We have a wildcard certificate from DigiCert that is installed on our AKS instance, and it works fine for IE and Chrome, but Firefox has huge issues with it, not trusting the site. When I run the site through an SSL Checker, it indicates that:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.
These are the instructions followed to install the certs originally:
Install the SSL Certificate into Each Namespace
Export the certificate from the pfx file
You will need openssl for this. This is the best resource I could find for installing and using it in Windows 10.
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.txt
Open .txt file and remove the header (i.e. keep from -----BEGIN CERTIFICATE----- through to the bottom)
Export the private key from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.txt
Open .txt file and remove the header (i.e. keep from -----BEGIN ENCRYPTED PRIVATE KEY----- through to the bottom)
Remove the passphrase from the private key
openssl rsa -in key.txt -out server.txt
Create the secrets
Connect to the kube through Azure's CLI, then run the command:
az aks get-credentials -g aks-rg -n clustername
to merge the kube to your kubectl cli.
If you need to remove previously installed certs, you should run the following commands:
kubectl delete secret clustername-tls --namespace dev
kubectl delete secret clustername-tls --namespace test
kubectl delete secret clustername-tls --namespace uat
kubectl delete secret clustername-tls --namespace prod
To create the new certs:
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace dev
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace test
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace uat
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace prod
What was missed to correctly install the intermediate cert?
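An added example, not part of the original question or its answer: `openssl pkcs12 -clcerts` writes only the leaf certificate, so the `cert.txt` produced above contains no intermediate. This sketch lints a PEM file before it is passed to `kubectl create secret tls`; the function names, verdict strings and placeholder blocks are constructed for illustration, and it assumes the CA issues through an intermediate, as the SSL checker message suggests.

```shell
#!/bin/sh
# Added example: lint the PEM file before `kubectl create secret tls --cert <file>`.

# Print the number of complete CERTIFICATE blocks in file $1.
# CRs are stripped first so files edited on Windows (CRLF) still count.
count_certs() {
  tr -d '\r' < "$1" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { inblk = 1; next }
    /^-----END CERTIFICATE-----$/ && inblk { n++; inblk = 0 }
    END { print n + 0 }'
}

# Print a one-word verdict for file $1; return 0 only for "ok".
lint_tls_cert() {
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
    echo "private-key-in-cert-file"; return 1
  fi
  # Text openssl pkcs12 writes around each PEM block; the steps on the page
  # delete it by hand, so finding it means that step was skipped.
  if grep -Eq '^(Bag Attributes|subject=|issuer=)' "$1"; then
    echo "pkcs12-header-residue"; return 1
  fi
  case $(count_certs "$1") in
    0) echo "no-certificate"; return 1 ;;
    1) echo "leaf-only"; return 1 ;;   # what -clcerts yields: no intermediate
    *) echo "ok"; return 0 ;;
  esac
}

# Constructed sample input: prints $1 placeholder blocks (not real certificates).
make_pem() {
  mp_i=0
  while [ "$mp_i" -lt "$1" ]; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
    mp_i=$((mp_i + 1))
  done
}

demo() {
  demo_dir=$(mktemp -d)
  make_pem 1 > "$demo_dir/cert.txt"        # leaf only, as -clcerts exports it
  make_pem 2 > "$demo_dir/fullchain.txt"   # leaf followed by the intermediate
  echo "cert.txt: $(lint_tls_cert "$demo_dir/cert.txt")"
  echo "fullchain.txt: $(lint_tls_cert "$demo_dir/fullchain.txt")"
  rm -rf "$demo_dir"
}
demo
```

The lint only counts blocks; it does not check that the second certificate is actually the issuer of the first or that the leaf comes first in the file.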
Are you using this secret as tls-secret in the ingress?
You have to implement ingress with an ingress controller, and you have to use your secret there inside the path.
You can follow this guide to set up the ingress-nginx controller with cert-manager.
ingress-nginx will work as the load balancer and expose the application to the internet. cert-manager will manage the SSL and TLS certificate.
cert-manager automatically generates the SSL certificate and manages it.
Please follow this: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes