL resources through Admin API. The apisix-dashboard project may have bugs and cannot be used as a reference.

tao12345666333 avatar Oct 10 '23 07:10 tao12345666333

> APISIX Ingress controller will synchronize SSL resources for APISIX according to your configuration.
>
> Please directly query the specific information of SSL resources through Admin API. The apisix-dashboard project may have bugs and cannot be used as a reference.

OK, I used an Admin API request to get the information of the SSL, and its result is as follows:

curl http://apisix-admin.apisix.svc.cluster.local:9180/apisix/admin/ssls -H 'X-API-KEY: ******'
{"total":2,"list":[{"key":"/apisix/ssls/482019372689261535","value":{"id":"482019372689261535","cert":"xxx","validity_start":1674950400,"status":1,"update_time":1696835534,"snis":["*.996a.com","996a.com"],"key":"xxx","create_time":1696835534,"validity_end":1709164799},"createdIndex":52,"modifiedIndex":52},{"key":"/apisix/ssls/dd58f31b","value":{"id":"dd58f31b","cert":"xxx","update_time":1697096192,"status":1,"labels":{"meta_secret_name":"996a-tls","meta_secret_namespace":"default","managed-by":"apisix-ingress-controller"},"key":"xxx","create_time":1696841539,"snis":["test-serivce-ingress.996a.com"],"type":"server"},"createdIndex":89,"modifiedIndex":302}]}

Importantly, the generation of this SSL certificate does make HTTPS requests impossible (the result is as above). When I delete this certificate in the dashboard, HTTPS requests are normal. Of course, this doesn't make sense, because the certificate can't be deleted, presumably the controller will sync

jelly320 avatar Oct 12 '23 08:10 jelly320

@tao12345666333

jelly320 avatar Oct 12 '23 08:10 jelly320

This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Jan 11 '24 01:01 github-actions[bot]

So, have you solved the problem? It seems that the SSL with key /apisix/ssls/482019372689261535 doesn't have labels like

      "labels": {
          "meta_secret_name": "996a-tls",
          "meta_secret_namespace": "default",
          "managed-by": "apisix-ingress-controller"
      },

Did you create it manually?

ronething avatar Feb 04 '24 07:02 ronething
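
The label check raised in the comment above, as an added example (not code from this thread or from the APISIX project): it reads a trimmed copy of the Admin API response quoted earlier and, for a given host, lists every SSL object whose SNIs cover it, along with whether the object carries the controller's labels. The single-label wildcard rule in `sni_matches` is a simplifying assumption, not a statement of how APISIX itself selects a certificate.

```python
import json

# Trimmed copy of the Admin API response quoted earlier in this thread
# (cert/key already redacted as "xxx"; timestamps and indexes omitted).
ADMIN_SSLS = json.loads("""
{"total":2,"list":[
 {"key":"/apisix/ssls/482019372689261535",
  "value":{"id":"482019372689261535","cert":"xxx","key":"xxx","status":1,
           "snis":["*.996a.com","996a.com"]}},
 {"key":"/apisix/ssls/dd58f31b",
  "value":{"id":"dd58f31b","cert":"xxx","key":"xxx","status":1,"type":"server",
           "labels":{"meta_secret_name":"996a-tls",
                     "meta_secret_namespace":"default",
                     "managed-by":"apisix-ingress-controller"},
           "snis":["test-serivce-ingress.996a.com"]}}]}
""")

CONTROLLER = "apisix-ingress-controller"


def sni_matches(pattern, host):
    """Exact match, or '*.' covering one extra left-most label (assumption)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def audit(ssls, host):
    """Return (id, origin, matching SNIs) for each SSL object covering host."""
    rows = []
    for item in ssls["list"]:
        value = item["value"]
        hits = [s for s in value.get("snis", []) if sni_matches(s, host)]
        if not hits:
            continue
        labels = value.get("labels", {})
        if labels.get("managed-by") == CONTROLLER:
            origin = "secret {}/{}".format(labels.get("meta_secret_namespace"),
                                           labels.get("meta_secret_name"))
        else:
            origin = "unlabelled"  # not tagged as created by the controller
        rows.append((value["id"], origin, hits))
    return rows


if __name__ == "__main__":
    for row in audit(ADMIN_SSLS, "test-serivce-ingress.996a.com"):
        print(row)
```

More than one row for the same host means several SSL objects are candidates for that SNI, so each object's certificate chain has to be checked separately.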

This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar May 05 '24 01:05 github-actions[bot]

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

github-actions[bot] avatar Jun 05 '24 01:06 github-actions[bot]