TLS Client-Side authentication #2287

Closed
Drupi opened this issue Apr 3, 2018 · 10 comments

Drupi commented Apr 3, 2018

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

BUG

NGINX Ingress controller version:
0.12.0

Kubernetes version (use kubectl version):
1.10

Environment:

  • Cloud provider or hardware configuration: Azure
  • OS (e.g. from /etc/os-release): Debian
  • Kernel (e.g. uname -a):
  • Install tools: acs-engine
  • Others:

What happened:
Even after I provide the TLS certificate and annotations in the Ingress:

kubernetes.io/ingress.class: "nginx"
ingress.kubernetes.io/auth-tls-secret: "default/caingress"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
ingress.kubernetes.io/force-ssl-redirect: "true"

the client-side auth is not working - it allows access through the browser.

What you expected to happen:
When I do curl --insecure https://URL I should get:

<title>400 No required SSL certificate was sent</title>

400 Bad Request

No required SSL certificate was sent
nginx/1.11.12

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:
It's working on this version of nginx:
quay.io/aledbf/nginx-ingress-controller:0.89

Member

aledbf commented Apr 3, 2018

@Drupi I think your issue is related to the annotations prefix. Make sure the annotations are

nginx.ingress.kubernetes.io/auth-tls-secret: "default/caingress"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

and you are using the latest version of the ingress controller.
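
An added example, not part of the thread or the project's own code: a small lint that checks the annotations from the report against the prefix given in the reply above. It assumes the controller reads the `nginx.ingress.kubernetes.io` prefix; `lint_client_auth` and the other names are hypothetical.

```python
import re

# Assumption: the controller reads the annotation prefix used in the
# maintainer's reply above.
EXPECTED_PREFIX = "nginx.ingress.kubernetes.io"
# Annotation names that appear in this thread.
WATCHED = {"auth-tls-secret", "auth-tls-verify-client",
           "auth-tls-verify-depth", "force-ssl-redirect"}
LINE_RE = re.compile(r'^\s*([\w.-]+)/([\w.-]+):\s*"?([^"]*)"?\s*$')

# Annotations exactly as posted in the bug report.
REPORTED = '''
kubernetes.io/ingress.class: "nginx"
ingress.kubernetes.io/auth-tls-secret: "default/caingress"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
ingress.kubernetes.io/force-ssl-redirect: "true"
'''

def parse_annotations(text):
    """Map (prefix, name) -> value for each 'prefix/name: "value"' line."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[(m.group(1), m.group(2))] = m.group(3)
    return found

def lint_client_auth(text, prefix=EXPECTED_PREFIX):
    """Return reasons client-certificate verification would not be enforced."""
    ann = parse_annotations(text)
    # Watched annotations under any other prefix are not picked up.
    problems = [f"{p}/{n}: not read, expected prefix {prefix}"
                for (p, n) in sorted(ann) if n in WATCHED and p != prefix]
    if not ann.get((prefix, "auth-tls-secret")):
        problems.append(f"{prefix}/auth-tls-secret missing: no CA to verify against")
    if ann.get((prefix, "auth-tls-verify-client")) != "on":
        problems.append(f'{prefix}/auth-tls-verify-client is not "on"')
    return problems

if __name__ == "__main__":
    for problem in lint_client_auth(REPORTED):
        print("WARN", problem)
```

A clean result only rules out the prefix mistake; the rest of the thread describes other causes (a controller fix in master, and a load balancer that terminates TLS before the ingress controller).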

Author

Drupi commented Apr 3, 2018

OK, I've done it, but I'm still able to reach the probe with curl --insecure.

Author

Drupi commented Apr 4, 2018

So, currently it is not working on the official image, at least I'm not so strong in the Force to configure it. I used the image from quay.io/aledbf and it is working perfectly.

@Drupi Drupi closed this as completed Apr 4, 2018
@Drupi Drupi reopened this Apr 4, 2018

lszymik commented Apr 5, 2018

I am also affected by that issue. Yesterday, I was able to get it running with use of this image:
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.11.0
Do you know if a next release will have it fixed?

Member

aledbf commented Apr 5, 2018

@Drupi @lszymik this is currently fixed in master #2270
Next release is scheduled for next week.


lszymik commented Apr 5, 2018

@aledbf Thank you very much. It is really great news. Cheers

@aledbf aledbf closed this as completed Apr 10, 2018
@ChiZhangCZ

Hi, I know this had been closed for a while, but I have the same issue running Kubernetes on AWS with NGINX Ingress controller version: 0.21.0. Exec'ing into the controller pod shows all the configurations have been applied, but I still don't get a 400 error when navigating to the host without a certificate.


joeherm commented Apr 22, 2019

@ChiZhangCZ Did you ever figure this out?


nimish commented Nov 28, 2019

This is happening to me, as of the very latest nginx-ingress controller. I'm able to somehow bypass the cert check.

@ChiZhangCZ

Just an update on this: my issue was that my load balancer was not configured for TCP passthrough, meaning the certificate resolution was happening at the load balancer level, and not actually being handled by the ingress controller. Apologies for the late response.
