AWS ALB Ingress Controller doesn't resolve over TLS


I've installed and configured AWS ALB Ingress Controller and it's working properly over HTTP. However, it doesn't resolve over HTTPS.

The Ingress resource is the following:

$ kubectl describe ingress api-gateway-ingress
Name:             api-gateway-ingress
Namespace:        orbix-mvp
Default backend:  default-http-backend:80 (<none>)
TLS: terminates,
  Host  Path  Backends
  ----  ----  --------
        /*   api-gateway:3000 (<none>)
Annotations:                       alb                  internet-facing              ELBSecurityPolicy-2016-08                 subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9           302  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"":"internet-facing","":"ELBSecurityPolicy-2016-08","":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","":"302","":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}

Events:  <none>

I've also added a self-signed SSL certificate as per the instructions over here:

On edit the Ingress looks like the following:

apiVersion: extensions/v1beta1
kind: Ingress
  annotations: internet-facing ELBSecurityPolicy-2016-08 subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9 "302" |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"":"internet-facing","":"ELBSecurityPolicy-2016-08","":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","":"302","":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}} alb
  creationTimestamp: "2019-03-07T14:57:22Z"
  generation: 8
    app: api-gateway
  name: api-gateway-ingress
  namespace: orbix-mvp
  resourceVersion: "2230952"
  selfLink: /apis/extensions/v1beta1/namespaces/orbix-mvp/ingresses/api-gateway-ingress
  uid: 4fd70b63-40e9-11e9-bfe7-024a064218ac
  - http:
      - backend:
          serviceName: api-gateway
          servicePort: 3000
        path: /*
  - hosts:
    - hostname:

Thing is, the Ingress doesn't resolve over TLS - it just times out. As far as I'm aware this is the correct way to set it up, so I'm rather clueless as to why it's not working. Any help is appreciated.

-- Neekoy

1 Answer


I think you are mixing up 2 different things here: You want to use ALB Ingress Controller, but you're showing that you're using the configuration for the Nginx Controller. Those are actually 2 pretty different projects. They serve a common purpose but are actually completely different ways to solve it. Nginx is running on your cluster, while ALB Ingress Controller is actually just configuring an ALB which runs on its own machine(s).

The catch is that ALB cannot use custom certificates. At least not directly from Kubernetes. They need to be put in ACM first.

If you have a certificate in ACM already, ALB Ingress Controller should match it, according to the documentation.

You can also specify which certificate to use for your load balancer like this: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03

(replace with the ARN you get from ACM)

Some more general tips for debugging this:

  1. Search for the load balancer in the AWS Management Console and check whether your listeners have been applied as you expect. If it looks like you would have configured it, something must be wrong with the logic here already.
  2. If they are not applied, ALB Ingress Controller probably had a problem parsing your ingress. Check the logs of the alb-ingress-controller pod in the kube-system namespace to get more details about that.
-- Pampy
Source: StackOverflow
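
The checks the answer describes can be run against the Ingress manifest before looking at the load balancer itself. The following is an added example, not code from the question, the answer, or the controller project. It assumes the v1 controller's `alb.ingress.kubernetes.io/*` annotation names (the page's copies lost their keys), and the sample host, secret name, and finding codes are constructed for illustration.

```python
import json

ALB = "alb.ingress.kubernetes.io/"

# Constructed sample modelled on the question's Ingress (JSON form, as returned by
# `kubectl get ingress -o json`); the host and secret name are made up.
SAMPLE = json.loads("""
{"metadata": {"name": "api-gateway-ingress", "annotations": {
    "kubernetes.io/ingress.class": "alb",
    "alb.ingress.kubernetes.io/scheme": "internet-facing",
    "alb.ingress.kubernetes.io/ssl-policy": "ELBSecurityPolicy-2016-08"}},
 "spec": {"tls": [{"hosts": ["api.example.test"], "secretName": "self-signed-tls"}],
          "rules": [{"http": {"paths": [{"path": "/*", "backend":
              {"serviceName": "api-gateway", "servicePort": 3000}}]}}]}}
""")

MESSAGES = {
    "not-alb-class": "ingress.class is not 'alb'; another controller owns this Ingress",
    "no-certificate-arn": "no certificate-arn; the controller must match an ACM cert itself",
    "bad-certificate-arn": "certificate-arn value is not an ARN",
    "no-https-listener": "listen-ports has no HTTPS entry, so nothing answers on 443",
    "tls-secret-ignored": "spec.tls secretName is not loaded by the ALB; put the cert in ACM",
    "legacy-ssl-policy": "ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1",
}

def lint_alb_https(ingress):
    """Return finding codes explaining why HTTPS may fail on an ALB-backed Ingress."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    if ann.get("kubernetes.io/ingress.class") != "alb":
        return ["not-alb-class"]
    found = []
    arns = [a.strip() for a in ann.get(ALB + "certificate-arn", "").split(",") if a.strip()]
    if not arns:
        found.append("no-certificate-arn")
    elif not all(a.startswith("arn:") for a in arns):
        found.append("bad-certificate-arn")
    # Assumed default (controller annotation docs): HTTPS:443 only when an ARN is set.
    default = '[{"HTTPS": 443}]' if arns else '[{"HTTP": 80}]'
    ports = json.loads(ann.get(ALB + "listen-ports", default))
    if not any("HTTPS" in p for p in ports):
        found.append("no-https-listener")
    if any(t.get("secretName") for t in ingress.get("spec", {}).get("tls") or []):
        found.append("tls-secret-ignored")
    if ann.get(ALB + "ssl-policy") == "ELBSecurityPolicy-2016-08":
        found.append("legacy-ssl-policy")
    return found

if __name__ == "__main__":
    for code in lint_alb_https(SAMPLE):
        print(f"{code}: {MESSAGES[code]}")
```

A manifest with no HTTPS listener matches the timeout in the question: the ALB is created with port 80 only, so connections to 443 are never answered.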