How to correctly configure the Kubernetes Dashboard via Ingress-Nginx on GKE

10/17/2019

I'm getting the error:

[lua] certificate.lua:89: call(): failed to set DER cert: SSL_add0_chain_cert() failed, context: ssl_certificate_by_lua*, 

when configuring Ingress to serve the Kubernetes Dashboard on GKE. This trouble is related only to the Dashboard. In other namespaces a similar configuration works fine, I mean with the same SSL certificate.

Kubernetes version: v1.14.7-gke.10

Ingress-controller version: 0.26.1

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
  name: kubernetes-dashboard
spec:
  rules:
  - host: gke-dashboard.example.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
        path: /
  tls:
  - hosts:
    - gke-dashboard.example.com
    secretName: example-ssl
-- Roman

1 Answer

11/29/2019

The configuration of Ingress is correct. The key was in the SSL certificate bundle file. I use a chain of certificates in one crt file that contains 5 certificates.

Example snippet is:

-----BEGIN CERTIFICATE-----
MIIF4zCCBMugAwIBAhIMUCJSvK6eipIjbvq7MA0GCSqGSIb3DQEBCwUAMEwxGzAJ
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgILBAABBAAABRE9wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEMTCCAxmgAwIBAgILBAAAAhhBMYnGOdwwDQYJKoZIhvcNAQELBQAwTDEgMB4G
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIELzCCAxegAwIBUGILBAASOMEBL07hNwIwDQYJKoZIhvcNAQEFBQAwVzELMAkG
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEDjCCAvagAwIBAgILBAATEXTBHkSl82UwDQYJKoZIhvcNAQEFBQAwVzELMAkG
...
-----END CERTIFICATE-----

In my bundle, I have a couple of unnecessary overlapping certificates. This is why I had an error in the procedure of converting to DER format.

After removing unnecessary certificates the trouble was resolved.

By the way, such a bundle worked fine in Ingress-controller version 0.20.0. This is why, in my troubleshooting, I thought that there were no errors in my certificates.

Maybe this information will be helpful for someone.

-- Roman
Source: StackOverflow
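A pre-flight check for the bundle problem described in the answer, as an added example that is not part of the original post: it splits a PEM bundle, confirms each block decodes to a well-formed DER SEQUENCE, and flags repeated entries by SHA-256 fingerprint before the file goes into the TLS secret. It assumes "overlapping" means the same certificate appearing more than once byte for byte; the function names and the sample bundle are hypothetical and constructed for the example.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_outer_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length covers every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def audit_bundle(pem_text: str):
    """Return (report, cleaned_pem); report rows are (position, sha256, status)."""
    seen, report, kept = {}, [], []
    for pos, m in enumerate(PEM_RE.finditer(pem_text), start=1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:                     # binascii.Error subclasses ValueError
            report.append((pos, None, "malformed-base64"))
            continue
        fp = hashlib.sha256(der).hexdigest()
        if not der_outer_ok(der):
            report.append((pos, fp, "bad-der"))
        elif fp in seen:
            report.append((pos, fp, f"duplicate-of-{seen[fp]}"))
        else:
            seen[fp] = pos
            report.append((pos, fp, "ok"))
            kept.append(m.group(0))            # keep first occurrence, in order
    return report, "\n".join(kept) + "\n"

def constructed_pem(payload: bytes) -> str:
    """Constructed sample: a minimal DER SEQUENCE shell, not a real certificate."""
    der = b"\x30" + bytes([len(payload)]) + payload      # payload must be < 128 bytes
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed five-entry bundle: entries 4 and 5 repeat entries 2 and 3.
SAMPLE_BUNDLE = "\n".join(constructed_pem(p) for p in
                          (b"leaf", b"intermediate", b"root", b"intermediate", b"root"))

if __name__ == "__main__":
    print(*audit_bundle(SAMPLE_BUNDLE)[0], sep="\n")
```

The check compares raw bytes only, so two different certificates for the same subject (for example cross-signed intermediates) are not reported as duplicates.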