NGINX ingress controller doesn't use TLS certificate on www subdomain
up vote
0
down vote
favorite
I assume I am using a very common ingress definition. I've got a domain and I'd like to serve a SPA on https://example.com and a redirect to the non-www version on https://wwww.example.com. To achieve this my first step was to make the website available on both URLs, but I already failed here.
The problem:
NGINX returns the kubernetes fake certificate on the www. version of my domain, but it properly uses my LetsEncrypt certificate which is stored as secret in the right namespace for the non www.version. Accordingly the non-www version works perfectly fine, but I get an NET::ERR_CERT_AUTHORITY_INVALID (because it's using the kubernetes fake certificate) on the www version.
My ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
creationTimestamp: 2018-10-27T11:49:18Z
generation: 2
labels:
app: nodejs
chart: nodejs-1.1.6
heritage: Tiller
release: game-frontend
name: game-frontend
namespace: microservices
resourceVersion: "2669700"
selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/game-frontend
uid: 563e8559-d9de-11e8-a079-42010a84024d
spec:
rules:
- host: example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
- host: wwww.example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
tls:
- hosts:
- example.io
- wwww.example.io
secretName: game-frontend-tls
status:
loadBalancer:
ingress:
- ip: redacted
The question:
Why does it not use the provided letsencrypt certificate for the www version as well?
nginx
kubernetes nginx-ingress edited 2 days ago
Patrick W
7371110
asked Nov 10 at 20:50
kentor
1,91632456
add a comment |
up vote
0
down vote
favorite
I assume I am using a very common ingress definition. I've got a domain and I'd like to serve a SPA on https://example.com and a redirect to the non-www version on https://wwww.example.com. To achieve this my first step was to make the website available on both URLs, but I already failed here.
The problem:
NGINX returns the kubernetes fake certificate on the www. version of my domain, but it properly uses my LetsEncrypt certificate which is stored as secret in the right namespace for the non www.version. Accordingly the non-www version works perfectly fine, but I get an NET::ERR_CERT_AUTHORITY_INVALID (because it's using the kubernetes fake certificate) on the www version.
My ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
creationTimestamp: 2018-10-27T11:49:18Z
generation: 2
labels:
app: nodejs
chart: nodejs-1.1.6
heritage: Tiller
release: game-frontend
name: game-frontend
namespace: microservices
resourceVersion: "2669700"
selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/game-frontend
uid: 563e8559-d9de-11e8-a079-42010a84024d
spec:
rules:
- host: example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
- host: wwww.example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
tls:
- hosts:
- example.io
- wwww.example.io
secretName: game-frontend-tls
status:
loadBalancer:
ingress:
- ip: redacted
The question:
Why does it not use the provided letsencrypt certificate for the www version as well?
nginx
kubernetes nginx-ingress edited 2 days ago
Patrick W
7371110
asked Nov 10 at 20:50
kentor
1,91632456
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I assume I am using a very common ingress definition. I've got a domain and I'd like to serve a SPA on https://example.com and a redirect to the non-www version on https://wwww.example.com. To achieve this my first step was to make the website available on both URLs, but I already failed here.
The problem:
NGINX returns the kubernetes fake certificate on the www. version of my domain, but it properly uses my LetsEncrypt certificate which is stored as secret in the right namespace for the non www.version. Accordingly the non-www version works perfectly fine, but I get an NET::ERR_CERT_AUTHORITY_INVALID (because it's using the kubernetes fake certificate) on the www version.
My ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
creationTimestamp: 2018-10-27T11:49:18Z
generation: 2
labels:
app: nodejs
chart: nodejs-1.1.6
heritage: Tiller
release: game-frontend
name: game-frontend
namespace: microservices
resourceVersion: "2669700"
selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/game-frontend
uid: 563e8559-d9de-11e8-a079-42010a84024d
spec:
rules:
- host: example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
- host: wwww.example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
tls:
- hosts:
- example.io
- wwww.example.io
secretName: game-frontend-tls
status:
loadBalancer:
ingress:
- ip: redacted
The question:
Why does it not use the provided letsencrypt certificate for the www version as well?
nginx
kubernetes nginx-ingress edited 2 days ago
Patrick W
7371110
asked Nov 10 at 20:50
kentor
1,91632456
I assume I am using a very common ingress definition. I've got a domain and I'd like to serve a SPA on https://example.com and a redirect to the non-www version on https://wwww.example.com. To achieve this my first step was to make the website available on both URLs, but I already failed here.
The problem:
NGINX returns the kubernetes fake certificate on the www. version of my domain, but it properly uses my LetsEncrypt certificate which is stored as secret in the right namespace for the non www.version. Accordingly the non-www version works perfectly fine, but I get an NET::ERR_CERT_AUTHORITY_INVALID (because it's using the kubernetes fake certificate) on the www version.
My ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
creationTimestamp: 2018-10-27T11:49:18Z
generation: 2
labels:
app: nodejs
chart: nodejs-1.1.6
heritage: Tiller
release: game-frontend
name: game-frontend
namespace: microservices
resourceVersion: "2669700"
selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/game-frontend
uid: 563e8559-d9de-11e8-a079-42010a84024d
spec:
rules:
- host: example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
- host: wwww.example.io
http:
paths:
- backend:
serviceName: game-frontend
servicePort: http
path: /
tls:
- hosts:
- example.io
- wwww.example.io
secretName: game-frontend-tls
status:
loadBalancer:
ingress:
- ip: redacted
The question:
Why does it not use the provided letsencrypt certificate for the www version as well?
nginx
kubernetes nginx-ingress nginx
kubernetes nginx-ingress edited 2 days ago
Patrick W
7371110
asked Nov 10 at 20:50
kentor
1,91632456
edited 2 days ago
Patrick W
7371110
asked Nov 10 at 20:50
kentor
1,91632456
edited 2 days ago
Patrick W
7371110
edited 2 days ago
Patrick W
7371110
edited 2 days ago
Patrick W
7371110
7371110
asked Nov 10 at 20:50
kentor
1,91632456
asked Nov 10 at 20:50
kentor
1,91632456
asked Nov 10 at 20:50
kentor
1,91632456
1,91632456
add a comment |
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53243281%2fnginx-ingress-controller-doesnt-use-tls-certificate-on-www-subdomain%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
