3
votes

I want to disable SNI on the nginx-ingress. If a call using openssl like below is used:

openssl s_client -showcerts -connect ***********.gr:443

Then I want nginx-ingress to use only the certificate that I have configured and not the fake-k8s-cert.

The certificate is working if I browse the web app, but I also need to set the default certificate.

An example is below:

[root@production ~]# openssl s_client -showcerts -connect 3dsecureuat.torawallet.gr:443
CONNECTED(00000003)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
   i:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
-----BEGIN CERTIFICATE-----

---
Server certificate
subject=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
issuer=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
---
Acceptable client certificate CA names
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
...

I have also configured the ingress to use the secret on all hostnames without specifying a host:

tls:
  - secretName: ******wte-ingress

3
Matt: Are you aware of the --default-ssl-certificate option?
vasilis: This worked perfectly. Thanks

3 Answers

4
votes

The Default SSL Certificate flag solved the issue, as the OP mentioned.

In the NGINX Ingress documentation you can read:

NGINX Ingress controller provides the flag --default-ssl-certificate. The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If this flag is not provided NGINX will use a self-signed certificate.

For instance, if you have a TLS secret foo-tls in the default namespace, add --default-ssl-certificate=default/foo-tls in the nginx-controller deployment.

The default certificate will also be used for ingress tls: sections that do not have a secretName option.

1
votes

As mentioned here:

When an ingress without a host is defined, the default server (_ in nginx) is used.

You need to provide -servername to your openssl command to check the certificate for your domain, e.g.:

openssl s_client -showcerts -connect ***********.gr:443 -servername *********.gr

1
votes

The problem is that the client application says it does not support SNI and cannot send the servername in its request. So we need to provide the same certificate either with or without a servername in the request.
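A way to verify the outcome the accepted answer and the last answer describe (the same certificate served with and without SNI, and no fake controller certificate on the default server), as an added example that is not code from the question or any answer. Host names are placeholders; the parsing works on plain openssl s_client output like the one quoted in the question.

```python
# Added example, not from the question or any answer: check that nginx-ingress serves
# the same certificate to a client that sends no SNI (the question's openssl call) and
# to one that does (-servername), and flag the controller's built-in fake certificate.
import subprocess
from typing import Dict, Optional

FAKE_CERT_CN = "Kubernetes Ingress Controller Fake Certificate"


def fetch_s_client_output(host: str, port: int = 443, servername: Optional[str] = None) -> str:
    """Run openssl s_client as in the question; pass servername to send SNI."""
    cmd = ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}"]
    if servername:
        cmd += ["-servername", servername]
    # Empty stdin makes s_client exit right after the handshake instead of waiting.
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20)
    return proc.stdout


def server_subject(s_client_output: str) -> str:
    """Return the subject printed under 'Server certificate' (the leaf the server sent)."""
    lines = s_client_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "Server certificate":
            for nxt in lines[i + 1:i + 4]:
                if nxt.startswith("subject="):
                    return nxt[len("subject="):].strip()
    raise ValueError("no 'Server certificate' section in s_client output")


def is_fake_cert(subject: str) -> bool:
    """True when the subject is the self-signed placeholder the controller uses by default."""
    return FAKE_CERT_CN in subject


def compare_sni(without_sni: str, with_sni: str) -> Dict[str, object]:
    """Compare the leaf served without SNI (nginx default server) against the SNI one.
    Subjects are compared here because that is what s_client prints; comparing the
    certificate fingerprints would be stricter if two different certs share a subject."""
    default_subject = server_subject(without_sni)
    sni_subject = server_subject(with_sni)
    return {
        "default_subject": default_subject,
        "sni_subject": sni_subject,
        "default_is_fake": is_fake_cert(default_subject),
        "consistent": default_subject == sni_subject,
    }


if __name__ == "__main__":
    host = "example.invalid"  # placeholder for the real ingress host name
    print(compare_sni(fetch_s_client_output(host), fetch_s_client_output(host, servername=host)))
```

After the --default-ssl-certificate flag is set, "default_is_fake" should be False and "consistent" True for the ingress host.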