kubernetes/website

CN missmatch in Securing nginx example

Open

#33,169 opened on Apr 24, 2022

View on GitHub
 (15 comments) (1 reaction) (1 assignee)HTML (13,918 forks)batch import
help wantedlifecycle/frozentriage/accepted

Repository metrics

Stars
 (4,127 stars)
PR merge metrics
 (Avg merge 16d 13h) (160 merged PRs in 30d)

Description

In the page - https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service there are two methods provided, to create certificate for setting up nginx with SSL:

  1. Using "make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt" inside https://github.com/kubernetes/examples/tree/master/staging/https-nginx/
  2. Using openssl command.

In method 1, the subj used is CN=nginxsvc/O=nginxsvc and in method 2 its /CN=my-nginx/O=my-nginx

Further down the document, to access the site without SSL error following command is provided: kubectl exec curl-deployment-1515033274-1410r -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt

This command works fine if the certificate is generated using method 2. However it will give following error if method 1 is used: kubectl exec curl-deployment-948555475-7mnx9 -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt curl: (51) SSL: certificate subject name 'nginxsvc' does not match target host name 'my-nginx' command terminated with exit code 51

The subj can be changed in https://github.com/kubernetes/examples/blob/master/staging/https-nginx/Makefile to match my-nginx, however I am not sure if it would impact other examples.

Any suggestions/comments?

Contributor guide