As I’ve written in the topic name, I’m trying to set up a mutual authentication where the server CA and the client CA are different.
What I’ve done till now is:
config a secret where I’ve put:
- ca.crt -> root and intermediate certicate of the CLIENT CA
- tls.crt -> public SERVER cert
- tls.key -> private SERVER key
Inside the Ingress Rule I’ve set the following annotation:
- nginx.ingress.kubernetes .io/auth-tls-verify-client: “on”
- nginx.ingress.kubernetes .io/auth-tls-secret: “default/ca-secret”
Rancher’s cluster is running behind an internal proxy, for this I have a private dns name and a public one (for
the mutual auth I’m using the public dns name). Related to this, inside the ingress I’ve set correct TLS
certificate and hostname (without all the TLS conf I can reach a Pod without problem )
From the Nginx, vers. openresty/18.104.22.168, logs I can see that everything is up & running (I don’t have errors about the given certificates).
But, every time I’ve tried to load the exposed endpoint with the right certificates, I’ve got always the same error:
- 400 Bad Request
- with status code 400
without certificate the error is always 400 but with a message “No required SSL certificate was sent”, that makes sense
Other strange thing: the rewrite rule annotation, nginx.ingress.kubernetes. io/rewrite-target that I was using
with rancher 2.2, is not working anymore, why?
(the annotations listed above has a whitespace before the “.io” for avoid to be recognized as links)