failed to parse certificate from server: x509: cannot parse dnsName #2188

Closed
dkoshkin opened this issue Mar 8, 2018 · 3 comments

dkoshkin commented Mar 8, 2018

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):


Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

NGINX Ingress controller version:
0.11.0

Kubernetes version (use kubectl version):

Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T11:55:20Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration:
    AWS
  • OS (e.g. from /etc/os-release):
    NAME="Ubuntu"
    VERSION="16.04.1 LTS (Xenial Xerus)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 16.04.1 LTS"
    VERSION_ID="16.04"
    HOME_URL="http://www.ubuntu.com/"
    SUPPORT_URL="http://help.ubuntu.com/"
    BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
    UBUNTU_CODENAME=xenial
  • Kernel (e.g. uname -a):
    Linux ip-10-0-3-226 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

What happened:
Installing on a cluster that uses an Amazon Route 53 DNS name as an endpoint for the API server fails in 0.11.0; the same setup worked in previous versions.

I0308 16:44:26.897598       5 main.go:212] unexpected error discovering Kubernetes version (attempt Get https://172.20.0.1:443/version: tls: failed to parse certificate from server: x509: cannot parse dnsName "1520520257.kismatic.integration-tests."): 6

The contents of the cert for the api:

        Subject: CN=ip-10-0-3-226.ec2.internal
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:ip-10-0-3-226.ec2.internal, DNS:1520520257.kismatic.integration-tests., IP Address:127.0.0.1, IP Address:172.20.0.1, IP Address:184.73.149.217, IP Address:127.0.0.1, IP Address:10.0.3.226

What you expected to happen:
Ingress pod should start up as it has before.

How to reproduce it (as minimally and precisely as possible):
Check out Kismatic and run:

LEAVE_ARTIFACTS=true FOCUS="'Upgrading a cluster using online mode From KET version v1.9.0 Using a skunkworks cluster'" make focus-integration-test

Anything else we need to know:
I understand this is probably an issue with some downstream dependency; it would be great to get some direction on which project, and I can open an issue there.


trunet commented Mar 8, 2018

Golang 1.9 included some extra x509 certificate validation, and ingress is being compiled with it or newer.

As a workaround, you can generate your own ingress Docker image compiling with golang 1.8.

For the real fix, you probably need to check some RFCs to back you up and open an issue at golang.

https://tools.ietf.org/html/rfc5280#section-4.2.1.6 points to https://tools.ietf.org/html/rfc1034#section-3.5, which says that numbers/digits/dash are OK.


dkoshkin commented Mar 8, 2018

Looks like the implementation of domainToReverseLabels changed in Go 1.9.

The new version no longer supports . at the end in 1520542839.kismatic.integration-tests.

Removing the . at the end when generating the cert fixed it and the DNS name was still resolvable on the nodes.

https://play.golang.org/p/usD3D8LtLSI
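
Added example, not part of the original thread and not code from Go, Kismatic or ingress-nginx: the fix described in the comment above, written in Go. It strips the trailing dot from DNS SANs before issuing and checks that the result parses and matches with crypto/x509. `normalizeSANs` and `issueAndParse` are hypothetical helper names, and the key and certificate are throwaway values constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// normalizeSANs drops the trailing root dot and rejects names with an empty label.
func normalizeSANs(names []string) ([]string, error) {
	out := make([]string, 0, len(names))
	for _, n := range names {
		n = strings.TrimSuffix(n, ".")
		if n == "" || strings.HasPrefix(n, ".") || strings.Contains(n, "..") {
			return nil, fmt.Errorf("dnsName %q has an empty label", n)
		}
		out = append(out, n)
	}
	return out, nil
}

// issueAndParse self-signs a throwaway cert with the normalized SANs and re-parses it.
func issueAndParse(sans []string) (*x509.Certificate, error) {
	clean, err := normalizeSANs(sans)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: clean,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// SAN values taken from the certificate dump in the issue (subset).
	cert, err := issueAndParse([]string{"kubernetes.default.svc", "1520520257.kismatic.integration-tests."})
	fmt.Println(err, cert != nil && cert.VerifyHostname("1520520257.kismatic.integration-tests") == nil)
}
```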


cjlarose commented Apr 12, 2018

Just adding some context here since I landed on this issue from a Google search and it wasn't clear to me what the status was.

Relevant issue on the golang GitHub: golang/go#23995

The fix appears to be https://golang.org/cl/96378, which was merged into Go 1.10.1.

The upgrade to Go 1.10.1 was here: #2273. This change has not yet landed in a release of ingress-nginx. If you can afford to go back to ingress-nginx version 0.9.0, then you should be fine since that version was using a version of Go that did not have the x509 certificate parsing error.

If you, like me, want to run ingress-nginx on Docker for Mac, you can do this:

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml \
    | kubectl apply -f -
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/default-backend.yaml \
    | kubectl apply -f -
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/configmap.yaml \
    | kubectl apply -f -
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/tcp-services-configmap.yaml \
    | kubectl apply -f -
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/udp-services-configmap.yaml \
    | kubectl apply -f -
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/without-rbac.yaml \
    | kubectl apply -f -
kubectl patch deployment -n ingress-nginx nginx-ingress-controller --type='json' \
  --patch='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0"}]'
kubectl patch deployment -n ingress-nginx nginx-ingress-controller --type='json' \
  --patch="$(curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/publish-service-patch.yaml)"
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/gce-gke/service.yaml \
    | kubectl apply -f -

Edit: ingress-nginx version 0.13.0 contains the fix to upgrade to Go 1.10.1
