Issue with multiple domains and SSL certificates when using ingress-gce

[rweindl]

I am exposing a micro service running on GCP's kubernetes engine via Google's Ingress load balancer. According to [Here] the load balancer supports multiple SSL certificates for different domain names via SNI lookup.

However, only the first specified SSL certificate is returned and therefore I receive a Your connection is not private warning for a domain-b. I would love to make an ingress controller for several domains each with their own certificate.

My investigation shows that always the first specified SSL certificate is returned as the server certificate while performing the TLS handshake. (In the example below always certificate domain-a-net would be returned.

I verified that assumption as proposed in Here by calling the different domains with curl -k -v <domain_name>. Changing the order of the tls hosts will return a different certificate.

I tested it with two different ingress.yaml formats:

Version 1:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: some-name
spec:  
  tls:
  - hosts: 
    - www.domain-a.net
    - domain-a.net
    secretName: domain-a-net
  - hosts: 
    - www.domain-b.org
    - domain-b.org
    secretName: domain-b-org
  backend:
    serviceName: some-name
    servicePort: 443

Version 2:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
  - host: domain-a.net
    http:
      paths:
        - path: /*
          backend:
            serviceName: some-name
            servicePort: 443    
  - host: www.domain-a.net
    http:
      paths:
        - path: /*
          backend:
            serviceName: some-name
            servicePort: 443
  - host: www.domain-b.org
    http:
      paths:
        - path: /*
          backend:
            serviceName: some-name
            servicePort: 443
  - host: domain-b.org
    http:
      paths:
        - path: /*
          backend:
            serviceName: some-name
            servicePort: 443
  tls:
  - hosts:
    - www.domain-a.net
    - domain-a.net
    secretName: domain-a-net  
  - hosts:
    - www.domain-b.net
    - domain-b.net
    secretName: domain-b-net 

Thanks for taking a look into that issue.

[anderspetersson]

Are you running Ingress GCE at-least version 1.1.0? https://github.com/kubernetes/ingress-gce/blob/master/CHANGELOG.md#110

[rramkumar1]

@rweindl As previously stated, you need to be running version 1.1 to get this feature.

[rweindl]

Thanks @anderspetersson and @rramkumar1 for pointing that out! Since I first recently created my cluster I thought I am using already the newest version of Ingress GCE. Can you please quickly point out how I can inspect/print my running version of Ingress GCE.

[rramkumar1]

@rweindl We don't surface this at the moment. For now, you can take a look at:

https://github.com/kubernetes/ingress-gce#gce--gke-version-mapping

We try to keep this version mapping as up-to-date as possible

[rweindl]

@rramkumar1 Thanks for providing me this mapping! Upgrading my GCE and GKE, and then redeploying my ingress load balancer helped!

gcloud container clusters upgrade <cluster-version> --cluster-version=latest

[Dean-Christian-Armada]

Version 1.9.7 GKE is confusing, I thought I was using an updated enough version as I just started as well