kubernetes/website

CN missmatch in Securing nginx example

Open

#33 169 ouverte le 24 avr. 2022

Voir sur GitHub
 (15 commentaires) (1 réaction) (1 assigné)HTML (13 918 forks)batch import
help wantedlifecycle/frozentriage/accepted

Métriques du dépôt

Stars
 (4 127 stars)
Métriques de merge PR
 (Merge moyen 16j 13h) (160 PRs mergées en 30 j)

Description

In the page - https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service there are two methods provided, to create certificate for setting up nginx with SSL:

  1. Using "make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt" inside https://github.com/kubernetes/examples/tree/master/staging/https-nginx/
  2. Using openssl command.

In method 1, the subj used is CN=nginxsvc/O=nginxsvc and in method 2 its /CN=my-nginx/O=my-nginx

Further down the document, to access the site without SSL error following command is provided: kubectl exec curl-deployment-1515033274-1410r -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt

This command works fine if the certificate is generated using method 2. However it will give following error if method 1 is used: kubectl exec curl-deployment-948555475-7mnx9 -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt curl: (51) SSL: certificate subject name 'nginxsvc' does not match target host name 'my-nginx' command terminated with exit code 51

The subj can be changed in https://github.com/kubernetes/examples/blob/master/staging/https-nginx/Makefile to match my-nginx, however I am not sure if it would impact other examples.

Any suggestions/comments?

Guide contributeur