Proxy nginx to ingress-nginx for migration purposes

8/4/2018

Context

I'm migrating from a traditional docker host to a kubernetes cluster.

I want to have continuity of service during that migration.

For that purpose, I proxy the local nginx to the remote ingress-nginx. Then I update the DNS records. This is a nice setup for 2 reasons:

  • the traffic continues to flow while the DNS propagates
  • I can generate a Let's Encrypt cert in the ingress-nginx, so once the DNS has propagated, my clients are served with a proper cert

In the meantime, until the cert is generated, nginx will get served the default self-signed cert. I know it, so I want to verify against this, but I can't manage to do it.

Minimal issue

Without discussing the nginx configuration much, we can reproduce the issue with curl only.

This is how I get the remote self-signed cert:

openssl s_client -showcerts -servername standard.ingress.indie.host -connect standard.ingress.indie.host:443 < /dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > server.pem

And I expect the following command to work:

curl --cacert ./server.pem https://standard.ingress.indie.host

But it doesn't. I'm wondering what I'm doing wrong; if you could help, it would be awesome! Thanks!

PS: this is the real host, so you can test against it; the issue is live.

-- Pierre Ozoux
curl
kubernetes
kubernetes-ingress
nginx

1 Answer

8/5/2018

I think there are two things preventing that curl command from working, in this order:

  1. X509v3 Basic Constraints: critical CA:FALSE
  2. X509v3 Subject Alternative Name: DNS:ingress.local

The O=Acme Co, CN=Kubernetes Ingress Controller Fake Certificate certificate is not a CA; it's just self-signed. Therefore (as I understand it) no value of --cacert would represent the "parent" in the X509 hierarchy and enable curl to trust the CA cert's child certificates.

However, even if there was a hypothetical issuing CA for that certificate, it is only issued for a SAN of ingress.local, which standard.ingress.indie.host definitely does not match.

I can't tell from your question whether curl --insecure is an option for you, or whether you are merely using curl to show the bad SSL outcome that is happening for the browsers (which don't easily have --insecure).

Having said that, I believe it would be possible to actually generate a fake CA, issue a certificate against it, install that in nginx, and then feed the fake CA to curl --cafile (or, if required, install the CA into the trusted certificate store of the OS).

Please do follow up if there are more specifics you would find helpful.

-- mdaniel
Source: StackOverflow
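The two failure modes the answer names, and the fix it proposes, reproduced locally with openssl. This is an added example and not code from the question, the answer or the ingress-nginx project. It assumes an openssl CLI (1.1.1 or later) and a POSIX sh; the temp-directory layout, the config section names and the CA name "Migration private CA" are illustrative, and the hostname is the one from the question, used here only as a SAN in a locally issued certificate. It builds a self-signed non-CA certificate with the same shape as the ingress "fake" certificate, a private CA, and a certificate for the real hostname signed once by each, then runs openssl verify against them.

```shell
#!/bin/sh
# Added example, not from the question or the answer: reproduce the two
# problems the answer names (CA:FALSE trust anchor, wrong SAN) with locally
# generated certificates, then show the proposed fix (a private CA issuing a
# cert for the real hostname). Assumes `openssl` 1.1.1+; file names are illustrative.
set -e

WORK="$(mktemp -d)"
# Hostname from the question; only used as a SAN in a locally issued cert.
HOST="standard.ingress.indie.host"

# One config file carrying the extension section for each certificate shape.
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[fake]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:ingress.local
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# (1) Self-signed, non-CA "fake" cert: same subject and extensions as the
#     ingress-nginx default cert the answer quotes.
openssl req -x509 -config "$WORK/req.cnf" -extensions fake -newkey rsa:2048 -nodes \
  -days 1 -subj "/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate" \
  -keyout "$WORK/fake.key" -out "$WORK/fake.pem" >/dev/null 2>&1

# (2) A private CA (CA:TRUE, keyCertSign) and a CSR for the real hostname.
openssl req -x509 -config "$WORK/req.cnf" -extensions ca -newkey rsa:2048 -nodes \
  -days 1 -subj "/CN=Migration private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1

# (3) The same CSR signed by the private CA ...
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions leaf \
  -out "$WORK/leaf.pem" >/dev/null 2>&1
# ... and by the fake cert: openssl signs happily, but the result cannot verify
#     because the issuer carries basicConstraints CA:FALSE.
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/fake.pem" -CAkey "$WORK/fake.key" \
  -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions leaf \
  -out "$WORK/leaf_by_fake.pem" >/dev/null 2>&1

# Chain check only: $1 = trust anchor file, $2 = cert to verify.
# Succeeds only when openssl prints "<file>: OK"; the exit status is not
# relied on because older releases were inconsistent about it.
verify_chain() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}
# Chain check plus hostname check, which is what a TLS client also does: $3 = hostname.
verify_host() {
  out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 || true)
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

report() {  # $1 = label, rest = check to run
  label=$1; shift
  if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

# The two extension lines the answer points at, as openssl prints them.
openssl x509 -in "$WORK/fake.pem" -noout -text | grep -A1 -E 'Basic Constraints|Subject Alternative Name'

report "fake cert for $HOST (its SAN is ingress.local)" \
  verify_host "$WORK/fake.pem" "$WORK/fake.pem" "$HOST"
report "cert issued by the non-CA fake cert" \
  verify_chain "$WORK/fake.pem" "$WORK/leaf_by_fake.pem"
report "cert issued by the private CA, for $HOST" \
  verify_host "$WORK/ca.pem" "$WORK/leaf.pem" "$HOST"

# With leaf.pem/leaf.key installed in nginx, the client side of the fix is:
#   curl --cacert "$WORK/ca.pem" "https://$HOST"
```

The first two checks fail and the third passes. The -verify_hostname step is the SAN point: even a trusted chain is rejected when no SAN matches the name the client connected to, and the CN is not consulted once a SAN is present. The client side is the same flag the question already uses, --cacert pointing at ca.pem; for browsers, ca.pem is what goes into the OS trust store, as the answer suggests.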