kubernetes/website

CN missmatch in Securing nginx example

Open

#33.169 aperta il 24 apr 2022

Vedi su GitHub
 (15 commenti) (1 reazione) (1 assegnatario)HTML (13.918 fork)batch import
help wantedlifecycle/frozentriage/accepted

Metriche repository

Star
 (4127 star)
Metriche merge PR
 (Merge medio 16g 13h) (160 PR mergiate in 30 g)

Descrizione

In the page - https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service there are two methods provided, to create certificate for setting up nginx with SSL:

  1. Using "make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt" inside https://github.com/kubernetes/examples/tree/master/staging/https-nginx/
  2. Using openssl command.

In method 1, the subj used is CN=nginxsvc/O=nginxsvc and in method 2 its /CN=my-nginx/O=my-nginx

Further down the document, to access the site without SSL error following command is provided: kubectl exec curl-deployment-1515033274-1410r -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt

This command works fine if the certificate is generated using method 2. However it will give following error if method 1 is used: kubectl exec curl-deployment-948555475-7mnx9 -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt curl: (51) SSL: certificate subject name 'nginxsvc' does not match target host name 'my-nginx' command terminated with exit code 51

The subj can be changed in https://github.com/kubernetes/examples/blob/master/staging/https-nginx/Makefile to match my-nginx, however I am not sure if it would impact other examples.

Any suggestions/comments?

Guida contributor