Certificate Errors for requests sent with FQDN (broke on move from 0.23.0 to 0.24.0) #4243
Comments
@markfermor please use
/reopen There's a confusion, the fix is not committed to master yet. I'll update this issue once it is.
@ElvinEfendi: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks for looking into this and for the updates. Will await further updates.
Closing. Fixed in #4274
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): trailing dot, fqdn, ssl certificates
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT
NGINX Ingress controller version: 0.24.1 and/or 0.24.0
Kubernetes version (use kubectl version): v1.13.6-gke.13
Environment: staging
What happened: On moving from 0.23.0 ingress-nginx, we now see SSL errors going to the ingress-nginx pods if that request includes a trailing dot (example.com. instead of example.com). We are using the FQDN trailing dot practice in our environment a fair amount in order to force DNS lookups to ignore other search-domain lookups that might otherwise be on a host.
The error as thrown by nodeJS: "unable to verify the first certificate"
Using Chrome also throws a certificate error for 0.24.0 but not 0.23.0 when including a trailing dot in the domain (https://example.com./status). Using HTTP (http://example.com./status) does work as expected. So it feels like a potential problem with comparing the SNI of the host against the certificates.
What you expected to happen: To load as normal
How to reproduce it (as minimally and precisely as possible): run up 0.24.x and send a request with an FQDN. Make sure the client program you're using to test doesn't automatically strip the trailing dot. We're using the nodeJS request module, but curl, for example, would tend to strip the trailing dot as per curl/curl#3222. Using Chrome's browser appeared to generate the erroring result, so this is probably suitable.
Anything else we need to know: I note the Nginx version upgrade 1.15.9 to 1.15.10 that also occurred between those versions. I don't notice anything real obvious in their changeLogs to suggest a breaking change with FQDN: http://nginx.org/en/CHANGES
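Added example, not from the issue or from the ingress-nginx code base: a sketch of the failure the report suspects, where a certificate lookup keyed on the raw SNI name misses for `example.com.` while a lookup that normalizes the name first succeeds. The `certStore` type, the function names and the certificate ids are hypothetical, and the store contents are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// certStore maps a certificate DNS name (exact or "*.wildcard") to a
// certificate id. Hypothetical type; contents below are constructed.
type certStore map[string]string

// normalizeHost lower-cases the name and drops one trailing root dot, so
// "Example.COM." and "example.com" select the same certificate.
func normalizeHost(host string) string {
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

// lookupRaw uses the client-supplied name as the key with no normalization.
func (s certStore) lookupRaw(host string) (string, bool) { return s.match(host) }

// lookup normalizes the name first, then matches.
func (s certStore) lookup(host string) (string, bool) {
	return s.match(normalizeHost(host))
}

// match tries an exact name, then a wildcard covering one left-most label.
func (s certStore) match(host string) (string, bool) {
	if id, ok := s[host]; ok {
		return id, true
	}
	// a.example.com is covered by *.example.com, a.b.example.com is not.
	if i := strings.Index(host, "."); i > 0 && i < len(host)-1 {
		if id, ok := s["*"+host[i:]]; ok {
			return id, true
		}
	}
	return "", false
}

func main() {
	store := certStore{"example.com": "cert-apex", "*.example.com": "cert-wild"}
	for _, h := range []string{"example.com", "example.com.", "API.example.com."} {
		_, rawOK := store.lookupRaw(h)
		id, ok := store.lookup(h)
		fmt.Printf("%-18s raw=%-5v normalized=%-5v cert=%s\n", h, rawOK, ok, id)
	}
}
```

When the raw lookup misses, a server typically falls back to a default certificate, which a client then rejects as not matching the requested host.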