
Currently, if I try to hit a microservice which has an HTTPS REST endpoint on my local machine (Mac) with a certificate I created, I get proper output. During creation of the local machine SSL certificate I used CN (common name) = localhost. I used openssl.

For the k8s case, we have an ingress which communicates with that microservice using forwardAuth over HTTPS; there I have used a different SSL certificate, where I tried to use the DNS name (sample-domain1-lb.sample-domain1-ns.svc.cluster.local), as using the CN name gives an error in the Traefik ingress.

Now I am getting a 500 response from the Traefik ingress. But if I use tls.insecureSkipVerify: true in the middleware forwardAuth config then it works, where the microservice URL is https://sample-domain1-lb.sample-domain1-ns.svc.cluster.local:8080/auth

Any help is highly appreciated.

Traefik ingress debug log:

time="2022-12-08T13:08:09Z" level=debug msg="Error calling https://sample-domain1-lb.sample-domain1-ns.svc.cluster.local:8080/auth. Cause: Get \"https://sample-domain1-lb.sample-domain1-ns.svc.cluster.local:8080/auth\": x509: certificate is not valid for any names, but wanted to match sample-domain1-lb.sample-domain1-ns.svc.cluster.local" middlewareName=sample-domain1-ns-test-auth@kubernetescrd middlewareType=ForwardedAuthType

OpenSSL commands used:

openssl genrsa -out key.pem 2048 -config openssl.cnf
#Generate a Certificate Signing Request:
openssl req -new -sha256 -key key.pem -out csr.csrz -config openssl.cnf
#Generate a self-signed x509 certificate suitable for use on web servers.
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csrz -out certificate.pem
#Create SSL identity file in PKCS12 as mentioned here
openssl pkcs12 -export -out client-identity.p12 -inkey key.pem -in certificate.pem

OpenSSL config file:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
[ req_ext ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1   = sample-domain1-lb.sample-domain1-ns.svc.cluster.local
DNS.2   = sample-domain1-lb.sample-domain1-ns.svc.cluster.local.com

OpenSSL data output:

Country Name (2 letter code) []:US
State or Province Name (full name) []:VA
Locality Name (eg, city) []:SomeCity
Organization Name (eg, company) []:MyCompany
atroy
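Traefik is written in Go, and the text "x509: certificate is not valid for any names, but wanted to match ..." in the debug log is the error Go's crypto/x509 package returns when the server certificate has no subjectAltName DNS entry at all; Go has ignored the Common Name for hostname matching since 1.15, so a CN alone is rejected too. In the commands above the SAN section is attached to the CSR, but the final `openssl req -x509 ... -in csr.csrz` step runs without `-config openssl.cnf -extensions req_ext`, so the CSR's extensions are not carried into the signed certificate and the resulting subject has no CN either. The program below is an added example and is not code from the question or from Traefik: it builds throwaway self-signed certificates in memory with the subject values from the question and runs Go's own hostname check against the service name, showing which certificate shapes produce which error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServiceHost is the in-cluster name from the question that Traefik dials and
// therefore expects to find in the microservice's certificate.
const ServiceHost = "sample-domain1-lb.sample-domain1-ns.svc.cluster.local"

// newSelfSigned builds a throwaway self-signed server certificate in memory
// (constructed for this example; the real one comes from openssl).
// commonName == "" leaves the subject without a CN, as in the posted DN which
// only has C/ST/L/O; dnsNames == nil means no subjectAltName extension at all,
// which is what a CSR-carried SAN that was never copied into the cert looks like.
func newSelfSigned(commonName string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:      []string{"US"},
			Province:     []string{"VA"},
			Locality:     []string{"SomeCity"},
			Organization: []string{"MyCompany"},
			CommonName:   commonName,
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames, // nil/empty => CreateCertificate adds no SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckHostname generates a certificate with the given CN and DNS SANs and runs
// the same name check Go's TLS client (and so Traefik's forwardAuth client)
// applies to a server certificate. It returns the x509 error text, or "" when
// the name is accepted; the second return value is for generation failures only.
func CheckHostname(commonName string, dnsNames []string, host string) (string, error) {
	cert, err := newSelfSigned(commonName, dnsNames)
	if err != nil {
		return "", err
	}
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error(), nil
	}
	return "", nil
}

func main() {
	cases := []struct {
		label string
		cn    string
		sans  []string
	}{
		{"no CN, no SAN (what the posted openssl run produces)", "", nil},
		{"CN only, no SAN", ServiceHost, nil},
		{"SAN for a different name", "", []string{"localhost"}},
		{"DNS SAN for the service name", "", []string{ServiceHost}},
	}
	for _, c := range cases {
		msg, err := CheckHostname(c.cn, c.sans, ServiceHost)
		if err != nil {
			fmt.Printf("%-56s generation failed: %v\n", c.label+":", err)
			continue
		}
		if msg == "" {
			msg = "OK, name accepted"
		}
		fmt.Printf("%-56s %s\n", c.label+":", msg)
	}
}
```

To check the real file rather than an in-memory stand-in, run `openssl x509 -in certificate.pem -noout -text` and look for an "X509v3 Subject Alternative Name" block; if it is absent, the certificate will fail Go's check exactly as in the log. Regenerating with `-config openssl.cnf -extensions req_ext` added to the `openssl req -x509` step makes openssl write the SAN from the [alt_names] section into the certificate itself, at which point insecureSkipVerify is no longer needed.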

0 Answers