AIOPs - Some client connections fail at TLS Hello: nginx-ingress-controller pods exhibit Acme Kubernetes Ingress Controller Fake Certificate
search cancel

AIOPs - Some client connections fail at TLS Hello: nginx-ingress-controller pods exhibit Acme Kubernetes Ingress Controller Fake Certificate

book

Article ID: 277264

calendar_today

Updated On:

Products

DX Operational Intelligence DX Application Performance Management CA App Experience Analytics

Issue/Introduction

Trying to troubleshoot lack of HTTPS connectivity for some of our systems that should connect HTTPS to AIOPS.

Detailed analysis shows that the nginx-ingress-controller pods are using a fake certificate which may be part of the issue, defined in the deployment.

      openssl s_client -connect apmservices-gateway.<wildcardDNS>:443/dxiportal/#/dxiportal/login 

      CONNECTED

      CN = Kubernetes Ingress Controller Fake Certificate

Is there a way to make the nginx-ingress-controller pods use our valid X.509 certs? 

Environment

  • DX Platform 2x
  • DX AIOps 2x (APM, OI, AXA)

 

Resolution

The openssl s_client does not send name of server in SNI by default (like browsers do), you have to specify -servername host to have it send that "-servername apmesrvices-gateway.<wildcardDNS>"). 
 
And nginx in k8s requires SNI to route request properly. 
 

 

Additional Information