NGINX ingress controller doesn't use TLS certificate on www subdomain
I assume I am using a very common ingress definition. I've got a domain and I'd like to serve a SPA on https://example.com and a redirect to the non-www version on https://wwww.example.com. To achieve this my first step was to make the website available on both URLs, but I already failed here.
The problem:
NGINX returns the Kubernetes fake certificate on the www. version of my domain, but it properly uses my LetsEncrypt certificate which is stored as a secret in the right namespace for the non-www version. Accordingly the non-www version works perfectly fine, but I get a NET::ERR_CERT_AUTHORITY_INVALID (because it's using the Kubernetes fake certificate) on the www version.
My ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  creationTimestamp: 2018-10-27T11:49:18Z
  generation: 2
  labels:
    app: nodejs
    chart: nodejs-1.1.6
    heritage: Tiller
    release: game-frontend
  name: game-frontend
  namespace: microservices
  resourceVersion: "2669700"
  selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/game-frontend
  uid: 563e8559-d9de-11e8-a079-42010a84024d
spec:
  rules:
  - host: example.io
    http:
      paths:
      - backend:
          serviceName: game-frontend
          servicePort: http
        path: /
  - host: wwww.example.io
    http:
      paths:
      - backend:
          serviceName: game-frontend
          servicePort: http
        path: /
  tls:
  - hosts:
    - example.io
    - wwww.example.io
    secretName: game-frontend-tls
status:
  loadBalancer:
    ingress:
    - ip: redacted
The question:
Why does it not use the provided letsencrypt certificate for the www version as well?
nginx kubernetes nginx-ingress
edited Nov 20 at 7:17 by Patrick W
asked Nov 10 at 20:50 by kentor
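One check for the symptom described in the question, as an added example that is not part of the original post: a name can only be served with the secret's certificate if it is listed under `tls.hosts` and the certificate itself names it. The `diagnose` and `san_matches` helpers are hypothetical, the model is a simplification rather than ingress-nginx code, and the SAN list is a constructed sample.

```python
# Added diagnostic example; a simplified model, not ingress-nginx source code.

INGRESS = {  # tls block copied from the resource in the question
    "spec": {
        "tls": [{
            "hosts": ["example.io", "wwww.example.io"],
            "secretName": "game-frontend-tls",
        }]
    }
}

# Constructed sample: DNS names assumed to be in the secret's certificate.
# Read the real ones with:
#   kubectl -n microservices get secret game-frontend-tls \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d \
#     | openssl x509 -noout -ext subjectAltName
CERT_SANS = ["example.io"]


def san_matches(pattern, host):
    """RFC 6125 style match: '*' only as the whole left-most label, one label deep."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    # '*.example.io' covers 'www.example.io', not 'example.io' or 'a.b.example.io'.
    return bool(head) and rest == p[2:] and "." in rest


def diagnose(ingress, cert_sans, requested):
    """Return 'ok', 'san-mismatch' or 'no-tls-entry' for the requested hostname."""
    for entry in ingress["spec"].get("tls", []):
        if requested.lower() in (h.lower() for h in entry.get("hosts", [])):
            if any(san_matches(s, requested) for s in cert_sans):
                return "ok"
            # Listed in the Ingress, but the certificate does not name this host.
            return "san-mismatch"
    # The name the client asked for is not in any tls.hosts list.
    return "no-tls-entry"


if __name__ == "__main__":
    for name in ("example.io", "wwww.example.io", "www.example.io"):
        print(f"{name:18} {diagnose(INGRESS, CERT_SANS, name)}")
```

Any result other than `ok` means the secret's certificate cannot validly be presented for that name, so the hostname typed into the browser, the `tls.hosts` entries and the certificate's SAN list all need to agree.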