1. 技术文章
  2. Kubernetes TLS secret certificate expiration

Kubernetes TLS secret certificate expiration

烈酒焚心 提交于 2020-01-04 06:33:20

问题


  1. I use openssl to create a wildcard self-signed certificate. I set certificate validity duration to to ten years (I double-checked the validity duration by inspecting the certificate with openssl)
  2. I create a Kubernetes secret with the private key and certificate prepared in step 1 with following kubectl command: kubectl create secret tls my-secret -n test --key server.key --cert server.crt
  3. We use nginx ingress controller version 0.25.1 running on AWS EKS
  4. I refer to this secret in the Kubernetes ingress of my service
  5. When connecting to my service via browser and inspecting the certificate, I notice it is issued by "Kubernetes ingress Controller Fake certificate" and expires in one year instead of ten years

This certificate is used for internal traffic only, we expect the validity duration to be ten years. Why is it changed to one year? What can be done to keep the validity duration in the original certificate?

kubectl get secret dpaas-secret -n dpaas-prod -o yaml:

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2ekNDQXFlZ0F3SUJBZ0lRSE5tMUQwakYxSHBQYVk2cTlCR2hGekFOQmdrcWhraUc5dzBCQVFzRkFEQlEKTVJrd0Z3WURWUVFLRXhCaFkyMWxJRk5sYkdZZ1UybG5ibVZrTVJVd0V3WURWUVFMRXd4aFkyMWxJR1Y0WVcxdwpiR1V4SERBYUJnTlZCQU1URTJGamJXVWdVMlZzWmlCVGFXZHVaV1FnUTBFd0hoY05NVGt4TWpFMk1UUXhOak14CldoY05Namt4TWpFMk1ERXhOak14V2pCWk1Rc3dDUVlEVlFRR0V3SlZVekVaTUJjR0ExVUVDaE1RWVdOdFpTQlQKWld4bUlGTnBaMjVsWkRFUk1BOEdBMVVFQ3hNSVlXTnRaUzVqYjIweEhEQWFCZ05WQkFNTUV5b3VaSEJ6TG0xNQpZMjl0Y0dGdWVTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzRjVmtaCndJY1cwS1VpTk5zQ096YjlleFREQU11SENwT3Jia2ExNmJHVHhMd2FmSmtybzF4TGVjYU8yM3p0SkpaRTZEZG8KZlB1UXAyWlpxVjJoL0VqL3ozSmZrSTRKTXdRQXQyTkd2azFwZk9YVlJNM1lUT1pWaFNxMU00Sm01ZC9BUHMvaApqZTdueUo4Y1J1aUpCMUh4SStRRFJpMllBK3Nzak12ZmdGOTUxdVBwYzR6Skppd0huK3JLR0ZUOFU3d2FueEdJCnRGRC9wQU1LaXRzUEFheW9aT2czazk4ZnloZS9ra1Z0TlNMTTdlWEZTODBwUEg2K3lEdGNlUEtMZ3N6Z3BqWFMKWGVsSGZLMHg1TXhneXIrS0dTUWFvU3Q0SVVkYWZHa05meVVYVURTMmtSRUdzVERVcC94R2NnQWo3UGhJeGdvZAovNWVqOXRUWURwNG0zWStQQWdNQkFBR2pnWXN3Z1lnd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXCk1CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1COEdBMVVkSXdRWU1CYUEKRk5VOE90NXBtM0dqU3pPTitNSVJta3k3dVBVRU1DZ0dBMVVkRVFRaE1CK0NIU291WkhCekxuVnpMV1ZoYzNRdApNUzV0ZVdOdmJYQmhibmt1WTI5dE1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlJITlN5MXZoWXRoeUpHRHpkCnpjSi9FR3QxbktXQkEzdFovRmtlRDhpelRiT282bmt0Sys5Rk52YmNxeGFQbzZSTWVtM2VBcEZCQkNFYnFrQncKNEZpRkMzODFRTDFuZy9JL3pGS2lmaVRlK0xwSCtkVVAxd1IzOUdOVm9mdWdNcjZHRmlNUk5BaWw4MVZWLzBEVworVWZ2dFg5ZCtLZU0wRFp4MGxqUkgvRGNubEVNN3Z3a3F5NXA2VklJNXN6Y1F4WTlGWTdZRkdMUms4SllHeXNrCjVGYW8vUFV1V1ZTaUMzRk45eWZ0Y3c1UGZ6MSt4em1PSmphS3FjQWkvcFNlSVZzZ0VTNTFZYm9JTUhLdDRxWGcKSlFqeU9renlKbFhpRzhBa2ZRMVJraS91cmlqZllqaWl6M04yUXBuK2laSFNhUmJ5OUhJcGtmOGVqc3VTb2wrcgpxZ3N4Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdUhGWkdjQ0hGdENsSWpUYkFqczIvWHNVd3dETGh3cVRxMjVHdGVteGs4UzhHbnlaCks2TmNTM25HanR0ODdTU1dST2czYUh6N2tLZG1XYWxkb2Z4SS84OXlYNUNPQ1RNRUFMZGpScjVOYVh6bDFVVE4KMkV6bVZZVXF0VE9DWnVYZndEN1A0WTN1NThpZkhFYm9pUWRSOFNQa0EwWXRtQVByTEl6TDM0QmZlZGJqNlhPTQp5U1lzQjUvcXloaFUvRk84R3A4UmlMUlEvNlFEQ29yYkR3R3NxR1RvTjVQZkg4b1h2NUpGYlRVaXpPM2x4VXZOCktUeCt2c2c3WEhqeWk0TE00S1kxMGwzcFIzeXRNZVRNWU1xL2loa2tHcUVyZUNGSFdueHBEWDhsRjFBMHRwRVIKQnJFdzFLZjhSbklBSSt6NFNNWUtIZitYby9iVTJBNmVKdDJQandJREFRQUJBb0lCQUJuWFY2SnlCUHMvVkVPTQpvRHFaelVTS1lBaEtMam5IVTVVcktDRUlrdWFmSTdPYVRXTjl5Y3FSVHk1b3RnSUxwRG9YUnR3TzFyZ1huQkZuCjEwU0Fza0dVOFBOT3IzZStmQXNWcG9VYzJIKzFEZ1pwVTJYQXNHeSs4WkxkbXFHTUIyTko2Wm95Wm94MjRVUDIKODFGdmd4MkQ1OGhGcHRHcml1RjlBSHRaNHdhUXhnNE9EckNnQUVmZU8rTlNsckEvZHB0bERFcDJYUHBVVGg5VQpKMGk2b3VGZjUwTllHZXptMTR5ZkpWMDhOdWJGYjNjWldNOUZYZXAvUDhnZTFXZXBRemJsZWtWcEQ0eGZQa1ZjCjNwam1GREszdUVuSC9qcmRKeDJUb0NjTkJqK21nemN6K1JNZUxTNVBQZ29sc0huSFVNdkg4eG51cis5MURlRXgKWVlSYUtRRUNnWUVBMkVjUjFHcTFmSC9WZEhNU3VHa2pRUXJBZ0QvbEpiL0NGUExZU2xJS0pHdmV5Vi9qbWtKNApRdUFiYWFZRDVOdmtxQ0dDd2N1YXZaU05YTnFkMGp5OHNBWmk0M0xOaCt0S1VyRDhOVlVYM2ZiR2wyQUx0MTFsCmVUM0ZRY1NVZmNreEZONW9jdEFrV3hLeG5hR2hpOHJlelpjVStRZkMxdDF5VTdsOXR0MUgrODhDZ1lFQTJsRjQKRDBnZHpKWHduQnBJM0FJSjNyMDlwalZpMXlScGgyUDRvK1U2a1cvTmE5NnRLcTg5VEg3c0ViQkpSWEVjUDdBawpSYnNHN1p4SStCQkF5cy9YdFhkOWowdXRBODc4c1hsbm5ZVTlUa21xQXRoYVBCaWh3K00wZE9LNnFhRFpueWZBCnE5Z2NoZ0ZvS3pGenBuMzVvVzllNStId2EyYWk2YW8yZnFHSFlFRUNnWUVBcVVaR3dEaWN2MHJXYUlSQVhMRjkKZEVUVUVnendickU5V0dRUndXbWdvbzBESEIyKzZGZXFCTDJlOXZ1SEJMTE9yb0U3OUM1RmVLZ3lWRUNQVWFOVQpFM21NSUhVVVJKTjE0bTYvbDRaNFhiUHVEMENQS3Y4Z2t0b3o3NXZLbFFESk40b3p1ZGtLKzNVUUswMzhRSXVTCkF0dURBTDZBVXVlVHVjL3VneGVDWmFVQ2dZQnFZUlE5YmdpSExmQ21QL0NNczdtWGZXTFM0R1NmTExEM05mRnIKKzBDRXFaUFJJaG9ER0l5bi81aU1MZmdtREMyVm93Q3BzYTU0alpUSXV6SzNJSHVkZ3ZIOXB3UlJQTVRJdmIyTgpkZVVmaHFsKzVXbGlxeVgzeTNnK0ZGU2NYekpyYVBWclJzenZSelE1Qjhtd3NPVzRrZ29PdDN0cytnQWNGOEtpCkJaZHZnUUtCZ1FDdTBSQmwrTkRIZ2RiZC9YUnN0ZmZWWUlDRnpPOFJoWUo0NGpZYWRVc3BtcW5BYUp3T3liL0EKek9FNC9RbE85MGx2WCtYbXFud3FKMzlDOVF0SDFCeTZGdVhhVCtGdVdxeWVlK3MyNEd1Rnp5b3pUVnBZNURROQpSUS9iL2NQbXZuMTZMMnlTaVY2d3N3Nk8xWGdtc2ZCZ0JHUjJsdU5PTjIwNGdnazRZWGgvZ3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: "2019-12-16T14:31:59Z"
  name: dpaas-secret
  namespace: dpaas-prod
  resourceVersion: "134564"
  selfLink: /api/v1/namespaces/dpaas-prod/secrets/dpaas-secret
  uid: d1c692b6-2010-11ea-bce8-1247666f5179
type: kubernetes.io/tls

kubectl describe ingress ingress-test4 -n dpaas-prod:

Name:             ingress-test4
Namespace:        dpaas-prod
Address:          ad6c6ea681f5d11ea91440a6af5c8987-559e0a22f4b3e398.elb.us-east-1.amazonaws.com
Default backend:  default-http-backend:80 (<none>)
TLS:
  dpaas-secret terminates
Rules:
  Host                                                 Path  Backends
  ----                                                 ----  --------
  test4.dps.mycompany.com
                                                       /   cpe-test4:80 (10.0.13.222:8080,10.0.38.178:8080)
Annotations:
  nginx.ingress.kubernetes.io/force-ssl-redirect:  false
  nginx.ingress.kubernetes.io/server-alias:        test4.dps.us-east-1.mycompany.com
  nginx.ingress.kubernetes.io/ssl-redirect:        true
Events:                                            <none>

回答1:


In general, "Kubernetes ingress Controller Fake certificate" indicates problems on the certificates itself or in your setup. You can read more about it here, here, here and here.

None of these posts will tell you how to solve your problem as the reason may be very wide and depends on your certificate and how it was generated.

Here for example, it's reported that problem was not in the certificate itself but in his ingress:

I just realized that I was missing the host in the rule per se (not sure if this is required, but it fixed the issues and now the cert. being used is the one I'm providing and not the Fake Kubernetes one). Example of my ingress:

So, I as suggested in the comments, you reviewed the steps used to generate your certificate and discovered that adding the certificate common name to the list of SANs and regenerating the self-signed certificate fixed the problem.




回答2:


Thank you Watney, your remark that "Kubernetes ingress Controller Fake certificate¨ indicate problems on the certificates itself lead me to further investigation. I discovered that adding the certificate common name to the list of SANs and regenerating the self-signed certificate fixes this problem :)



来源:https://stackoverflow.com/questions/59356528/kubernetes-tls-secret-certificate-expiration

标签
ssl
Kubernetes
certificate
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!