Let's Encrypt with HAProxy on GKE

11/27/2019

I am following some articles to implement SSL on my application, but I am not able to understand how to generate the certificate, or whether I need to generate the certificate at all.

The main thing is that, conceptually, I am not able to put the pieces together.

Let me explain the situation.

I am running an application "User Registration" (REST API based) in a GKE cluster with the HAProxy Ingress Controller and an HTTP(S) L7 load balancer. I have an existing domain (e.g. mydomain.com) where I am hosting my website. The hosting platform has provided an SSL certificate which secures the wildcard domain (*.mydomain.com), and my website opens at http://mydomain.com. I have created a subdomain apps.mydomain.com and pointed its "A" record to the GCP HTTP(S) load balancer IP, so that I can access the application over the internet. I can access my application over the internet on port 80, but it does not work on port 443 (with https).

In the articles, I need to generate a certificate and key using ACME and the same need to be used in Cluster Issuer and Ingress.

Ref# digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

Do I need to ask my domain/hosting provider for the certificate and key? Or can I use ACME to generate another certificate with hostname apps.mydomain.com?

I even downloaded the certificate and key from my hosting provider's website (there was an option "use your own server") and used them in the Ingress only (used the certificate and key as a secret). But my website turned into an insecure mode, and when I curl the API https://apps.mydomain.com/CreteUser there was an error:

* TCP_NODELAY set
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with apps.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 1845
* schannel: encrypted data buffer: offset 1845 length 4096
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with demo.apps.product.barnsleypujo.co.uk port 443
* schannel: clear security context handle
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

Could you please help me out?

Thanks, Suvendu

-- Suvendu Mandal
haproxy
kubernetes
lets-encrypt
ssl

1 Answer

11/27/2019

The star in the certificate subject (*.example.com) means you can replace the first domain name component of the name with anything you want, e.g. apps.example.com, mail.example.com, etc.

RFC2818 states:

If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

In your error message you have the name demo.apps.product.example.com, which does not match the wildcard certificate and therefore gives the error SEC_E_WRONG_PRINCIPAL.

To work around this problem, replace the dots, e.g. demo-apps-product.example.com, or use something completely different without the dots.

-- BiNZGi
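The RFC 2818 matching rule quoted in the answer, as an added example (not code from the answer or from StackOverflow): a small, standard-library-only matcher you can run against a certificate's dNSName list before wiring it into an Ingress, so a hostname that the wildcard does not cover is caught before clients see SEC_E_WRONG_PRINCIPAL. The SAN list and hostnames below are constructed for illustration.

```python
import re


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label. RFC 2818 lets '*' stand for a whole label
    (*.a.com) or a fragment of one (f*.com); it never spans a dot."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    regex = "^" + re.escape(pattern_label).replace(r"\*", "[^.]*") + "$"
    return re.match(regex, host_label) is not None


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a single dNSName pattern covers hostname (RFC 2818 3.1).
    Labels are compared one to one, so *.example.com covers
    apps.example.com but not demo.apps.product.example.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(san_dns_names, hostname: str) -> bool:
    """A match against any one dNSName in the set is acceptable."""
    return any(name_matches(n, hostname) for n in san_dns_names)


def coverage_report(san_dns_names, hostnames):
    """Map each hostname you intend to serve to whether the SAN list covers it."""
    return {h: cert_covers(san_dns_names, h) for h in hostnames}


# Constructed example: the dNSName entries a hosting provider's wildcard
# certificate typically carries (assumption, not the asker's real cert).
EXAMPLE_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    hosts = [
        "apps.example.com",                 # covered by the wildcard
        "demo.apps.product.example.com",    # three extra labels: not covered
        "demo-apps-product.example.com",    # the answer's workaround: covered
    ]
    for host, ok in coverage_report(EXAMPLE_SANS, hosts).items():
        print(f"{host:35} {'OK' if ok else 'NOT COVERED'}")
```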
Source: StackOverflow