
The certificate must have a fully-qualified domain name, a supported signature, and a supported key size. #3890

Open
uriworkaccount opened this issue Oct 15, 2024 · 5 comments

uriworkaccount commented Oct 15, 2024

Describe the bug
I am trying to set up an NLB with aws-load-balancer-controller in a private subnet.
I did so in my dev account; I tried to do the same in a prod account, but I received errors:
First of all, after tagging the relevant subnets as required (kubernetes.io/role/internal-elb=1, see picture), it still didn't work. I got the error:
failed build model due to unable to resolve at least one subnet (0 match VPC and tags: [kubernetes.io/role/internal-elb])
so I had to manually register the subnets (see YAML), after which everything was OK.

After that, I tried to add a valid certificate, but I get the error:
The certificate must have a fully-qualified domain name, a supported signature, and a supported key size.

Additionally, when recreating the resources, I had to manually delete some, as they weren't all deleted on helm uninstall.

Please help.

Steps to reproduce

helm install, filled in the EKS name.
This is the YAML for the NLB service:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nlb-service
  namespace: ingress-controller
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"  # or "ip" for IP mode
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    service.beta.kubernetes.io/aws-load-balancer-subnets: xxx, xxx
    service.beta.kubernetes.io/aws-load-balancer-name: xxxx
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <arn>
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 80
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    #app.kubernetes.io/component: controller
```

This is the certificate: [image]

This is the listener; do take note that I can't manually add a certificate or choose a security policy. [image]

These are the tags for the subnets: [image]

Screen pictures of errors: [image] [image]

Expected outcome
Create the NLB.

Environment

  • AWS Load Balancer controller version - 1.8.1
  • Kubernetes version - 1.30
  • Using EKS (yes/no), if so version? yes, 1.30

Additional Context:
@zac-nixon (Contributor) commented Oct 17, 2024

Hi. Thanks for reaching out.

1/ Subnets not being auto detected.

This is our guide for subnet autodiscovery. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/deploy/subnet_discovery/

It looks like you've not tagged the subnet with kubernetes.io/cluster/${cluster-name}. Please either add the tag (following the guide above) or disable the cluster name check by modifying the controller parameters.

2/ The certificate must have a fully-qualified domain name, a supported signature, and a supported key size.

This is a validation error coming from the ELB API. The generated certificate is not valid for ELB TLS. According to https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html, it is because you have generated a cert using RSA 4096. If you want to use this certificate type you need to use an ALB.

3/ Resources left behind on helm delete

What resources were left behind?
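To catch the second problem before a certificate is imported into ACM and referenced from the `aws-load-balancer-ssl-cert` annotation, the following POSIX shell pre-check inspects a PEM certificate for the three properties named in the ELB error (a fully-qualified domain name, a supported signature, a supported key size). It is an added example, not code from this issue or from the aws-load-balancer-controller project. It assumes `openssl` is on PATH; the "RSA 4096 is rejected for an NLB TLS listener" rule is the one stated in the comment above, the FQDN test is a heuristic (a CN or DNS SAN containing a dot that is not a bare IP literal), and SHA-256/384/512 with RSA or ECDSA is treated as the supported signature set, which should be confirmed against the linked ACM import prerequisites page.

```shell
#!/bin/sh
# Added example, not code from this issue or from aws-load-balancer-controller.
# Pre-check a PEM certificate against the three constraints in the ELB error
# ("fully-qualified domain name", "supported signature", "supported key size")
# before importing it into ACM and pointing aws-load-balancer-ssl-cert at it.
# Assumptions: `openssl` is on PATH; "RSA 4096 is rejected for NLB TLS
# listeners" is the rule stated in the maintainer's comment; SHA-256/384/512
# signatures are treated as the supported set (confirm against the linked
# ACM import prerequisites page).

# Usage: check_cert_for_nlb cert.pem
# Prints findings; returns 0 when no blocking problem is found, 1 otherwise.
check_cert_for_nlb() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    algo=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Matches "RSA Public-Key: (4096 bit)" (OpenSSL 1.1) and "Public-Key: (4096 bit)" (OpenSSL 3)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^,]*' | sed 's/^DNS://')

    echo "key=$algo/${bits:-?} bit signature=$sig CN=${cn:-<none>} DNS-SANs=${sans:-<none>}"
    status=0

    # 1. FQDN (heuristic): at least one CN or DNS SAN that contains a dot and is not a bare IP literal
    has_fqdn=0
    for n in $cn $sans; do
        case "$n" in
            *.*) case "$n" in *[!0-9.]*) has_fqdn=1 ;; esac ;;
        esac
    done
    if [ "$has_fqdn" -eq 0 ]; then
        echo "FAIL: no fully-qualified domain name in CN or DNS SANs"; status=1
    fi

    # 2. Key size: RSA 4096 is what the maintainer identified as unsupported for NLB listeners
    if [ "$algo" = "rsaEncryption" ] && [ "${bits:-0}" -eq 4096 ]; then
        echo "FAIL: RSA 4096 key; re-key with RSA 2048 for an NLB listener or use an ALB"; status=1
    fi

    # 3. Signature: anything outside SHA-2 with RSA or ECDSA is flagged (assumed supported set)
    case "$sig" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) echo "FAIL: signature algorithm '$sig' is not in the supported set"; status=1 ;;
    esac

    return "$status"
}

# Stand-alone use: sh check_cert.sh cert.pem
if [ "$#" -gt 0 ]; then
    check_cert_for_nlb "$1"
fi
```

Run it against the exported certificate before `aws acm import-certificate`; a non-zero exit with the `RSA 4096` line is exactly the case the maintainer describes, and the only remedies are a 2048-bit re-key for the NLB or switching to an ALB, since the listener in the screenshot cannot have a certificate attached by hand.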

@uriworkaccount (Author):

Thank you for your answer.
I was wrong, my helm version is 2.8.1: [image]

What could be the issue then?

@zac-nixon (Contributor):

Hi. I don't follow your response, sorry. These errors are misconfigurations as I listed above.

@UriZafrir:

Hi, apologies for my late reply.
Regarding my response, I've tried to say that the helm version of aws-load-balancer-controller is 2.8.1, so as I understand I don't need to tag the subnets with the cluster name.
Regarding 2, as per contacting AWS support, I was made aware of what you wrote about the certificate.
Regarding 3, what I experience with uninstalling the helm chart is that the CRDs and the ingress are left behind. For uninstallation I need to remove the finalizers from the ingress and then they are deleted.
Thanks for the answer, I will check my configurations.

@zac-nixon (Contributor):

Hi, sorry for the late reply (heh)

For the subnet issue, https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/deploy/subnet_discovery/

I think you need to use the SubnetsClusterTagCheck=false feature flag in the controller.

For issue 3) I don't believe that is expected behavior that helm uninstall won't remove the CRD definitions.
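The subnet part of this thread (the "0 match VPC and tags" error in the report, the maintainer's two remedies in the first reply, and the `SubnetsClusterTagCheck=false` feature gate above) comes down to two tag conditions per subnet. The POSIX shell function below models them for a single subnet so the failure and both fixes can be reproduced offline. It is an added example, not code from this issue or from the controller project; the tag file format, the cluster name `prod-eks` and the tag values are constructed for the demo, and the function deliberately omits the rest of the discovery logic in the linked guide (AZ de-duplication, subnets tagged for other clusters). The role tag is accepted with value `1` or empty, as the guide states.

```shell
#!/bin/sh
# Added example, not code from this issue or from aws-load-balancer-controller.
# Models the two subnet-discovery conditions from the thread for one subnet:
# the role tag for the requested scheme, and the cluster tag that is required
# while the SubnetsClusterTagCheck feature gate is on. Simplification: AZ
# de-duplication and the other rules in the linked guide are not modeled.
# Input: a file with one tag per line as key=value (constructed below, not AWS data).

# Usage: subnet_discoverable <cluster-name> <internal|internet-facing> <tag-check: true|false> <tag-file>
# Returns 0 if the subnet would be considered, 1 if it would be skipped.
subnet_discoverable() {
    cluster="$1"; scheme="$2"; tagcheck="$3"; tagfile="$4"
    case "$scheme" in
        internal)        role_key="kubernetes.io/role/internal-elb" ;;
        internet-facing) role_key="kubernetes.io/role/elb" ;;
        *) echo "unknown scheme: $scheme" >&2; return 2 ;;
    esac
    role_ok=0; cluster_ok=0
    while IFS='=' read -r key value; do
        [ -z "$key" ] && continue
        # Role tag value must be "1" or empty, per the subnet discovery guide
        if [ "$key" = "$role_key" ]; then
            case "$value" in ""|1) role_ok=1 ;; esac
        fi
        if [ "$key" = "kubernetes.io/cluster/$cluster" ]; then
            cluster_ok=1
        fi
    done < "$tagfile"
    if [ "$role_ok" -eq 0 ]; then
        echo "skip: no $role_key tag with value 1 or empty"; return 1
    fi
    if [ "$tagcheck" = "true" ] && [ "$cluster_ok" -eq 0 ]; then
        echo "skip: SubnetsClusterTagCheck=true and tag kubernetes.io/cluster/$cluster is missing"; return 1
    fi
    echo "match"
    return 0
}

# Reproduces the reporter's situation with constructed tags: role tag present, cluster tag absent.
demo() {
    tags=$(mktemp)
    printf '%s\n' 'kubernetes.io/role/internal-elb=1' 'Name=prod-private-a' > "$tags"
    subnet_discoverable prod-eks internal true "$tags" || true   # skip: the "0 match" error in this issue
    subnet_discoverable prod-eks internal false "$tags"          # match: cluster-tag check disabled
    printf '%s\n' 'kubernetes.io/cluster/prod-eks=shared' >> "$tags"
    subnet_discoverable prod-eks internal true "$tags"           # match: cluster tag added instead
    rm -f "$tags"
}

# Stand-alone use: sh subnet_check.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Of the two remedies, adding `kubernetes.io/cluster/<cluster-name>` to the private subnets is the narrower change, because it keeps the controller from selecting subnets that belong to another cluster in the same VPC; disabling the check is done with the controller's `--feature-gates=SubnetsClusterTagCheck=false` flag (in the Helm chart this is normally set under `controllerConfig.featureGates`; check the values file for the chart version in use, as the key name is an assumption here).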
