Hi,
I'm trying to get my head around the certificate handling in rancher (2.3.6)/nginx-ingress.
I'm using cert-manager.
Without appending ca.crt to tls.crt, verifying with openssl:
openssl s_client -connect :443
will say:
Verify return code: 21 (unable to verify the first certificate)
OK, so I jump into the nginx.conf on the ingress:
nginx.conf:
ssl_certificate_by_lua_block {
certificate.call()
}
ssl_client_certificate /etc/ingress-controller/ssl/-rpc-server.pem;
So, checking the pem:
-----BEGIN CERTIFICATE-----
server certificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
server key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----
I would expect this to work, but it doesn't.
If I append ca.crt to the tls.crt (cat server.crt ca.crt > tls.crt) it's working fine, and the nginx pem will be:
-----BEGIN CERTIFICATE-----
server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
server key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----
So my question is this:
Why is it really necessary to have the CA twice to get the chain OK?
In my context, it makes using cert-manager/ipxe a bit troublesome.
br hw
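An added example (editor's code, not from the original post and not code from rancher, cert-manager or ingress-nginx) that reproduces the two situations above offline. It generates a throwaway CA and a server certificate it issued (the names `example-ca` and `rancher.example` and all file names are made up), then runs `openssl verify` the way a TLS client would against the leaf alone and against the hand-built `cat server.crt ca.crt` chain, with and without the CA as a trust anchor, and finally lists the certificates in a cert/key/CA bundle laid out like the one shown for nginx. The nginx side of the question is a separate matter: in nginx the chain sent to clients comes from the `ssl_certificate` material, while `ssl_client_certificate` only names the CAs nginx trusts when verifying client certificates, so a CA that appears there does nothing for a client trying to verify the server.

```shell
#!/bin/sh
# Added example, not code from the original post or from rancher/ingress-nginx.
# Builds a throwaway CA and server certificate (all names are made up), then
# shows what a client can verify when the server presents the leaf alone versus
# leaf + CA, and how to inspect the certificate order in an nginx-style bundle.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed test PKI: one self-signed CA and one server cert it issued ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=example-ca" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=rancher.example" -keyout tls.key -out tls.csr 2>/dev/null
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -out server.crt 2>/dev/null

# tls.crt holding only the leaf vs. the hand-built chain from the post.
cp server.crt tls_leaf_only.crt
cat server.crt ca.crt > tls_with_chain.crt
# The cert / key / CA layout the post shows for the nginx pem file.
cat server.crt tls.key ca.crt > nginx_style.pem

# Number of CERTIFICATE blocks in a PEM file (how many times a CA appears).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject and issuer of every certificate in a bundle, in file order.
# crl2pkcs7 collects only the CERTIFICATE blocks, so the private key sitting
# between two certificates in the nginx file is skipped instead of breaking
# the parse.
list_certs() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep -E '^(subject|issuer)='
}

# Verify the first certificate of $2 the way a TLS client would, using the rest
# of $2 as the chain the server sent (-untrusted). $1 is the client's trust
# anchor file, or "" for a client with no trust store, which is what a bare
# `openssl s_client -connect host:443` without -CAfile amounts to.
# Prints the X509 verify error number: 0 = chain built; 20 = the issuer of the
# leaf is nowhere to be found (openssl verify stops here, while s_client keeps
# going and ends with 21 "unable to verify the first certificate" for the same
# condition); 19 = the chain reaches a self-signed CA the client does not trust.
verify_code() {
  if [ -n "$1" ]; then trust="-CAfile $1"; else trust="-no-CAfile -no-CApath"; fi
  out=$(openssl verify $trust -untrusted "$2" "$2" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

echo "leaf only, no trust anchor:      $(verify_code '' tls_leaf_only.crt)"
echo "leaf+CA,   no trust anchor:      $(verify_code '' tls_with_chain.crt)"
echo "leaf only, client trusts ca.crt: $(verify_code ca.crt tls_leaf_only.crt)"
echo "leaf+CA,   client trusts ca.crt: $(verify_code ca.crt tls_with_chain.crt)"
echo "certificates in nginx_style.pem: $(cert_count nginx_style.pem)"
list_certs nginx_style.pem
```

The `list_certs` pipeline is the quickest way to see what actually ended up in the pem nginx is given, including whether the chain is in leaf-then-issuer order, without being tripped up by the key block in the middle. `verify_code` needs OpenSSL 1.1 or newer for the `-no-CAfile`/`-no-CApath` options and the non-zero exit status on failure.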