Kubernetes Helm Orangehrm HTTPS - Bad Request

6/10/2019

I'm kinda new to the Kubernetes technology, sorry if I'm asking something really dumb. I've been trying to install OrangeHRM with Helm, with no major problems actually, and HTTP works fine, but when I try to access it through the HTTPS URL, it shows me a Bad Request error.

It's been installed with a modified value.yaml for the db configuration and also for the user and password to log in. But the rest is just as it is in the GitHub repository. The secret and login were set apart in my Kubernetes configuration from this value.yaml file because the secret wasn't working.

image:
  registry: docker.io
  repository: bitnami/orangehrm
  tag: 4.3.1-0-debian-9-r8
  pullPolicy: IfNotPresent
orangehrmUsername: admin
orangehrmPassword: admin
externalDatabase:
  host: [REDACTED]
  user: [REDACTED]
  password: [REDACTED]
  database: [REDACTED]
mariadb:
  enabled: false
  replication:
    enabled: true
  db:
    name: orangehrm
    user: [REDACTED]
    password: [REDACTED]
  master:
    persistence:
      enabled: true
      accessMode: ReadWriteOnce
      size: 8Gi
service:
  type: NodePort
  port: 80
  httpsPort: 443
  nodePorts:
    http: ""
    https: ""
  externalTrafficPolicy: Cluster
persistence:
  enabled: true
  orangehrm:
    storageClass: slow
    accessMode: ReadWriteOnce
    size: 8Gi
  apache:
    storageClass: slow
    accessMode: ReadWriteOnce
    size: 16Gi
resources:
  requests:
    memory: 512Mi
    cpu: 300m
podAnnotations: {}
ingress:
  enabled: true
  certManager: false
  annotations:
    kubernetes.io/ingress.class: nginx
  hosts:
  - name: [REDACTED].com
    path: /
    tls: false
    tlsSecret: orangehrm-orangehrm
  secrets:
metrics:
  enabled: false
  image:
    registry: docker.io
    repository: lusotycoon/apache-exporter
    tag: v0.5.0
    pullPolicy: IfNotPresent

  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9117"

Bad Request

Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port.

curl -v output

* About to connect() to orangehrm.[REDACTED].com port 443 (#0)
*   Trying 192.168.20.250...
* Connected to orangehrm.[REDACTED].com ([REDACTED]) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=orangehrm.[REDACTED].com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
*       start date: Jun 07 13:01:54 2019 GMT
*       expire date: Jun 04 13:01:54 2029 GMT
*       common name: orangehrm.[REDACTED].com
*       issuer: O=[REDACTED],L=C.A.B.A.,ST=Buenos Aires,C=AR
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: orangehrm.[REDACTED].com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.15.8
< Date: Wed, 12 Jun 2019 13:49:43 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 362
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>
* Connection #0 to host orangehrm.[REDACTED].com left intact

kubectl get -o yaml pods -l chart output:

apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: "2019-06-12T13:41:42Z"
    generateName: orangehrm-orangehrm-76dfdf78f4-
    labels:
      app: orangehrm-orangehrm
      chart: orangehrm-4.1.0
      pod-template-hash: 76dfdf78f4
      release: orangehrm
    name: orangehrm-orangehrm-76dfdf78f4-hdnj9
    namespace: default
    ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: ReplicaSet
      name: orangehrm-orangehrm-76dfdf78f4
      uid: d02765de-8d17-11e9-88b3-00155d00973f
    resourceVersion: "19055796"
    selfLink: /api/v1/namespaces/default/pods/orangehrm-orangehrm-76dfdf78f4-hdnj9
    uid: d04480cd-8d17-11e9-88b3-00155d00973f
  spec:
    containers:
    - env:
      - name: ALLOW_EMPTY_PASSWORD
        value: "yes"
      - name: MARIADB_HOST
        value: 192.168.0.132
      - name: MARIADB_PORT_NUMBER
        value: "3306"
      - name: ORANGEHRM_DATABASE_NAME
        value: orangehrm
      - name: ORANGEHRM_DATABASE_USER
        value: orangehrm_user
      - name: ORANGEHRM_DATABASE_PASSWORD
        valueFrom:
          secretKeyRef:
            key: db-password
            name: orangehrm-externaldb
      - name: ORANGEHRM_USERNAME
        value: admin
      - name: ORANGEHRM_PASSWORD
        valueFrom:
          secretKeyRef:
            key: orangehrm-password
            name: orangehrm-orangehrm
      - name: SMTP_HOST
      - name: SMTP_PORT
      - name: SMTP_USER
      - name: SMTP_PASSWORD
        valueFrom:
          secretKeyRef:
            key: smtp-password
            name: orangehrm-orangehrm
      - name: SMTP_PROTOCOL
        value: none
      image: docker.io/bitnami/orangehrm:4.3.0-0
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 3
        httpGet:
          path: /symfony/web/index.php
          port: http
          scheme: HTTP
        initialDelaySeconds: 120
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      name: orangehrm-orangehrm
      ports:
      - containerPort: 80
        name: http
        protocol: TCP
      - containerPort: 443
        name: https
        protocol: TCP
      readinessProbe:
        failureThreshold: 3
        httpGet:
          path: /symfony/web/index.php
          port: http
          scheme: HTTP
        initialDelaySeconds: 30
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      resources:
        requests:
          cpu: 300m
          memory: 512Mi
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /bitnami/orangehrm
        name: orangehrm-data
      - mountPath: /bitnami/apache
        name: apache-data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: default-token-r2gbm
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    hostAliases:
    - hostnames:
      - status.localhost
      ip: 127.0.0.1
    nodeName: l004
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: default
    serviceAccountName: default
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - name: orangehrm-data
      persistentVolumeClaim:
        claimName: orangehrm-orangehrm-orangehrm
    - name: apache-data
      persistentVolumeClaim:
        claimName: orangehrm-orangehrm-apache
    - name: default-token-r2gbm
      secret:
        defaultMode: 420
        secretName: default-token-r2gbm
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:41:49Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:42:52Z"
      status: "True"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:42:52Z"
      status: "True"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:41:42Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: docker://725ddef8da29d353006996d95b248f4ee5cea0bed2542350fc7d63d4dfb0fecb
      image: bitnami/orangehrm:4.3.0-0
      imageID: docker-pullable://bitnami/orangehrm@sha256:2f0bd90d975a22c7a6237c6fd86c7939df856cf74edd8dcf839df440a5c62606
      lastState: {}
      name: orangehrm-orangehrm
      ready: true
      restartCount: 0
      state:
        running:
          startedAt: "2019-06-12T13:41:50Z"
    hostIP: 192.168.0.137
    phase: Running
    podIP: 10.40.0.65
    qosClass: Burstable
    startTime: "2019-06-12T13:41:49Z"
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Pod startup log

Welcome to the Bitnami orangehrm container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-orangehrm
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-orangehrm/issues

nami    INFO  Initializing apache
apache  INFO  ==> Patching httpoxy...
apache  INFO  ==> Configuring dummy certificates...
nami    INFO  apache successfully initialized
nami    INFO  Initializing php
nami    INFO  php successfully initialized
nami    INFO  Initializing mysql-client
nami    INFO  mysql-client successfully initialized
nami    INFO  Initializing libphp
nami    INFO  libphp successfully initialized
nami    INFO  Initializing orangehrm
orangeh INFO  Configuring permissions
orangeh INFO  Creating the database...
mysql-c INFO  Trying to connect to MySQL server
mysql-c INFO  Found MySQL server listening at 192.168.0.132:3306
mysql-c INFO  MySQL server listening and working at 192.168.0.132:3306
orangeh INFO  Preparing webserver environment...
orangeh INFO  Passing wizard, please be patient
orangeh INFO  Configuring SMTP...
orangeh INFO  Setting OrangeHRM version...
orangeh INFO
orangeh INFO  ########################################################################
orangeh INFO   Installation parameters for orangehrm:
orangeh INFO     Username: admin
orangeh INFO     Password: **********
orangeh INFO     Site URL: http://127.0.0.1/
orangeh INFO   (Passwords are not shown for security reasons)
orangeh INFO  ########################################################################
orangeh INFO
nami    INFO  orangehrm successfully initialized

I have an nginx load balancer whose Ingress is this:

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    name: https
  spec:
    rules:
      - host: orangehrm.[REDACTED].com
        http:
          paths:
            - backend:
                serviceName: orangehrm-orangehrm
                servicePort: 443
              path: /       
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - orangehrm.[REDACTED].com
          secretName: orangehrm-https
-- agustinlare
kubernetes
kubernetes-helm
orangehrm

1 Answer

6/14/2019

As best I can tell, you are terminating TLS at the Ingress controller, which is then proxying upstream as HTTP but on port 443; so you'll want to update your Ingress to say servicePort: 80, not :443.

If you really want to connect TLS all the way through to the Pod, you'll need to either enable SSL passthrough or perhaps switch to use the HTTPS backend.

-- mdaniel
Source: StackOverflow
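
The two options from the answer, written out as Ingress manifests. This is an added example, not part of the original question or answer; it reuses the names from the question's Ingress, and the second manifest's name (`https-backend`) is hypothetical. The `backend-protocol` annotation is the ingress-nginx one. Apply one manifest or the other, not both.

```yaml
# Option 1: terminate TLS at the ingress controller and proxy plain HTTP
# to the pod's HTTP port. Only servicePort changes from the question.
apiVersion: extensions/v1beta1   # same apiVersion as the question's manifest
kind: Ingress
metadata:
  name: https
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  rules:
    - host: orangehrm.[REDACTED].com
      http:
        paths:
          - path: /
            backend:
              serviceName: orangehrm-orangehrm
              servicePort: 80        # was 443: nginx was sending HTTP to Apache's TLS port
  tls:
    - hosts:
        - orangehrm.[REDACTED].com
      secretName: orangehrm-https
---
# Option 2: keep servicePort 443 and tell ingress-nginx to speak HTTPS
# to the backend, so the controller-to-pod hop is encrypted as well.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-backend              # hypothetical name for this variant
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
    - host: orangehrm.[REDACTED].com
      http:
        paths:
          - path: /
            backend:
              serviceName: orangehrm-orangehrm
              servicePort: 443
  tls:
    - hosts:
        - orangehrm.[REDACTED].com
      secretName: orangehrm-https
```

With option 2 the pod is still serving the dummy certificate mentioned in its startup log, and ingress-nginx does not verify the backend certificate by default, so that hop is encrypted but not authenticated.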