I am running a baremetal Kubernetes , with nginx ingress and metallb , and some hostnames mapped to the external ip provided by metallb.

I have created an nginx deployment , exposed it via service and created an ingress with the hostname. I have created with openssl a self-signed certificate :

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout tls.key -out tls.crt -subj "/CN=fake.example.com" -days 365  

Then created a secret in the correct namespace:

kubectl -n demo create secret tls fake-self-secret --cert=tls.crt --key=tls.key

Then created the ingress :

apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
    name: demo-ingress
    namespace: demo
  spec:
    rules:
    - host: fake.example.com
      http:
        paths:
        - backend:
            serviceName: nginx
            servicePort: 80
          path: /
    tls:
    - hosts:
      - fake.example.com
      secretName: fake-self-secret

Http works ( because of ssl-redirect false annotation) , https returns SSL_ERROR_RX_RECORD_TOO_LONG, on the nginx ingress controller log i see something like "\x16\x03\x01\x00\xA8\x01\x00\x00\xA4\x03\x03*\x22\xA8\x8F\x07q\xAD\x98\xC1!\

openssl s_client -connect fake.example.com:443 -servername fake.example.com -crlf
140027703674768:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

Nginx ingress-controller version is 0.30, with the default configuration, ssl-protocols enabled in the configmap are : TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 Any help / new ideas are welcomed :)