SSL Cert Not Trusted By All Browsers

7/10/2019

We have a wildcard certificate from DigiCert that is installed on our AKS instance, and it works fine for IE and Chrome, but Firefox has huge issues with it, not trusting the site. When I run the site through an SSL Checker, it indicates that

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.

These are the instructions followed to install the certs originally:

Install the SSL Certificate into Each Namespace

Export the certificate from the pfx file

You will need openssl for this. This is the best resource I could find for installing and using it in Windows 10.

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.txt

Open .txt file and remove the header (i.e. keep from -----BEGIN CERTIFICATE----- through to the bottom)

Export the private key from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.txt

Open .txt file and remove the header (i.e. keep from -----BEGIN ENCRYPTED PRIVATE KEY----- through to the bottom)

Remove the passphrase from the private key

openssl rsa -in key.txt -out server.txt

Create the secrets

Connect to the kube through Azure's CLI, then run the command:

az aks get-credentials -g aks-rg -n clustername

to merge the kube to your kubectl cli.

If you need to remove previously installed certs, you should run the following commands:

kubectl delete secret clustername-tls --namespace dev
kubectl delete secret clustername-tls --namespace test
kubectl delete secret clustername-tls --namespace uat
kubectl delete secret clustername-tls --namespace prod

To create the new certs:

kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace dev
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace test
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace uat
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace prod

What was missed to correctly install the intermediate cert?

-- Marshall Tigerus
azure
azure-kubernetes
kubernetes

1 Answer

7/10/2019

Are you using this secret as the tls-secret in the ingress?

You have to implement ingress with an ingress controller, and you have to use your secret there inside the path.

You can follow this guide to set up the ingress-nginx controller with cert-manager.

Ingress nginx will work as the load balancer and expose the application to the internet. cert-manager will manage the SSL and TLS certificate.

cert-manager automatically generates the SSL certificate and manages it.

Please follow this: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

-- Harsh Manvar
Source: StackOverflow
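
An added example, not part of the original question or answer: the export command in the question uses `-clcerts`, which makes `openssl pkcs12` write only the client (leaf) certificate, so the file passed to `--cert` holds no intermediate. The hypothetical helper `chain_status` below reads the export made without `-clcerts` and reports whether it holds a leaf-first chain; the file names and sample subjects are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Input: the raw text written by
#   openssl pkcs12 -in filename.pfx -nokeys -out chain.txt
# i.e. without -clcerts, inspected BEFORE the subject=/issuer= headers are removed.

# chain_status FILE -> prints one line per certificate and returns
#   0  two or more certificates, each one issued by the next (leaf first)
#   1  fewer than two certificates: no intermediate in the file
#   2  several certificates, but not in leaf -> intermediate order
chain_status() {
    awk '
        /^subject=/ { sub(/^subject= */, ""); subj = $0 }
        /^issuer=/  { sub(/^issuer= */, "");  iss = $0 }
        /^-----BEGIN CERTIFICATE-----/ {
            n++; s[n] = subj; i[n] = iss
            printf "cert %d: subject=[%s] issuer=[%s]\n", n, subj, iss
        }
        END {
            if (n < 2) exit 1
            for (k = 1; k < n; k++) if (i[k] != s[k + 1]) exit 2
        }
    ' "$1"
}

# Constructed sample data: names and base64 bodies are placeholders, not real certificates.
entry() {
    printf 'Bag Attributes\nsubject=%s\nissuer=%s\n' "$1" "$2"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
}
make_samples() {
    leaf='CN = *.example.test'
    ca='CN = Example Issuing CA (constructed)'
    root='CN = Example Root (constructed)'
    entry "$leaf" "$ca" > "$1/leaf_only.txt"                        # what -clcerts leaves behind
    { entry "$leaf" "$ca"; entry "$ca" "$root"; } > "$1/chain.txt"  # leaf, then intermediate
    { entry "$ca" "$root"; entry "$leaf" "$ca"; } > "$1/reversed.txt"
}

d=$(mktemp -d); make_samples "$d"
for f in leaf_only chain reversed; do
    chain_status "$d/$f.txt" > /dev/null; echo "$f: status $?"
done
rm -rf "$d"
```

A file that returns 0 is the kind of leaf-plus-intermediate bundle the SSL checker message asks for.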