Kubernetes: TLS on an Ingress; hosts using wrong certificate

4/25/2018

I want to secure my K8s application with TLS. I've generated 2 SSL certificates with Let's Encrypt: one for kamerbaas.nl and one for gateway.kamerbaas.nl. I created two secrets from the files tls.crt and tls.key for each domain.

The YAML file of my Ingress is as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gateway-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - gateway.kamerbaas.nl
    secretName: gateway.kamerbaas.nl
  - hosts:
    - kamerbaas.nl
    secretName: kamerbaas.nl
  rules:
  - host: gateway.kamerbaas.nl
    http:
      paths:
      - path: /*
        backend:
          serviceName: kb-gateway
          servicePort: 80
  - host: kamerbaas.nl
    http:
      paths:
      - path: /*
        backend:
          serviceName: kb-frontend
          servicePort: 80

The catch: When I go to https://gateway.kamerbaas.nl, it works; it's showing a green lock. When I go to https://kamerbaas.nl however, it says it's not secure, since it's trying to use the certificate of gateway.kamerbaas.nl.

I've ruled out the possibility that it's a cache issue, and I've ensured that I didn't mix my certificate files up. I'm 100% sure the secrets are right.

Why is kamerbaas.nl trying to use the certificate of gateway.kamerbaas.nl?

P.S. gateway.kamerbaas.nl has a node-express server running with HTTPS. I've loaded my certificates there as well. kamerbaas.nl has a node server without HTTPS, could that be the problem? I'm guessing it doesn't matter, since my Ingress rules only point to port 80 of my services, which is the port for unsecured HTTP.

-- Jaap Weijland
google-kubernetes-engine
kubernetes
lets-encrypt
ssl

0 Answers
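A way to confirm the symptom described in the question from outside the cluster, as an added example that is not part of the original post: connect to each hostname with SNI set and compare the names in the certificate that comes back. The function names and the constructed sample data are this example's own.

```python
import socket
import ssl

def san_matches(hostname, dns_names):
    """True if hostname is covered by a DNS SAN (wildcard in left-most label only)."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # A wildcard covers exactly one label: *.example.test matches
        # a.example.test, but not example.test or a.b.example.test.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def served_dns_names(hostname, port=443, timeout=5.0):
    """Connect with SNI=hostname and return the DNS SANs of the certificate served."""
    ctx = ssl.create_default_context()
    # The chain is still validated; the name check is done by san_matches so that
    # a mismatching certificate can be inspected instead of aborting the handshake.
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def audit(hosts, fetch=served_dns_names):
    """Map each host to (served SANs, ok) so a mismatch shows which certificate came back."""
    report = {}
    for host in hosts:
        sans = fetch(host)
        report[host] = (sans, san_matches(host, sans))
    return report

# Constructed sample reproducing the symptom from the question (not captured data):
# both hostnames receive the certificate issued for gateway.kamerbaas.nl.
CONSTRUCTED_SAMPLE = {
    "gateway.kamerbaas.nl": ["gateway.kamerbaas.nl"],
    "kamerbaas.nl": ["gateway.kamerbaas.nl"],
}

if __name__ == "__main__":
    # Offline run on the constructed sample; drop the fetch argument for a live check.
    result = audit(CONSTRUCTED_SAMPLE, fetch=CONSTRUCTED_SAMPLE.__getitem__)
    for host, (sans, ok) in result.items():
        print(f"{host}: {'OK' if ok else 'MISMATCH'} (served SANs: {sans})")
```

A host that reports MISMATCH together with the other host's SANs indicates that the TLS endpoint is presenting one certificate for every name, which points at the load balancer or ingress controller rather than at the secrets themselves.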