
Configure multiple certificates for the same domain name

Open alexandersm opened this issue 4 years ago • 2 comments

Hello,

In the Nginx documentation at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate there is a possibility to specify ssl_certificate / ssl_certificate_key directives multiple times for the same domain name.

Is it possible to configure Nginx Ingress to use more than one TLS secret for the same domain name? I've tried the following configuration:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-for-ingress-ingress
 
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        -  my.domain.com
      secretName: test1

    - hosts:
        -  my.domain.com
      secretName: test2

  rules:
  - host: my.domain.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: httpservice
            port:
              number: 9050

but then I checked the resulting Nginx configuration inside the ingress pod and found out that only the certificate and key from the second secret are used.

Thanks in advance for the help

Aha! Link: https://nginx.aha.io/features/IC-304

alexandersm avatar Aug 25 '21 10:08 alexandersm

Hi @alexandersm thanks for reporting!

Be sure to check out the docs while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

github-actions[bot] avatar Aug 25 '21 10:08 github-actions[bot]

Hi @alexandersm

The Ingress Controller doesn't support multiple TLS secrets. However, could you possibly try the following workaround?

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    nginx.org/server-snippets: |
      ssl_certificate /etc/nginx/secrets/default-second-cafe-secret; # namespace-name
      ssl_certificate_key /etc/nginx/secrets/default-second-cafe-secret; # namespace-name
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  - hosts: # this part is needed so that the IC gets the second-cafe-secret from k8s API and store it on the file system at /etc/nginx/secrets/namespace-name
    - random-workaround-host 
    secretName: second-cafe-secret
  rules:
  - host: cafe.example.com

pleshakov avatar Aug 25 '21 23:08 pleshakov
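
A pre-deployment check for the two situations in this thread, as an added example that is not part of the original posts or of the Ingress Controller project: it flags a host listed under more than one TLS secret, and any `ssl_certificate` / `ssl_certificate_key` path in a `nginx.org/server-snippets` annotation that does not correspond to a secret in `spec.tls`. Assumptions: the input is an Ingress parsed from `kubectl get ingress -o json`, the namespace falls back to `default` when absent, the on-disk name is `<namespace>-<secretName>` as the workaround's comment states, and `lint_ingress` and the sample dictionaries are hypothetical names constructed here.

```python
import re

SECRET_DIR = "/etc/nginx/secrets/"  # directory named in the workaround above
SNIPPET_KEY = "nginx.org/server-snippets"  # annotation used in the workaround

def lint_ingress(ing):
    """Return sorted findings for one Ingress parsed from `kubectl get ingress -o json`."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    ns = meta.get("namespace", "default")  # assumption: fall back to "default"
    tls = spec.get("tls") or []
    findings = []
    # 1. Same host under several secrets: the issue reports only one ends up in use.
    by_host = {}
    for entry in tls:
        for host in entry.get("hosts") or []:
            by_host.setdefault(host, []).append(entry.get("secretName"))
    for host, secrets in by_host.items():
        if len(set(secrets)) > 1:
            findings.append(f"duplicate-tls-host {host}: {secrets}")
    # 2. Snippet paths must name a secret listed in spec.tls, stored as
    #    <namespace>-<secretName> per the comment in the workaround.
    fetched = {f"{ns}-{e['secretName']}" for e in tls if e.get("secretName")}
    snippet = (meta.get("annotations") or {}).get(SNIPPET_KEY, "")
    pattern = r"^\s*(ssl_certificate(?:_key)?)\s+([^;\s]+)\s*;"
    for directive, path in re.findall(pattern, snippet, re.M):
        if not path.startswith(SECRET_DIR) or path[len(SECRET_DIR):] not in fetched:
            findings.append(f"unfetched-secret {directive} {path}")
    return sorted(findings)

# Constructed inputs mirroring the two manifests in the thread.
ISSUE = {"metadata": {"name": "nginx-for-ingress-ingress"},
         "spec": {"tls": [{"hosts": ["my.domain.com"], "secretName": "test1"},
                          {"hosts": ["my.domain.com"], "secretName": "test2"}]}}
SECOND = SECRET_DIR + "default-second-cafe-secret"
WORKAROUND = {
    "metadata": {"name": "cafe-ingress", "annotations": {
        SNIPPET_KEY: f"ssl_certificate {SECOND}; # namespace-name\n"
                     f"ssl_certificate_key {SECOND}; # namespace-name\n"}},
    "spec": {"tls": [
        {"hosts": ["cafe.example.com"], "secretName": "cafe-secret"},
        {"hosts": ["random-workaround-host"], "secretName": "second-cafe-secret"}]},
}

if __name__ == "__main__":
    for name, manifest in (("issue", ISSUE), ("workaround", WORKAROUND)):
        print(name, lint_ingress(manifest) or "ok")
```

Dropping the `random-workaround-host` entry from the workaround manifest makes both snippet directives surface as `unfetched-secret` findings, since nothing in `spec.tls` would then list that secret.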