NGINX ingress controller doesn't use TLS certificate on www subdomain





















I assume I am using a very common ingress definition. I've got a domain and I'd like to serve a SPA on https://example.com and a redirect to the non-www version on https://wwww.example.com. To achieve this my first step was to make the website available on both URLs, but I already failed here.



The problem:



NGINX returns the Kubernetes fake certificate on the www. version of my domain, but it properly uses my LetsEncrypt certificate, which is stored as a secret in the right namespace, for the non-www version. Accordingly the non-www version works perfectly fine, but I get a NET::ERR_CERT_AUTHORITY_INVALID (because it's using the Kubernetes fake certificate) on the www version.



My ingress resource:



apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  creationTimestamp: 2018-10-27T11:49:18Z
  generation: 2
  labels:
    app: nodejs
    chart: nodejs-1.1.6
    heritage: Tiller
    release: game-frontend
  name: game-frontend
  namespace: microservices
  resourceVersion: "2669700"
  selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/game-frontend
  uid: 563e8559-d9de-11e8-a079-42010a84024d
spec:
  rules:
  - host: example.io
    http:
      paths:
      - backend:
          serviceName: game-frontend
          servicePort: http
        path: /
  - host: wwww.example.io
    http:
      paths:
      - backend:
          serviceName: game-frontend
          servicePort: http
        path: /
  tls:
  - hosts:
    - example.io
    - wwww.example.io
    secretName: game-frontend-tls
status:
  loadBalancer:
    ingress:
    - ip: redacted


The question:



Why does it not use the provided letsencrypt certificate for the www version as well?










      nginx kubernetes nginx-ingress














      edited 2 days ago









      Patrick W











      asked Nov 10 at 20:50









      kentor
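A check for the setup described in the question, as an added example that is not part of the original post: it compares the hosts in the Ingress `tls` section with the DNS names in a certificate's subjectAltName, using exact matching and single-label wildcards. The function names and the three SAN strings are constructed for illustration; on a cluster the SAN text would come from the certificate stored in the `game-frontend-tls` secret.

```python
"""Added example: which Ingress TLS hosts does a certificate's SAN list cover?"""
import re

# Hosts copied from the `tls.hosts` list of the Ingress shown in the question.
INGRESS_TLS_HOSTS = ["example.io", "wwww.example.io"]

# Constructed samples of `openssl x509 -noout -ext subjectAltName` output.
SAN_APEX_ONLY = "X509v3 Subject Alternative Name:\n    DNS:example.io"
SAN_APEX_AND_WWW = "X509v3 Subject Alternative Name:\n    DNS:example.io, DNS:www.example.io"
SAN_WILDCARD = "X509v3 Subject Alternative Name:\n    DNS:*.example.io"


def parse_san_text(text):
    """Extract the DNS entries from openssl's subjectAltName text output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_matches(host, san):
    """Exact match, or '*' standing in for exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # '*.example.io' covers 'www.example.io' but neither the apex
    # 'example.io' nor a deeper name such as 'a.b.example.io'.
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]


def uncovered_hosts(tls_hosts, san_text):
    """Return the Ingress hosts that no SAN entry in the certificate covers."""
    sans = parse_san_text(san_text)
    return [h for h in tls_hosts if not any(san_matches(h, s) for s in sans)]


if __name__ == "__main__":
    for label, text in [("apex only", SAN_APEX_ONLY),
                        ("apex + www", SAN_APEX_AND_WWW),
                        ("wildcard", SAN_WILDCARD)]:
        missing = uncovered_hosts(INGRESS_TLS_HOSTS, text)
        print(f"{label:12} uncovered: {missing or 'none'}")
```

Any host the check reports as uncovered has no matching name in that certificate, so a browser would reject the certificate for that host even if the controller served it.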



























