
Add support for SubjectAltName in SSL certificates #886

Merged
merged 1 commit into from
Jun 23, 2017

Conversation

aledbf
Member

@aledbf aledbf commented Jun 20, 2017

Create a SSL certificate with subjectAltName

$ openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.key \
    -new \
    -out server.crt \
    -subj /CN=dev.mycompany.com \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:dev.mycompany.com')) \
    -sha256 \
    -days 3650

Create a secret with the generated certificate

$ kubectl create secret tls mycompany --cert=server.crt --key=server.key

Create an ingress that references the created SSL certificate

$ echo "
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mycompany
  namespace: default
spec:
  tls:
    - secretName: mycompany
      hosts:
        - dev.mycompany.com
  rules:
  - host: dev.mycompany.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
" | kubectl create -f -

Test:

$ minikube ssh
$ curl https://localhost -v -H 'Host: dev.mycompany.com' -k
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: dev.mycompany.com
> User-Agent: curl/7.50.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.13.1
< Date: Fri, 23 Jun 2017 00:47:53 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: route=4c076d0ba212d6bf28bbdac6368e32a1a2fd32a6; Path=/; HttpOnly
< Strict-Transport-Security: max-age=15724800; includeSubDomains;
< 


Hostname: http-svc-82h3l

Pod Information:
	node name:	 minikube
	pod name:	 http-svc-82h3l
	pod namespace:	 default
	pod IP:  	 172.17.0.2

Server values:
	server_version=nginx: 1.13.0 - lua: 10008

Request Information:
	client_address=172.17.0.8
	method=GET
	real path=/
	query=
	request_version=1.1
	request_uri=http://dev.mycompany.com:8080/

Request Headers:
	accept=*/*
	connection=close
	host=dev.mycompany.com
	user-agent=curl/7.50.1
	x-forwarded-for=172.17.0.1
	x-forwarded-host=dev.mycompany.com
	x-forwarded-port=443
	x-forwarded-proto=https
	x-original-uri=/
	x-real-ip=172.17.0.1
	x-scheme=https

Request Body:
	-no body in request-

fixes #548
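The check this PR asks the controller to make, as an added example that is not part of this PR or of the ingress-nginx code base: parse the PEM certificate stored in the TLS secret and test each `tls.hosts` entry against the certificate's subjectAltName DNS entries, rather than only its CN. The function names, the fixed-seed fixture and the sample hosts are my own assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// HostsCoveredByPEM reports, per ingress host, whether the PEM certificate covers it:
// VerifyHostname matches subjectAltName DNS names (wildcards too) and ignores the CN.
func HostsCoveredByPEM(certPEM []byte, hosts []string) (map[string]bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	covered := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		covered[h] = cert.VerifyHostname(h) == nil
	}
	return covered, nil
}

// mustSelfSignedPEM is a constructed fixture mirroring the PR's openssl command (CN + DNS SANs).
func mustSelfSignedPEM(cn string, sans []string) []byte {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: fixture only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // encoded as the subjectAltName extension
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	certPEM := mustSelfSignedPEM("dev.mycompany.com", []string{"dev.mycompany.com", "*.mycompany.com"})
	fmt.Println(HostsCoveredByPEM(certPEM, []string{"api.mycompany.com", "mycompany.com"}))
}
```

A certificate that carries only a CN and no SAN covers none of the hosts, which is exactly the case the ingress controller had to start handling correctly.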

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 20, 2017
@coveralls

Coverage decreased (-0.3%) to 44.253% when pulling 4ee2bdc on aledbf:tls-alt-names into 103d082 on kubernetes:master.

@aledbf aledbf merged commit 0153726 into kubernetes:master Jun 23, 2017
@aledbf aledbf deleted the tls-alt-names branch June 23, 2017 02:49
Successfully merging this pull request may close these issues.

nginx: support multidomain certificates