Custom Domains cause NET::ERR_CERT_AUTHORITY_INVALID error

Hi!

I’ve set up a custom domain on a new K8s rack on AWS and when I visit it, I see an error that the certificate is invalid. Chrome says the site is using the “Kubernetes Ingress Controller Fake Certificate”. Any idea how to fix this?

2 Likes

Turns out wildcard domains don’t work (yet) in gen.3 racks. By taking out the wildcard host, it worked.

Any chance you could share an example of the configs you set up?

I’m following the docs here:

And I’ve set up the CNAME to point to the router as reported by the convox rack command, but when I access it, I get the same message.

My DNS entry:

cvx-arc.arcadehub.co CNAME router.630a81e2f821244c.convox.cloud

My convox.yml:

services:
  web:
    build: .
    command: bundle exec unicorn -c config/unicorn.rb
    health: /health-k8s
    port: 3000
    domain: ${HOST}
    environment:
      - "*"

When I run wget https://cvx-arc.arcadehub.co/health, I get this:

--2020-07-24 15:28:47--  https://cvx-arc.arcadehub.co/health
Resolving cvx-arc.arcadehub.co (cvx-arc.arcadehub.co)... 13.239.103.172, 13.237.89.13, 52.63.139.65
Connecting to cvx-arc.arcadehub.co (cvx-arc.arcadehub.co)|13.239.103.172|:443... connected.
ERROR: cannot verify cvx-arc.arcadehub.co's certificate, issued by ‘CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co’:
  Unable to locally verify the issuer's authority.
ERROR: no certificate subject alternative name matches
	requested host name ‘cvx-arc.arcadehub.co’.
To connect to cvx-arc.arcadehub.co insecurely, use `--no-check-certificate'.

$ convox env get HOST
cvx-arc.arcadeub.co
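
Added example, not part of any post in this thread and not Convox code: a small Python check that compares the hostname being requested with the values in HOST and with the certificate that was served, using the values posted above. The function names are hypothetical, treating HOST as a comma-separated list is an assumption, and the empty SAN list is a constructed stand-in for wget's "no certificate subject alternative name matches".

```python
import difflib

# Issuer CN reported by Chrome and wget in the thread above.
FALLBACK_CN = "Kubernetes Ingress Controller Fake Certificate"

def san_matches(host, san):
    """Hostname match allowing one left-most wildcard label (RFC 6125 style)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]

def diagnose(requested, host_env, issuer_cn, sans):
    """Return findings explaining why `requested` gets an untrusted certificate."""
    findings = []
    # Assumption: HOST may carry several comma-separated domains.
    domains = [d.strip().lower() for d in host_env.split(",") if d.strip()]
    for d in domains:
        if d.startswith("*."):
            # The thread reports wildcard hosts not working on gen.3 racks.
            findings.append(f"wildcard host in HOST: {d}")
    if requested.lower() not in domains:
        near = difflib.get_close_matches(requested.lower(), domains, n=1, cutoff=0.8)
        hint = f" (closest configured value: {near[0]})" if near else ""
        findings.append(f"{requested} is not listed in HOST{hint}")
    if issuer_cn == FALLBACK_CN:
        findings.append("ingress served its default certificate; none was issued for this host")
    if not any(san_matches(requested, s) for s in sans):
        findings.append(f"no subjectAltName covers {requested}")
    return findings

# Values copied from the DNS entry and the `convox env get HOST` output above.
REQUESTED = "cvx-arc.arcadehub.co"
HOST_ENV = "cvx-arc.arcadeub.co"

if __name__ == "__main__":
    for line in diagnose(REQUESTED, HOST_ENV, FALLBACK_CN, sans=[]):
        print("-", line)
```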

I’ve been having similar issues and my configuration is similar to yours. I am using Digital Ocean though (not sure if that makes a difference). I noticed it can sometimes take a while for the cert to be generated (30-60 mins). I have been having problems, though, with the cert not being generated even after several hours, and there do not seem to be many options to debug the issue. The steps I’ve been taking are (a) delete and re-create the app, (b) re-deploy and (c) update the HOST variable. After struggling for nearly a day it appears my certs have finally been generated. The last thing I did before they started working was to reduce the number of domains in the HOST variable from around 8 down to 3 and re-deploy. I can’t say whether that was related though or if it was just a random occurrence.

It would be nice if there were more insight into what was happening. I suspect maybe there was an error in the generation but it isn’t getting logged anywhere (that I can see).

Devs please take note, it would be nice if the tool gave better insight into what was happening. I noticed the CLI has ssl and cert commands but those look like they’re only for manual cert creation. At least when I run those on my rack/app the output is empty.

1 Like