microk8s
Ingress no-tls-redirect-locations not working
Summary
Nginx ingress should have no-tls-redirect-locations configured so that requests made to "/.well-known/acme-challenge" are not redirected to https. This is important to make it possible to auto-renew certificates via cert-manager.
What Should Happen Instead?
By creating a path "/.well-known/acme-challenge", no SSL redirect should be made.
Reproduction Steps
- Create a TLS ingress
- Create another ingress with just http and path "/.well-known/acme-challenge"
- Access this last endpoint
Introspection Report
Can you suggest a fix?
Are you interested in contributing a fix?
yes
Hi @brunoslalmeida, thank you for reporting the issue, sorry it took so long to reply.
I'm not sure if changing the defaults would be desirable in order to facilitate one particular use-case. Further, I haven't had the same experience, I have not had any issues with cert-manager certificate issuing and renewal.
Can you elaborate on the issue you are having, and how the suggested fix has helped you work-around it?
Thanks!
Sure, sorry for the late response.
- Install microk8s
- Enable ingress
- Install cert-manager (https://cert-manager.io/docs/installation/kubectl/)
- Add a Let's Encrypt http01 issuer (https://cert-manager.io/docs/configuration/acme/)
- Create a new service to use SSL (just / to any pod)
Expected result:
- The issuer is triggered
- A new ingress is created to solve the ACME challenge
- The challenge is completed and a valid SSL cert is generated
Result
- ok
- ok
- not ok. At this time, the challenge is never resolved. This happens because the http request is transformed into https and routed to the application and not to the solver ingress.
The no-tls-redirect-locations option was added to nginx-ingress, but in a more recent version than the one present in microk8s.
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#no-tls-redirect-locations
A comma-separated list of locations on which http requests will never get redirected to their https counterpart. default: "/.well-known/acme-challenge"
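The controller setting the report points to, written out as an added example (my own manifests, not part of this issue or of the microk8s project). The ConfigMap name, namespace and ingress class are assumptions about the microk8s ingress addon, and the host and solver service names are placeholders:

```yaml
# Added example: make ingress-nginx leave plain-HTTP requests for the ACME
# challenge path alone instead of redirecting them to HTTPS.
# ConfigMap name/namespace are assumptions about the microk8s addon; check with
#   kubectl -n ingress get configmap
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-load-balancer-microk8s-conf   # assumed, verify in your cluster
  namespace: ingress                        # assumed, verify in your cluster
data:
  # Comma-separated locations that are never redirected from http to https.
  # Newer controllers ship this as the default; older ones need it set here.
  no-tls-redirect-locations: "/.well-known/acme-challenge"
---
# Minimal HTTP-only ingress for the challenge path, in the shape of the one an
# HTTP-01 solver creates. Names and host are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: acme-solver-example                 # placeholder
  namespace: default
  annotations:
    # Per-object opt-out as well, so this ingress never redirects to https.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: public                  # microk8s class name; assumed
  rules:
  - host: example.com                       # placeholder host
    http:
      paths:
      - path: /.well-known/acme-challenge/
        pathType: Prefix
        backend:
          service:
            name: acme-solver-example       # placeholder solver service
            port:
              number: 8089                  # placeholder solver port
```

After applying, `curl -sI http://example.com/.well-known/acme-challenge/test` should return the solver's response (typically 404 for an unknown token) rather than a 308/301 pointing at https.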
Hey @neoaggelos, did you have time to look at my text?
Best regards
- create a new service to use ssl (just / to any pod)
What does the resource manifest look like? In my experience, creating a service and an ingress route for it should be all that is required. Cert-manager will ensure that /.acme-challenge paths are served with HTTP and not HTTPS.
Yup, that's correct, but when the ingress receives http /.acme-challenge it is changed to https and the connection goes to the service and not to ACM.
I will create a small example and will post here
This is the example code: https://github.com/brunoslalmeida/microk8s-ingress.git
As you can check in the app logs, it is receiving the .well-known request even though the ACM ingress was correctly created.
[Screenshot 2022-12-06 20:23:13]
[Screenshot 2022-12-06 20:22:58]
The correct behavior would be to not convert http requests for .well-known to https, as is happening. As can be checked here:
[Screenshot 2022-12-06 20:33:12]
As described here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#no-tls-redirect-locations
A comma-separated list of locations on which http requests will never get redirected to their https counterpart. default: "/.well-known/acme-challenge"
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.