nginx ingress controller not routing https


Daniel Watrous

Apr 14, 2017, 11:04:23 AM
to Kubernetes user discussion and Q&A
I am using the nginx ingress controller on two k8s clusters. On one the HTTPS works as expected, but on the other HTTPS traffic always routes to the default 404 backend. I'm not sure how to troubleshoot this.

I have the TLS secret set up and the ingress references it. The ingress controller does serve up https, but only the default 404 backend. A few lines from the ingress controller logs:

127.0.0.1 - [127.0.0.1] - - [14/Apr/2017:02:15:15 +0000] "GET /login?from=%2F HTTP/2.0" 404 142 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" 29 0.002 [upstream-default-backend] 10.200.46.5:8080 21 0.002 404
::ffff:10.200.41.0 [14/Apr/2017:02:15:16 +0000] TCP [] [nginx-ssl-backend] 200 0 0 0.025
::ffff:10.200.35.0 [14/Apr/2017:02:15:03 +0000] TCP [jenkins.brdos1.k8s-dev.company.com] [nginx-ssl-backend] 200 215 51 0.059
::ffff:10.200.35.0 - [::ffff:10.200.35.0] - - [14/Apr/2017:15:00:11 +0000] "GET /login?from=%2F HTTP/1.1" 200 1826 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" 471 0.008 [shared-tools-jenkins-service-8080] 10.200.33.2:8080 1814 0.008 200

The first log represents a valid request to the correct route, but it's returning a 404.
I'm not sure what triggers the next two lines, but the third line is the route that I would expect to serve my application (jenkins.brdos1.k8s-dev.company.com).
The fourth line shows a call to the same ingress route, but over http. This does serve my application. Here's my ingress.yaml. Any ideas?

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jenkins-ingress
  namespace: shared-tools
spec:
  tls:
  - hosts:
    secretName: jenkins-secret
  rules:
  - http:
      paths:
      - backend:
          serviceName: jenkins-service
          servicePort: 8080

Warren Strange

Apr 14, 2017, 10:52:24 PM
to Kubernetes user discussion and Q&A


I have the same issue.

Daniel Watrous

Apr 17, 2017, 10:09:42 AM
to Kubernetes user discussion and Q&A
This may be a little different. I just posted a new issue:

For some unknown reason, this works on one cluster but not on another. The nginx.conf isn't being written with the TLS certificates and told to listen on port 443.

One idea that I may test later is that it's hard coded to look for TLS certificates only in the default namespace, since that is one difference between environments. Beyond that I'll need a couple of pointers to know where to start looking in the code.

Daniel

Daniel Watrous

Apr 17, 2017, 12:09:11 PM
to Kubernetes user discussion and Q&A
I discovered that the issue was a certificate that didn't include the common name to match the ingress host.
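
Added example (not part of the original thread and not the ingress controller's own code): a Go check that a certificate, such as the tls.crt value of the Ingress TLS secret, actually covers the Ingress host, which is the mismatch reported as the cause above. It goes slightly beyond the thread by also reporting subjectAltName matches; the names CoveredBy and SelfSigned and the host jenkins.example.test are hypothetical, and the certificates are constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CoveredBy reports how a PEM cert covers host: "SAN", "CN" (legacy only) or "".
func CoveredBy(certPEM []byte, host string) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return "", fmt.Errorf("no PEM block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if cert.VerifyHostname(host) == nil { // SANs only since Go 1.15, wildcard-aware
		return "SAN", nil
	}
	if strings.EqualFold(cert.Subject.CommonName, host) {
		return "CN", nil
	}
	return "", nil
}

// SelfSigned builds a throwaway certificate as constructed demo input.
func SelfSigned(cn string, sans ...string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	host := "jenkins.example.test" // constructed host, stands in for the Ingress rule host
	fmt.Println(CoveredBy(SelfSigned("other.example.test"), host))
	fmt.Println(CoveredBy(SelfSigned(host), host))
	fmt.Println(CoveredBy(SelfSigned("x", "*.example.test"), host))
}
```

An empty result means neither the common name nor any subjectAltName covers the host, so the certificate cannot be served for that Ingress rule.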
