I have an application deployment at foo.example.com running on Kubernetes (GKE). The ingress definition looks like this:
```yaml
spec:
  tls:
  - hosts:
    - "foo.example.com"
    secretName: foo-example-com
  rules:
  - host: "foo.example.com"
    http:
      paths:
      - path: /*
        backend:
          serviceName: web
          servicePort: 80
```
When I navigate to http://foo.example.com/ I get (correctly) redirected to https://foo.example.com/ with the proper certificate in place.

However, I have example.com in my Search Domains, so a `ping foo` correctly resolves to the Kubernetes ingress. But when I go to https://foo/ in my browser, I get the following error message in Chrome:
Your connection is not private
Attackers might be trying to steal your information from foo (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Kubernetes Ingress Controller Fake Certificate
Issuer: Kubernetes Ingress Controller Fake Certificate
Expires on: Oct 1, 2019
Current date: Oct 9, 2018
How would you get this working? Obviously, I can't get a certificate for foo without some self-signing hackery, which I'd rather not attempt.
So the way I solved this was to add a redirect ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirect-ingress
  annotations:
    # handled by the nginx ingress controller, not the default GKE (GCE) one
    kubernetes.io/ingress.class: nginx
    # no ACME certificate should be requested for the bare name "foo"
    kubernetes.io/tls-acme: "false"
    # raw nginx config injected into the server block for host "foo"
    ingress.kubernetes.io/configuration-snippet: |
      if ($host ~ ^foo$) {
        return 301 https://foo.example.com$request_uri;
      }
spec:
  rules:
  - host: "foo"
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80
```
I'm not sure if it's optimal, but it did work.
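The redirect above lives in an nginx configuration snippet, so it is easy to test only once it is deployed. The following is an added example, not code from the original post: the same redirect as a tiny standalone HTTP backend (the kind of thing you could point the `foo` rule at instead of using `configuration-snippet`), with a probe that drives it in-process. The hostnames `foo` and `foo.example.com` come from the question; everything else is assumed. It mirrors nginx semantics where they matter: `$host` is the Host header with any port stripped and lowercased, and `$request_uri` carries the path and query string through unchanged. One caveat a practitioner should keep in mind: only plaintext `http://foo/` can ever reach this redirect. A request to `https://foo/` fails during the TLS handshake (SNI `foo` matches no configured certificate, so the controller presents its default fake certificate and Chrome aborts) before any HTTP-level redirect can be sent.

```python
"""Redirect backend for a bare search-domain name.

Added example, not from the original post. Any GET/HEAD whose Host header is
"foo" (optionally with a port) is answered with
301 -> https://foo.example.com<original path and query>.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

CANONICAL_HOST = "foo.example.com"   # from the question
SHORT_NAMES = {"foo"}                # bare names that should redirect (assumed)


def canonical_location(host_header: str, request_uri: str) -> Optional[str]:
    """Return the Location to redirect to, or None when no redirect applies.

    Like nginx's $host: strip the port and lowercase. Like $request_uri:
    the path and query string are passed through untouched.
    """
    host = host_header.split(":", 1)[0].strip().lower()
    if host not in SHORT_NAMES:
        return None
    return f"https://{CANONICAL_HOST}{request_uri}"


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.path is the request-target including any "?query"
        location = canonical_location(self.headers.get("Host", ""), self.path)
        if location is None:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):  # keep the server quiet
        pass


def serve_in_background(port: int = 0) -> HTTPServer:
    """Start the redirect server on 127.0.0.1 (port 0 = pick a free port)."""
    srv = HTTPServer(("127.0.0.1", port), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(srv: HTTPServer, host_header: str, path: str) -> Tuple[int, Optional[str]]:
    """Send one GET with an explicit Host header; return (status, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    resp.read()
    conn.close()
    return result


if __name__ == "__main__":
    server = serve_in_background()
    print(probe(server, "foo", "/login?next=/dash"))      # (301, 'https://foo.example.com/login?next=/dash')
    print(probe(server, "foo.example.com", "/"))          # (404, None): canonical host is not redirected
    server.shutdown()
```

Because a browser that resolves `foo` through the search domain sends `Host: foo`, the backend only needs to key on that header; requests that already use the canonical name fall through with a 404 here, whereas in the cluster they are served by the main ingress.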
This works the same way even outside of Kubernetes. First of all, each web browser (including Chrome) ships with a list of trusted Certificate Authorities out of the box.
Your CA certs (in your Secret) are self-signed by your own Certificate Authority, which is not trusted by Chrome; that's why you see the error. You could probably import your CA into Chrome, and your Chrome instance would then trust it, but, as you know, a TLS (SSL) certificate is usually issued for a particular domain or a wildcard (CN), so foo likely won't match the wildcard expression of your certificate and you will see another SSL error: NET::ERR_CERT_COMMON_NAME_INVALID. So, you will have to use a rewrite rule to make it work.
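To make the name-mismatch point concrete, here is an added example (not part of the answer above) that reimplements the browser-style hostname check: exact label-by-label comparison, case-insensitive, with a wildcard allowed only as the entire leftmost label, covering exactly one label, and only when at least two literal labels remain (`*.example.com` is fine, `*.com` is not). Those rules are the ones Chrome and Firefox apply to the SubjectAltName dNSName entries; note that Chrome has ignored the CN entirely since version 58, so the names to check are the SANs. The names `foo`, `foo.example.com` and `*.example.com` are taken from the discussion; the functions are assumptions of this example.

```python
"""Browser-style certificate name matching (added example, not from the answer).

Shows why a certificate for foo.example.com or *.example.com never matches the
bare search-domain name "foo": neither an exact comparison nor the wildcard
rule can cover a single-label name.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def hostname_matches(presented: str, reference: str) -> bool:
    """Compare one dNSName from the certificate against the URL hostname.

    presented: the SAN entry, possibly "*.example.com"
    reference: the hostname the browser connected to
    """
    p, r = _labels(presented), _labels(reference)
    if p == r:
        return True                      # exact, case-insensitive match
    if p[0] != "*":
        return False                     # no wildcard, so nothing else can match
    # Wildcard rules as browsers apply them (assumption of this example):
    # the whole leftmost label is "*", no other label contains "*", and at
    # least two literal labels remain so "*.com"-style names are rejected.
    if len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    # "*" stands for exactly one label, never zero and never several, so the
    # reference must have the same label count and a non-empty first label.
    if len(r) != len(p) or r[0] == "":
        return False
    return p[1:] == r[1:]


def cert_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True when any SAN dNSName in the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    sans = ["foo.example.com", "*.example.com"]   # names from the question
    for host in ["foo.example.com", "bar.example.com", "foo", "a.b.example.com"]:
        print(f"{host:20s} -> {'ok' if cert_matches(host, sans) else 'NAME MISMATCH'}")
```

Run it and `foo` reports a mismatch against both SAN entries, which is exactly the `NET::ERR_CERT_COMMON_NAME_INVALID` situation the answer predicts once the authority problem is out of the way; the only certificate that would satisfy the check is one carrying the bare name `foo` itself, which no public CA will issue.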