Ipo-9558 asked GitaraniSharmaMSFT-4262 edited

SSL certificate verify result: unable to get local issuer certificate (20)

Hi everyone. I was going through this [Microsoft documentation][1] to implement TLS in the NGINX ingress controller for my application running in Azure Kubernetes Service. My ingress resource is below:

 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: my-ingress
   namespace: my-ingress-ns
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
     - my_azure_private_dns
     secretName: ingress-tls
   rules:
   - host: my_azure_private_dns
     http:
       paths: 
       - path: /data/
         pathType: Prefix
         backend:
           service:
             name: svc1
             port:
               number: 80
       - path: /programs/
         pathType: Prefix
         backend:
           service:
             name: svc1
             port:
               number: 80

The ingress resource is deployed in the same namespace as my app pod and service. The TLS Secret (ingress-tls) is also deployed to the same namespace as the ingress resource, app and service. Since my company is the CA, I ran update-ca-certificates to trust the root certificates when the k8s deployment is created, using a bash script which acts as the entry point to my Dockerfile.

 start.sh
    
 #!/bin/sh
 update-ca-certificates
 dotnet my.App.dll

 dockerfile
    
 ...
 CMD ["./start.sh"]

After my deployment is created and I exec into the pod, I can see that the root certificates have been installed in /etc/ssl/certs.

The problem is when I try to access my app through my Azure private DNS I have this error: NET::ERR_CERT_AUTHORITY_INVALID
and when I run curl: curl https://my_azure_private_dns/data -kv

it shows me this error: * SSL certificate verify result: unable to get local issuer certificate (20)

Please can someone tell me where I am wrong? Thank you
[1]: https://docs.microsoft.com/en-us/azure/aks/ingress-own-tls?tabs=azure-cli







1 Answer

CristianSPIRIDON72 answered Ipo-9558 edited

Hi,

The CN in the certificate has to match the host name from the https query.

Can you check if that is the case?

It is possible that the certificate was issued with the public host name.

Hope this helps!


Hi, thanks for your response. I later found out what was causing the error. I also needed to trust the Root and Intermediate Certificates on the VM that I used to access the DNS from a web browser.

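The resolution in the comment above, reproduced with `openssl verify` on a constructed certificate chain. This is an added example, not code from the thread; every subject and file name in it (demo-root, demo-intermediate, unrelated-root, app.internal.example) is an assumption. It shows that error 20 depends on what the verifying client trusts and on which intermediates it is given, not on what is installed inside the pod.

```shell
#!/bin/sh
# Constructed throwaway PKI: demo-root -> demo-intermediate -> leaf, plus an
# unrelated root. Every subject and file name here is an assumption for the demo.

issue() {  # issue <name> <subject> <extfile> [<issuer>]; self-signed without issuer
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" \
      -days 2 -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {  # build_chain <dir>: write all demo certificates into <dir>
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'subjectAltName=DNS:app.internal.example\n' > leaf.ext
    issue root "/CN=demo-root" ca.ext &&
    issue intermediate "/CN=demo-intermediate" ca.ext root &&
    issue leaf "/CN=app.internal.example" leaf.ext intermediate &&
    issue other "/CN=unrelated-root" ca.ext &&
    cat root.pem intermediate.pem > root-and-intermediate.pem )
}

# verify_code <dir> <trust-store.pem> [<intermediates-sent-by-server.pem>]
# Prints 0 if the leaf validates, otherwise OpenSSL's X509 verify error number.
verify_code() {
  if vc_out=$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1/leaf.pem" 2>&1); then
    echo 0
  else
    printf '%s\n' "$vc_out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

d=$(mktemp -d) && build_chain "$d" || exit 1
echo "client trusts an unrelated root, leaf only:    $(verify_code "$d" "$d/other.pem")"
echo "client trusts root, leaf only:                 $(verify_code "$d" "$d/root.pem")"
echo "client trusts root, intermediate from server:  $(verify_code "$d" "$d/root.pem" "$d/intermediate.pem")"
echo "client trusts root + intermediate:             $(verify_code "$d" "$d/root-and-intermediate.pem")"
rm -rf "$d"
```

The last case corresponds to what the asker did on the VM. The `-k` flag in the curl command from the question only stops curl from aborting on the failure; the verify result is still reported in the verbose output.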