Rancher 2.3 - set up mutual authentication

Hi everybody
As I’ve written in the topic name, I’m trying to set up a mutual authentication where the server CA and the client CA are different.
What I’ve done till now is:

  • config a secret where I’ve put:

    • ca.crt -> root and intermediate certicate of the CLIENT CA
    • tls.crt -> public SERVER cert
    • tls.key -> private SERVER key

Inside the Ingress Rule I’ve set the following annotation:

  • nginx.ingress.kubernetes .io/auth-tls-verify-client: “on”
  • nginx.ingress.kubernetes .io/auth-tls-secret: “default/ca-secret”

Rancher’s cluster is running behind an internal proxy, for this I have a private dns name and a public one (for
the mutual auth I’m using the public dns name). Related to this, inside the ingress I’ve set correct TLS
certificate and hostname (without all the TLS conf I can reach a Pod without problem )

From the Nginx, vers. openresty/1.15.8.2, logs I can see that everything is up & running (I don’t have errors about the given certificates).

But, every time I’ve tried to load the exposed endpoint with the right certificates, I’ve got always the same error:

  • 400 Bad Request
  • with status code 400

without certificate the error is always 400 but with a message “No required SSL certificate was sent”, that makes sense

Other strange thing: the rewrite rule annotation, nginx.ingress.kubernetes. io/rewrite-target that I was using
with rancher 2.2, is not working anymore, why?

(the annotations listed above has a whitespace before the “.io” for avoid to be recognized as links)