TLS Error #3496
Comments
Hey @sanketshirode, it's possible that there is a validation error happening and the "secret not found" is misleading. Would you be able to tail your Contour logs to see if there's something that pops up? Contour looks for the following in a secret:
If any of those are invalid, the secret doesn't get added to Contour's cache, so later on, when your HTTPProxy references the secret, it's "not found" since it's not in the cache.
Hey @stevesloka, thanks a lot for responding. Please take a look at my secret given here. There is nothing I could find in the Contour logs that relates to this error. Please let me know if there is anything else I could check.
Hey @sanketshirode, could you restart an instance of Contour and then look at the logs? If that secret doesn't change, I bet the logs would get lost. Can you verify your certs have a common name and a subject alt name? Also, how did you provision the cert?
Hey @stevesloka, you were right: now I can see the logs complaining about a missing CN or Subject Alt Name, but when I checked, both are present in the cert. Please check the attached screenshot. And this is the log complaining about the cert.
The only thing is that this is a wildcard certificate, and I think that shouldn't be an issue.
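The thread turns on two points: a secret that fails Contour's validation is silently left out of the cache (so the HTTPProxy later reports "Secret not found"), and a certificate is rejected when it carries neither a Common Name nor a DNS Subject Alternative Name, which should not happen for a wildcard cert that has both. The Go program below is an added example, not Contour's own code: it applies those checks to the `tls.crt`/`tls.key` data of a `kubernetes.io/tls` Secret, including the key-matches-certificate check, and builds constructed self-signed test certificates in-process so it runs offline. The exact rule set (`ValidateTLSSecret`, `NewSelfSignedSecret`) is an assumption for illustration and does not claim to mirror Contour's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateTLSSecret checks the data map of a kubernetes.io/tls Secret the way
// the thread describes: tls.crt must hold a parseable PEM certificate chain
// whose leaf identifies a host (CN or at least one DNS SAN, wildcards allowed),
// and tls.key must be a private key that matches the leaf. This rule set is
// an assumption for the example, not Contour's actual validation code.
func ValidateTLSSecret(data map[string][]byte) error {
	certPEM, ok := data["tls.crt"]
	if !ok || len(certPEM) == 0 {
		return errors.New("missing tls.crt")
	}
	keyPEM, ok := data["tls.key"]
	if !ok || len(keyPEM) == 0 {
		return errors.New("missing tls.key")
	}

	// Walk every PEM block in tls.crt; the first CERTIFICATE block is the leaf.
	var leaf *x509.Certificate
	rest := certPEM
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected PEM block %q in tls.crt", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("tls.crt: %w", err)
		}
		if leaf == nil {
			leaf = cert
		}
	}
	if leaf == nil {
		return errors.New("tls.crt contains no CERTIFICATE block")
	}

	// A serving certificate must name a host somewhere. A wildcard such as
	// *.example.com in either field is fine; this is the check the thread's
	// "missing CN or Sub Alt Name" log refers to.
	if leaf.Subject.CommonName == "" && len(leaf.DNSNames) == 0 {
		return errors.New("certificate has neither a Common Name nor a DNS Subject Alternative Name")
	}

	// tls.X509KeyPair parses both halves and verifies that the private key
	// corresponds to the leaf's public key.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("certificate/key pair invalid: %w", err)
	}
	return nil
}

// NewSelfSignedSecret builds a constructed kubernetes.io/tls Secret data map
// holding a self-signed ECDSA certificate with the given CN and DNS SANs.
// Used here only to produce test input; it is not how a real cert is issued.
func NewSelfSignedSecret(cn string, dnsNames []string) (map[string][]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

func main() {
	cases := []struct {
		name string
		cn   string
		sans []string
	}{
		{"wildcard CN and SAN", "*.example.com", []string{"*.example.com"}},
		{"SAN only, no CN", "", []string{"app.example.com"}},
		{"no CN and no SAN", "", nil},
	}
	for _, c := range cases {
		data, err := NewSelfSignedSecret(c.cn, c.sans)
		if err != nil {
			panic(err)
		}
		if err := ValidateTLSSecret(data); err != nil {
			fmt.Printf("%-22s rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%-22s accepted\n", c.name)
		}
	}
}
```

The same function can be pointed at a live secret by base64-decoding the `tls.crt` and `tls.key` fields that `kubectl get secret <name> -o json` returns and passing them in the map; a rejection here is the kind of condition that, per the thread, would keep the secret out of Contour's cache and only show up in Contour's logs right after a restart.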
Hi @sanketshirode, yes, I think you're right. Based on those screenshots, the cert should validate, so I think this is a bug in our cert-validation code. I think it could be one of two things:
I'll drop this in our 'Needs investigation' column on our Project Board, and we'll get someone to take a look.
@sanketshirode, sorry about the delay on this one. Any chance you could give some more information about how you got that cert? I need to try to reproduce the issue, so I'll need to make a similar one somehow.
I seem to have the same issue. The only practical difference in the certificates is:
Using a self-signed CA, I created a certificate that does list the same URL as CN and SAN, but no luck either. It produces a log message like this (but the mentioned secret definitely exists): My Contour version is 1.19.1. Is there any progress on the triage?
Thanks for that additional report @zlubsen. I should be able to use this to replicate the problem. I'll start checking this one out today and see what I can see, along with some other issues we've found with the TLS certificate validation. In terms of your last question, to reset the Contour cache, the easiest way is to restart the Contour pod (or pods).
This commit updates the Secret validation framework to address bugs around CA certificates, certificates with no CN, and various combinations of the above. Also updates documentation to make the rules for the types of Secrets clearer.

Updates projectcontour#2372
Updates projectcontour#3889
Updates projectcontour#3496

Future work is to add some of these checks into the e2e tests, and ensure that all these configs produce valid Envoy config, with no NACKs.

Signed-off-by: Nick Young <[email protected]>
@sanketshirode, I believe that the fix I merged in #4165 should fix this, but I'm not one hundred percent sure. Is there any way you could test with
Per #3496 (comment) we believe this has been fixed. Closing out the issue, but feel free to reach out again if you do further testing against
I'm facing an issue when configuring a certificate in an HTTPProxy. Below are the details of the error:

```
Errors:
  Message: Spec.VirtualHost.TLS Secret "vc-staging-cert" is invalid: Secret not found
  Reason: SecretNotValid
  Status: True
  Type: TLSError
```

But the secret exists in the same namespace as the proxy; I also tried TLS delegation, but got the same error. Please check the screenshots below for reference: